1/* -*- Mode: Text -*- */ 2 3autogen definitions options; 4 5#include copyright.def 6#include homerc.def 7#include autogen-version.def 8 9prog-name = "ntp-keygen"; 10prog-title = "Create a NTP host key"; 11package = ntp; 12 13include = '#include <stdlib.h>'; 14#include version.def 15 16flag = { 17 value = b; 18 name = imbits; 19 arg-type = number; 20 arg-name = imbits; 21 arg-range = '256->2048'; 22 ifdef = AUTOKEY; 23 descrip = "identity modulus bits"; 24 doc = <<- _EndOfDoc_ 25 The number of bits in the identity modulus. The default is 256. 26 _EndOfDoc_; 27}; 28 29flag = { 30 value = c; 31 name = certificate; 32 arg-type = string; 33 arg-name = scheme; 34 ifdef = AUTOKEY; 35 descrip = "certificate scheme"; 36 doc = <<- _EndOfDoc_ 37 scheme is one of 38 RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, 39 DSA-SHA, or DSA-SHA1. 40 41 Select the certificate message digest/signature encryption scheme. 42 Note that RSA schemes must be used with a RSA sign key and DSA 43 schemes must be used with a DSA sign key. The default without 44 this option is RSA-MD5. 45 _EndOfDoc_; 46}; 47 48flag = { 49 value = C; 50 name = cipher; 51 arg-type = string; 52 arg-name = cipher; 53 ifdef = AUTOKEY; 54 descrip = "privatekey cipher"; 55 doc = <<- _EndOfDoc_ 56 Select the cipher which is used to encrypt the files containing 57 private keys. The default is three-key triple DES in CBC mode, 58 equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers 59 available in "@code{openssl -h}" output. 60 _EndOfDoc_; 61}; 62 63#include debug-opt.def 64 65flag = { 66 value = e; 67 name = id-key; 68 ifdef = AUTOKEY; 69 descrip = "Write IFF or GQ identity keys"; 70 doc = <<- _EndOfDoc_ 71 Write the IFF or GQ client keys to the standard output. This is 72 intended for automatic key distribution by mail. 73 _EndOfDoc_; 74}; 75 76flag = { 77 value = G; 78 name = gq-params; 79 ifdef = AUTOKEY; 80 descrip = "Generate GQ parameters and keys"; 81 doc = <<- _EndOfDoc_ 82 Generate parameters and keys for the GQ identification scheme, 83 obsoleting any that may exist. 84 _EndOfDoc_; 85}; 86 87flag = { 88 value = H; 89 name = host-key; 90 ifdef = AUTOKEY; 91 descrip = "generate RSA host key"; 92 doc = <<- _EndOfDoc_ 93 Generate new host keys, obsoleting any that may exist. 94 _EndOfDoc_; 95}; 96 97flag = { 98 value = I; 99 name = iffkey; 100 ifdef = AUTOKEY; 101 descrip = "generate IFF parameters"; 102 doc = <<- _EndOfDoc_ 103 Generate parameters for the IFF identification scheme, obsoleting 104 any that may exist. 105 _EndOfDoc_; 106}; 107 108flag = { 109 value = i; 110 name = ident; 111 ifdef = AUTOKEY; 112 arg-type = string; 113 arg-name = group; 114 descrip = "set Autokey group name"; 115 doc = <<- _EndOfDoc_ 116 Set the optional Autokey group name to name. This is used in 117 the file name of IFF, GQ, and MV client parameters files. In 118 that role, the default is the host name if this option is not 119 provided. The group name, if specified using @code{-i/--ident} or 120 using @code{-s/--subject-name} following an '@code{@}' character, 121 is also a part of the self-signed host certificate's subject and 122 issuer names in the form @code{host@group} and should match the 123 '@code{crypto ident}' or '@code{server ident}' configuration in 124 @code{ntpd}'s configuration file. 125 _EndOfDoc_; 126}; 127 128flag = { 129 value = l; 130 name = lifetime; 131 ifdef = AUTOKEY; 132 arg-type = number; 133 arg-name = lifetime; 134 descrip = "set certificate lifetime"; 135 doc = <<- _EndOfDoc_ 136 Set the certificate expiration to lifetime days from now. 137 _EndOfDoc_; 138}; 139 140flag = { 141 value = M; 142 name = md5key; 143 descrip = "generate MD5 keys"; 144 doc = <<- _EndOfDoc_ 145 Generate MD5 keys, obsoleting any that may exist. 146 _EndOfDoc_; 147}; 148 149flag = { 150 value = m; 151 name = modulus; 152 arg-type = number; 153 arg-name = modulus; 154 arg-range = '256->2048'; 155 ifdef = AUTOKEY; 156 descrip = "modulus"; 157 doc = <<- _EndOfDoc_ 158 The number of bits in the prime modulus. The default is 512. 159 _EndOfDoc_; 160}; 161 162flag = { 163 value = P; 164 name = pvt-cert; 165 ifdef = AUTOKEY; 166 descrip = "generate PC private certificate"; 167 doc = <<- _EndOfDoc_ 168 Generate a private certificate. By default, the program generates 169 public certificates. 170 _EndOfDoc_; 171}; 172 173flag = { 174 value = p; 175 name = password; // was: pvt-passwd; 176 ifdef = AUTOKEY; 177 arg-type = string; 178 arg-name = passwd; 179 descrip = "local private password"; 180 doc = <<- _EndOfDoc_ 181 Local files containing private data are encrypted with the 182 DES-CBC algorithm and the specified password. The same password 183 must be specified to the local ntpd via the "crypto pw password" 184 configuration command. The default password is the local 185 hostname. 186 _EndOfDoc_; 187}; 188 189flag = { 190 value = q; 191 name = export-passwd; // Was: get-pvt-passwd; 192 ifdef = AUTOKEY; 193 arg-type = string; 194 arg-name = passwd; 195 descrip = "export IFF or GQ group keys with password"; 196 doc = <<- _EndOfDoc_ 197 Export IFF or GQ identity group keys to the standard output, 198 encrypted with the DES-CBC algorithm and the specified password. 199 The same password must be specified to the remote ntpd via the 200 "crypto pw password" configuration command. See also the option 201 --id-key (-e) for unencrypted exports. 202 _EndOfDoc_; 203}; 204 205flag = { 206 value = S; 207 name = sign-key; 208 arg-type = string; 209 arg-name = sign; 210 ifdef = AUTOKEY; 211 descrip = "generate sign key (RSA or DSA)"; 212 doc = <<- _EndOfDoc_ 213 Generate a new sign key of the designated type, obsoleting any 214 that may exist. By default, the program uses the host key as the 215 sign key. 216 _EndOfDoc_; 217}; 218 219flag = { 220 value = s; 221 name = subject-name; 222 arg-type = string; 223 arg-name = host@group; 224 ifdef = AUTOKEY; 225 descrip = "set host and optionally group name"; 226 doc = <<- _EndOfDoc_ 227 Set the Autokey host name, and optionally, group name specified 228 following an '@code{@}' character. The host name is used in the file 229 name of generated host and signing certificates, without the 230 group name. The host name, and if provided, group name are used 231 in @code{host@group} form for the host certificate's subject and issuer 232 fields. Specifying '@code{-s @group}' is allowed, and results in 233 leaving the host name unchanged while appending @code{@group} to the 234 subject and issuer fields, as with @code{-i group}. The group name, or 235 if not provided, the host name are also used in the file names 236 of IFF, GQ, and MV client parameter files. 237 _EndOfDoc_; 238}; 239 240flag = { 241 value = T; 242 name = trusted-cert; 243 ifdef = AUTOKEY; 244 descrip = "trusted certificate (TC scheme)"; 245 doc = <<- _EndOfDoc_ 246 Generate a trusted certificate. By default, the program generates 247 a non-trusted certificate. 248 _EndOfDoc_; 249}; 250 251flag = { 252 value = V; 253 name = mv-params; 254 arg-type = number; 255 arg-name = num; 256 ifdef = AUTOKEY; 257 descrip = "generate <num> MV parameters"; 258 doc = <<- _EndOfDoc_ 259 Generate parameters and keys for the Mu-Varadharajan (MV) 260 identification scheme. 261 _EndOfDoc_; 262}; 263 264flag = { 265 value = v; 266 name = mv-keys; 267 arg-type = number; 268 arg-name = num; 269 ifdef = AUTOKEY; 270 descrip = "update <num> MV keys"; 271}; 272 273/* explain: Additional information whenever the usage routine is invoked */ 274explain = <<- _END_EXPLAIN 275 _END_EXPLAIN; 276 277doc-section = { 278 ds-type = 'DESCRIPTION'; 279 ds-format = 'mdoc'; 280 ds-text = <<- _END_PROG_MDOC_DESCRIP 281This program generates cryptographic data files used by the NTPv4 282authentication and identification schemes. 283It generates MD5 key files used in symmetric key cryptography. 284In addition, if the OpenSSL software library has been installed, 285it generates keys, certificate and identity files used in public key 286cryptography. 287These files are used for cookie encryption, 288digital signature and challenge/response identification algorithms 289compatible with the Internet standard security infrastructure. 290.Pp 291All files are in PEM-encoded printable ASCII format, 292so they can be embedded as MIME attachments in mail to other sites 293and certificate authorities. 294By default, files are not encrypted. 295.Pp 296When used to generate message digest keys, the program produces a file 297containing ten pseudo-random printable ASCII strings suitable for the 298MD5 message digest algorithm included in the distribution. 299If the OpenSSL library is installed, it produces an additional ten 300hex-encoded random bit strings suitable for the SHA1 and other message 301digest algorithms. 302The message digest keys file must be distributed and stored 303using secure means beyond the scope of NTP itself. 304Besides the keys used for ordinary NTP associations, additional keys 305can be defined as passwords for the 306.Xr ntpq 1ntpqmdoc 307and 308.Xr ntpdc 1ntpdcmdoc 309utility programs. 310.Pp 311The remaining generated files are compatible with other OpenSSL 312applications and other Public Key Infrastructure (PKI) resources. 313Certificates generated by this program are compatible with extant 314industry practice, although some users might find the interpretation of 315X509v3 extension fields somewhat liberal. 316However, the identity keys are probably not compatible with anything 317other than Autokey. 318.Pp 319Some files used by this program are encrypted using a private password. 320The 321.Fl p 322option specifies the password for local encrypted files and the 323.Fl q 324option the password for encrypted files sent to remote sites. 325If no password is specified, the host name returned by the Unix 326.Fn gethostname 327function, normally the DNS name of the host is used. 328.Pp 329The 330.Ar pw 331option of the 332.Ar crypto 333configuration command specifies the read 334password for previously encrypted local files. 335This must match the local password used by this program. 336If not specified, the host name is used. 337Thus, if files are generated by this program without password, 338they can be read back by 339.Ar ntpd 340without password but only on the same host. 341.Pp 342Normally, encrypted files for each host are generated by that host and 343used only by that host, although exceptions exist as noted later on 344this page. 345The symmetric keys file, normally called 346.Ar ntp.keys , 347is usually installed in 348.Pa /etc . 349Other files and links are usually installed in 350.Pa /usr/local/etc , 351which is normally in a shared filesystem in 352NFS-mounted networks and cannot be changed by shared clients. 353The location of the keys directory can be changed by the 354.Ar keysdir 355configuration command in such cases. 356Normally, this is in 357.Pa /etc . 358.Pp 359This program directs commentary and error messages to the standard 360error stream 361.Ar stderr 362and remote files to the standard output stream 363.Ar stdout 364where they can be piped to other applications or redirected to files. 365The names used for generated files and links all begin with the 366string 367.Ar ntpkey 368and include the file type, generating host and filestamp, 369as described in the 370.Dq Cryptographic Data Files 371section below. 372.Ss Running the Program 373To test and gain experience with Autokey concepts, log in as root and 374change to the keys directory, usually 375.Pa /usr/local/etc 376When run for the first time, or if all files with names beginning with 377.Ar ntpkey 378have been removed, use the 379.Nm 380command without arguments to generate a 381default RSA host key and matching RSA-MD5 certificate with expiration 382date one year hence. 383If run again without options, the program uses the 384existing keys and parameters and generates only a new certificate with 385new expiration date one year hence. 386.Pp 387Run the command on as many hosts as necessary. 388Designate one of them as the trusted host (TH) using 389.Nm 390with the 391.Fl T 392option and configure it to synchronize from reliable Internet servers. 393Then configure the other hosts to synchronize to the TH directly or 394indirectly. 395A certificate trail is created when Autokey asks the immediately 396ascendant host towards the TH to sign its certificate, which is then 397provided to the immediately descendant host on request. 398All group hosts should have acyclic certificate trails ending on the TH. 399.Pp 400The host key is used to encrypt the cookie when required and so must be 401RSA type. 402By default, the host key is also the sign key used to encrypt 403signatures. 404A different sign key can be assigned using the 405.Fl S 406option and this can be either RSA or DSA type. 407By default, the signature 408message digest type is MD5, but any combination of sign key type and 409message digest type supported by the OpenSSL library can be specified 410using the 411.Fl c 412option. 413The rules say cryptographic media should be generated with proventic 414filestamps, which means the host should already be synchronized before 415this program is run. 416This of course creates a chicken-and-egg problem 417when the host is started for the first time. 418Accordingly, the host time 419should be set by some other means, such as eyeball-and-wristwatch, at 420least so that the certificate lifetime is within the current year. 421After that and when the host is synchronized to a proventic source, the 422certificate should be re-generated. 423.Pp 424Additional information on trusted groups and identity schemes is on the 425.Dq Autokey Public-Key Authentication 426page. 427 428 429.Pp 430The 431.Xr ntpd 1ntpdmdoc 432configuration command 433.Ic crypto pw Ar password 434specifies the read password for previously encrypted files. 435The daemon expires on the spot if the password is missing 436or incorrect. 437For convenience, if a file has been previously encrypted, 438the default read password is the name of the host running 439the program. 440If the previous write password is specified as the host name, 441these files can be read by that host with no explicit password. 442 443.Pp 444File names begin with the prefix 445.Cm ntpkey_ 446and end with the postfix 447.Ar _hostname.filestamp , 448where 449.Ar hostname 450is the owner name, usually the string returned 451by the Unix gethostname() routine, and 452.Ar filestamp 453is the NTP seconds when the file was generated, in decimal digits. 454This both guarantees uniqueness and simplifies maintenance 455procedures, since all files can be quickly removed 456by a 457.Ic rm ntpkey\&* 458command or all files generated 459at a specific time can be removed by a 460.Ic rm 461.Ar \&*filestamp 462command. 463To further reduce the risk of misconfiguration, 464the first two lines of a file contain the file name 465and generation date and time as comments. 466.Pp 467All files are installed by default in the keys directory 468.Pa /usr/local/etc , 469which is normally in a shared filesystem 470in NFS-mounted networks. 471The actual location of the keys directory 472and each file can be overridden by configuration commands, 473but this is not recommended. 474Normally, the files for each host are generated by that host 475and used only by that host, although exceptions exist 476as noted later on this page. 477.Pp 478Normally, files containing private values, 479including the host key, sign key and identification parameters, 480are permitted root read/write-only; 481while others containing public values are permitted world readable. 482Alternatively, files containing private values can be encrypted 483and these files permitted world readable, 484which simplifies maintenance in shared file systems. 485Since uniqueness is insured by the hostname and 486file name extensions, the files for a NFS server and 487dependent clients can all be installed in the same shared directory. 488.Pp 489The recommended practice is to keep the file name extensions 490when installing a file and to install a soft link 491from the generic names specified elsewhere on this page 492to the generated files. 493This allows new file generations to be activated simply 494by changing the link. 495If a link is present, ntpd follows it to the file name 496to extract the filestamp. 497If a link is not present, 498.Xr ntpd 1ntpdmdoc 499extracts the filestamp from the file itself. 500This allows clients to verify that the file and generation times 501are always current. 502The 503.Nm 504program uses the same timestamp extension for all files generated 505at one time, so each generation is distinct and can be readily 506recognized in monitoring data. 507.Ss Running the program 508The safest way to run the 509.Nm 510program is logged in directly as root. 511The recommended procedure is change to the keys directory, 512usually 513.Pa /usr/local/etc , 514then run the program. 515When run for the first time, 516or if all 517.Cm ntpkey 518files have been removed, 519the program generates a RSA host key file and matching RSA-MD5 certificate file, 520which is all that is necessary in many cases. 521The program also generates soft links from the generic names 522to the respective files. 523If run again, the program uses the same host key file, 524but generates a new certificate file and link. 525.Pp 526The host key is used to encrypt the cookie when required and so must be RSA type. 527By default, the host key is also the sign key used to encrypt signatures. 528When necessary, a different sign key can be specified and this can be 529either RSA or DSA type. 530By default, the message digest type is MD5, but any combination 531of sign key type and message digest type supported by the OpenSSL library 532can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 533and RIPE160 message digest algorithms. 534However, the scheme specified in the certificate must be compatible 535with the sign key. 536Certificates using any digest algorithm are compatible with RSA sign keys; 537however, only SHA and SHA1 certificates are compatible with DSA sign keys. 538.Pp 539Private/public key files and certificates are compatible with 540other OpenSSL applications and very likely other libraries as well. 541Certificates or certificate requests derived from them should be compatible 542with extant industry practice, although some users might find 543the interpretation of X509v3 extension fields somewhat liberal. 544However, the identification parameter files, although encoded 545as the other files, are probably not compatible with anything other than Autokey. 546.Pp 547Running the program as other than root and using the Unix 548.Ic su 549command 550to assume root may not work properly, since by default the OpenSSL library 551looks for the random seed file 552.Cm .rnd 553in the user home directory. 554However, there should be only one 555.Cm .rnd , 556most conveniently 557in the root directory, so it is convenient to define the 558.Cm $RANDFILE 559environment variable used by the OpenSSL library as the path to 560.Cm /.rnd . 561.Pp 562Installing the keys as root might not work in NFS-mounted 563shared file systems, as NFS clients may not be able to write 564to the shared keys directory, even as root. 565In this case, NFS clients can specify the files in another 566directory such as 567.Pa /etc 568using the 569.Ic keysdir 570command. 571There is no need for one client to read the keys and certificates 572of other clients or servers, as these data are obtained automatically 573by the Autokey protocol. 574.Pp 575Ordinarily, cryptographic files are generated by the host that uses them, 576but it is possible for a trusted agent (TA) to generate these files 577for other hosts; however, in such cases files should always be encrypted. 578The subject name and trusted name default to the hostname 579of the host generating the files, but can be changed by command line options. 580It is convenient to designate the owner name and trusted name 581as the subject and issuer fields, respectively, of the certificate. 582The owner name is also used for the host and sign key files, 583while the trusted name is used for the identity files. 584 585.Pp 586All files are installed by default in the keys directory 587.Pa /usr/local/etc , 588which is normally in a shared filesystem 589in NFS-mounted networks. 590The actual location of the keys directory 591and each file can be overridden by configuration commands, 592but this is not recommended. 593Normally, the files for each host are generated by that host 594and used only by that host, although exceptions exist 595as noted later on this page. 596.Pp 597Normally, files containing private values, 598including the host key, sign key and identification parameters, 599are permitted root read/write-only; 600while others containing public values are permitted world readable. 601Alternatively, files containing private values can be encrypted 602and these files permitted world readable, 603which simplifies maintenance in shared file systems. 604Since uniqueness is insured by the hostname and 605file name extensions, the files for a NFS server and 606dependent clients can all be installed in the same shared directory. 607.Pp 608The recommended practice is to keep the file name extensions 609when installing a file and to install a soft link 610from the generic names specified elsewhere on this page 611to the generated files. 612This allows new file generations to be activated simply 613by changing the link. 614If a link is present, ntpd follows it to the file name 615to extract the filestamp. 616If a link is not present, 617.Xr ntpd 1ntpdmdoc 618extracts the filestamp from the file itself. 619This allows clients to verify that the file and generation times 620are always current. 621The 622.Nm 623program uses the same timestamp extension for all files generated 624at one time, so each generation is distinct and can be readily 625recognized in monitoring data. 626.Ss Running the program 627The safest way to run the 628.Nm 629program is logged in directly as root. 630The recommended procedure is change to the keys directory, 631usually 632.Pa /usr/local/etc , 633then run the program. 634When run for the first time, 635or if all 636.Cm ntpkey 637files have been removed, 638the program generates a RSA host key file and matching RSA-MD5 certificate file, 639which is all that is necessary in many cases. 640The program also generates soft links from the generic names 641to the respective files. 642If run again, the program uses the same host key file, 643but generates a new certificate file and link. 644.Pp 645The host key is used to encrypt the cookie when required and so must be RSA type. 646By default, the host key is also the sign key used to encrypt signatures. 647When necessary, a different sign key can be specified and this can be 648either RSA or DSA type. 649By default, the message digest type is MD5, but any combination 650of sign key type and message digest type supported by the OpenSSL library 651can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 652and RIPE160 message digest algorithms. 653However, the scheme specified in the certificate must be compatible 654with the sign key. 655Certificates using any digest algorithm are compatible with RSA sign keys; 656however, only SHA and SHA1 certificates are compatible with DSA sign keys. 657.Pp 658Private/public key files and certificates are compatible with 659other OpenSSL applications and very likely other libraries as well. 660Certificates or certificate requests derived from them should be compatible 661with extant industry practice, although some users might find 662the interpretation of X509v3 extension fields somewhat liberal. 663However, the identification parameter files, although encoded 664as the other files, are probably not compatible with anything other than Autokey. 665.Pp 666Running the program as other than root and using the Unix 667.Ic su 668command 669to assume root may not work properly, since by default the OpenSSL library 670looks for the random seed file 671.Cm .rnd 672in the user home directory. 673However, there should be only one 674.Cm .rnd , 675most conveniently 676in the root directory, so it is convenient to define the 677.Cm $RANDFILE 678environment variable used by the OpenSSL library as the path to 679.Cm /.rnd . 680.Pp 681Installing the keys as root might not work in NFS-mounted 682shared file systems, as NFS clients may not be able to write 683to the shared keys directory, even as root. 684In this case, NFS clients can specify the files in another 685directory such as 686.Pa /etc 687using the 688.Ic keysdir 689command. 690There is no need for one client to read the keys and certificates 691of other clients or servers, as these data are obtained automatically 692by the Autokey protocol. 693.Pp 694Ordinarily, cryptographic files are generated by the host that uses them, 695but it is possible for a trusted agent (TA) to generate these files 696for other hosts; however, in such cases files should always be encrypted. 697The subject name and trusted name default to the hostname 698of the host generating the files, but can be changed by command line options. 699It is convenient to designate the owner name and trusted name 700as the subject and issuer fields, respectively, of the certificate. 701The owner name is also used for the host and sign key files, 702while the trusted name is used for the identity files. 703seconds. 704seconds. 705 706s Trusted Hosts and Groups 707Each cryptographic configuration involves selection of a signature scheme 708and identification scheme, called a cryptotype, 709as explained in the 710.Sx Authentication Options 711section of 712.Xr ntp.conf 5 . 713The default cryptotype uses RSA encryption, MD5 message digest 714and TC identification. 715First, configure a NTP subnet including one or more low-stratum 716trusted hosts from which all other hosts derive synchronization 717directly or indirectly. 718Trusted hosts have trusted certificates; 719all other hosts have nontrusted certificates. 720These hosts will automatically and dynamically build authoritative 721certificate trails to one or more trusted hosts. 722A trusted group is the set of all hosts that have, directly or indirectly, 723a certificate trail ending at a trusted host. 724The trail is defined by static configuration file entries 725or dynamic means described on the 726.Sx Automatic NTP Configuration Options 727section of 728.Xr ntp.conf 5 . 729.Pp 730On each trusted host as root, change to the keys directory. 731To insure a fresh fileset, remove all 732.Cm ntpkey 733files. 734Then run 735.Nm 736.Fl T 737to generate keys and a trusted certificate. 738On all other hosts do the same, but leave off the 739.Fl T 740flag to generate keys and nontrusted certificates. 741When complete, start the NTP daemons beginning at the lowest stratum 742and working up the tree. 743It may take some time for Autokey to instantiate the certificate trails 744throughout the subnet, but setting up the environment is completely automatic. 745.Pp 746If it is necessary to use a different sign key or different digest/signature 747scheme than the default, run 748.Nm 749with the 750.Fl S Ar type 751option, where 752.Ar type 753is either 754.Cm RSA 755or 756.Cm DSA . 757The most often need to do this is when a DSA-signed certificate is used. 758If it is necessary to use a different certificate scheme than the default, 759run 760.Nm 761with the 762.Fl c Ar scheme 763option and selected 764.Ar scheme 765as needed. 766f 767.Nm 768is run again without these options, it generates a new certificate 769using the same scheme and sign key. 770.Pp 771After setting up the environment it is advisable to update certificates 772from time to time, if only to extend the validity interval. 773Simply run 774.Nm 775with the same flags as before to generate new certificates 776using existing keys. 777However, if the host or sign key is changed, 778.Xr ntpd 1ntpdmdoc 779should be restarted. 780When 781.Xr ntpd 1ntpdmdoc 782is restarted, it loads any new files and restarts the protocol. 783Other dependent hosts will continue as usual until signatures are refreshed, 784at which time the protocol is restarted. 785.Ss Identity Schemes 786As mentioned on the Autonomous Authentication page, 787the default TC identity scheme is vulnerable to a middleman attack. 788However, there are more secure identity schemes available, 789including PC, IFF, GQ and MV described on the 790.Qq Identification Schemes 791page 792(maybe available at 793.Li http://www.eecis.udel.edu/%7emills/keygen.html ) . 794These schemes are based on a TA, one or more trusted hosts 795and some number of nontrusted hosts. 796Trusted hosts prove identity using values provided by the TA, 797while the remaining hosts prove identity using values provided 798by a trusted host and certificate trails that end on that host. 799The name of a trusted host is also the name of its sugroup 800and also the subject and issuer name on its trusted certificate. 801The TA is not necessarily a trusted host in this sense, but often is. 802.Pp 803In some schemes there are separate keys for servers and clients. 804A server can also be a client of another server, 805but a client can never be a server for another client. 806In general, trusted hosts and nontrusted hosts that operate 807as both server and client have parameter files that contain 808both server and client keys. 809Hosts that operate 810only as clients have key files that contain only client keys. 811.Pp 812The PC scheme supports only one trusted host in the group. 813On trusted host alice run 814.Nm 815.Fl P 816.Fl p Ar password 817to generate the host key file 818.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp 819and trusted private certificate file 820.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp . 821Copy both files to all group hosts; 822they replace the files which would be generated in other schemes. 823On each host bob install a soft link from the generic name 824.Pa ntpkey_host_ Ns Ar bob 825to the host key file and soft link 826.Pa ntpkey_cert_ Ns Ar bob 827to the private certificate file. 828Note the generic links are on bob, but point to files generated 829by trusted host alice. 830In this scheme it is not possible to refresh 831either the keys or certificates without copying them 832to all other hosts in the group. 833.Pp 834For the IFF scheme proceed as in the TC scheme to generate keys 835and certificates for all group hosts, then for every trusted host in the group, 836generate the IFF parameter file. 837On trusted host alice run 838.Nm 839.Fl T 840.Fl I 841.Fl p Ar password 842to produce her parameter file 843.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp , 844which includes both server and client keys. 845Copy this file to all group hosts that operate as both servers 846and clients and install a soft link from the generic 847.Pa ntpkey_iff_ Ns Ar alice 848to this file. 849If there are no hosts restricted to operate only as clients, 850there is nothing further to do. 851As the IFF scheme is independent 852of keys and certificates, these files can be refreshed as needed. 853.Pp 854If a rogue client has the parameter file, it could masquerade 855as a legitimate server and present a middleman threat. 856To eliminate this threat, the client keys can be extracted 857from the parameter file and distributed to all restricted clients. 858After generating the parameter file, on alice run 859.Nm 860.Fl e 861and pipe the output to a file or mail program. 862Copy or mail this file to all restricted clients. 863On these clients install a soft link from the generic 864.Pa ntpkey_iff_ Ns Ar alice 865to this file. 866To further protect the integrity of the keys, 867each file can be encrypted with a secret password. 868.Pp 869For the GQ scheme proceed as in the TC scheme to generate keys 870and certificates for all group hosts, then for every trusted host 871in the group, generate the IFF parameter file. 872On trusted host alice run 873.Nm 874.Fl T 875.Fl G 876.Fl p Ar password 877to produce her parameter file 878.Pa ntpkey_GQpar_ Ns Ar alice.filestamp , 879which includes both server and client keys. 880Copy this file to all group hosts and install a soft link 881from the generic 882.Pa ntpkey_gq_ Ns Ar alice 883to this file. 884In addition, on each host bob install a soft link 885from generic 886.Pa ntpkey_gq_ Ns Ar bob 887to this file. 888As the GQ scheme updates the GQ parameters file and certificate 889at the same time, keys and certificates can be regenerated as needed. 890.Pp 891For the MV scheme, proceed as in the TC scheme to generate keys 892and certificates for all group hosts. 893For illustration assume trish is the TA, alice one of several trusted hosts 894and bob one of her clients. 895On TA trish run 896.Nm 897.Fl V Ar n 898.Fl p Ar password , 899where 900.Ar n 901is the number of revokable keys (typically 5) to produce 902the parameter file 903.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp 904and client key files 905.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp 906where 907.Ar d 908is the key number (0 \&< 909.Ar d 910\&< 911.Ar n ) . 912Copy the parameter file to alice and install a soft link 913from the generic 914.Pa ntpkey_mv_ Ns Ar alice 915to this file. 916Copy one of the client key files to alice for later distribution 917to her clients. 918It doesn't matter which client key file goes to alice, 919since they all work the same way. 920Alice copies the client key file to all of her cliens. 921On client bob install a soft link from generic 922.Pa ntpkey_mvkey_ Ns Ar bob 923to the client key file. 924As the MV scheme is independent of keys and certificates, 925these files can be refreshed as needed. 926.Ss Command Line Options 927.Bl -tag -width indent 928.It Fl c Ar scheme 929Select certificate message digest/signature encryption scheme. 930The 931.Ar scheme 932can be one of the following: 933. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , 934or 935.Cm DSA-SHA1 . 936Note that RSA schemes must be used with a RSA sign key and DSA 937schemes must be used with a DSA sign key. 938The default without this option is 939.Cm RSA-MD5 . 940.It Fl d 941Enable debugging. 942This option displays the cryptographic data produced in eye-friendly billboards. 943.It Fl e 944Write the IFF client keys to the standard output. 945This is intended for automatic key distribution by mail. 946.It Fl G 947Generate parameters and keys for the GQ identification scheme, 948obsoleting any that may exist. 949.It Fl g 950Generate keys for the GQ identification scheme 951using the existing GQ parameters. 952If the GQ parameters do not yet exist, create them first. 953.It Fl H 954Generate new host keys, obsoleting any that may exist. 955.It Fl I 956Generate parameters for the IFF identification scheme, 957obsoleting any that may exist. 958.It Fl i Ar name 959Set the suject name to 960.Ar name . 961This is used as the subject field in certificates 962and in the file name for host and sign keys. 963.It Fl M 964Generate MD5 keys, obsoleting any that may exist. 965.It Fl P 966Generate a private certificate. 967By default, the program generates public certificates. 968.It Fl p Ar password 969Encrypt generated files containing private data with 970.Ar password 971and the DES-CBC algorithm. 972.It Fl q 973Set the password for reading files to password. 974.It Fl S Oo Cm RSA | DSA Oc 975Generate a new sign key of the designated type, 976obsoleting any that may exist. 977By default, the program uses the host key as the sign key. 978.It Fl s Ar name 979Set the issuer name to 980.Ar name . 981This is used for the issuer field in certificates 982and in the file name for identity files. 983.It Fl T 984Generate a trusted certificate. 985By default, the program generates a non-trusted certificate. 986.It Fl V Ar nkeys 987Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. 988.El 989.Ss Random Seed File 990All cryptographically sound key generation schemes must have means 991to randomize the entropy seed used to initialize 992the internal pseudo-random number generator used 993by the library routines. 994The OpenSSL library uses a designated random seed file for this purpose. 995The file must be available when starting the NTP daemon and 996.Nm 997program. 998If a site supports OpenSSL or its companion OpenSSH, 999it is very likely that means to do this are already available. 1000.Pp 1001It is important to understand that entropy must be evolved 1002for each generation, for otherwise the random number sequence 1003would be predictable. 1004Various means dependent on external events, such as keystroke intervals, 1005can be used to do this and some systems have built-in entropy sources. 1006Suitable means are described in the OpenSSL software documentation, 1007but are outside the scope of this page. 1008.Pp 1009The entropy seed used by the OpenSSL library is contained in a file, 1010usually called 1011.Cm .rnd , 1012which must be available when starting the NTP daemon 1013or the 1014.Nm 1015program. 1016The NTP daemon will first look for the file 1017using the path specified by the 1018.Ic randfile 1019subcommand of the 1020.Ic crypto 1021configuration command. 1022If not specified in this way, or when starting the 1023.Nm 1024program, 1025the OpenSSL library will look for the file using the path specified 1026by the 1027.Ev RANDFILE 1028environment variable in the user home directory, 1029whether root or some other user. 1030If the 1031.Ev RANDFILE 1032environment variable is not present, 1033the library will look for the 1034.Cm .rnd 1035file in the user home directory. 1036If the file is not available or cannot be written, 1037the daemon exits with a message to the system log and the program 1038exits with a suitable error message. 1039.Ss Cryptographic Data Files 1040All other file formats begin with two lines. 1041The first contains the file name, including the generated host name 1042and filestamp. 1043The second contains the datestamp in conventional Unix date format. 1044Lines beginning with # are considered comments and ignored by the 1045.Nm 1046program and 1047.Xr ntpd 1ntpdmdoc 1048daemon. 1049Cryptographic values are encoded first using ASN.1 rules, 1050then encrypted if necessary, and finally written PEM-encoded 1051printable ASCII format preceded and followed by MIME content identifier lines. 1052.Pp 1053The format of the symmetric keys file is somewhat different 1054than the other files in the interest of backward compatibility. 1055Since DES-CBC is deprecated in NTPv4, the only key format of interest 1056is MD5 alphanumeric strings. 1057Following hte heard the keys are 1058entered one per line in the format 1059.D1 Ar keyno type key 1060where 1061.Ar keyno 1062is a positive integer in the range 1-65,535, 1063.Ar type 1064is the string MD5 defining the key format and 1065.Ar key 1066is the key itself, 1067which is a printable ASCII string 16 characters or less in length. 1068Each character is chosen from the 93 printable characters 1069in the range 0x21 through 0x7f excluding space and the 1070.Ql # 1071character. 1072.Pp 1073Note that the keys used by the 1074.Xr ntpq 1ntpqmdoc 1075and 1076.Xr ntpdc 1ntpdcmdoc 1077programs 1078are checked against passwords requested by the programs 1079and entered by hand, so it is generally appropriate to specify these keys 1080in human readable ASCII format. 1081.Pp 1082The 1083.Nm 1084program generates a MD5 symmetric keys file 1085.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp . 1086Since the file contains private shared keys, 1087it should be visible only to root and distributed by secure means 1088to other subnet hosts. 1089The NTP daemon loads the file 1090.Pa ntp.keys , 1091so 1092.Nm 1093installs a soft link from this name to the generated file. 1094Subsequently, similar soft links must be installed by manual 1095or automated means on the other subnet hosts. 1096While this file is not used with the Autokey Version 2 protocol, 1097it is needed to authenticate some remote configuration commands 1098used by the 1099.Xr ntpq 1ntpqmdoc 1100and 1101.Xr ntpdc 1ntpdcmdoc 1102utilities. 1103 _END_PROG_MDOC_DESCRIP; 1104}; 1105 1106doc-section = { 1107 ds-type = 'USAGE'; 1108 ds-format = 'mdoc'; 1109 ds-text = <<- _END_MDOC_USAGE 1110The 1111.Fl p Ar password 1112option specifies the write password and 1113.Fl q Ar password 1114option the read password for previously encrypted files. 1115The 1116.Nm 1117program prompts for the password if it reads an encrypted file 1118and the password is missing or incorrect. 1119If an encrypted file is read successfully and 1120no write password is specified, the read password is used 1121as the write password by default. 1122 _END_MDOC_USAGE; 1123}; 1124 1125doc-section = { 1126 ds-type = 'NOTES'; 1127 ds-format = 'mdoc'; 1128 ds-text = <<- _END_MDOC_NOTES 1129Portions of this document came from FreeBSD. 1130 _END_MDOC_NOTES; 1131}; 1132 1133doc-section = { 1134 ds-type = 'BUGS'; 1135 ds-format = 'mdoc'; 1136 ds-text = <<- _END_MDOC_BUGS 1137It can take quite a while to generate some cryptographic values, 1138from one to several minutes with modern architectures 1139such as UltraSPARC and up to tens of minutes to an hour 1140with older architectures such as SPARC IPC. 1141.Pp 1142Please report bugs to http://bugs.ntp.org . 1143 _END_MDOC_BUGS; 1144}; 1145