xref: /freebsd/contrib/ntp/util/ntp-keygen-opts.def (revision f4b37ed0f8b307b1f3f0f630ca725d68f1dff30d)
1/* -*- Mode: Text -*- */
2
3autogen definitions options;
4
5#include copyright.def
6#include homerc.def
7#include autogen-version.def
8
9prog-name      = "ntp-keygen";
10prog-title     = "Create a NTP host key";
11package        = ntp;
12
13include        = '#include <stdlib.h>';
14#include       version.def
15
16flag = {
17    value     = b;
18    name      = imbits;
19    arg-type  = number;
20    arg-name  = imbits;
21    arg-range = '256->2048';
22    ifdef     = AUTOKEY;
23    descrip   = "identity modulus bits";
24    doc = <<-  _EndOfDoc_
25	The number of bits in the identity modulus.  The default is 256.
26	_EndOfDoc_;
27};
28
29flag = {
30    value     = c;
31    name      = certificate;
32    arg-type  = string;
33    arg-name  = scheme;
34    ifdef     = AUTOKEY;
35    descrip   = "certificate scheme";
36    doc = <<-  _EndOfDoc_
37	scheme is one of
38	RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160,
39	DSA-SHA, or DSA-SHA1.
40
41	Select the certificate message digest/signature encryption scheme.
42	Note that RSA schemes must be used with a RSA sign key and DSA
43	schemes must be used with a DSA sign key.  The default without
44	this option is RSA-MD5.
45	_EndOfDoc_;
46};
47
48flag = {
49    value     = C;
50    name      = cipher;
51    arg-type  = string;
52    arg-name  = cipher;
53    ifdef     = AUTOKEY;
54    descrip   = "privatekey cipher";
55    doc = <<-  _EndOfDoc_
56	Select the cipher which is used to encrypt the files containing
57	private keys.  The default is three-key triple DES in CBC mode,
58	equivalent to "@code{-C des-ede3-cbc".  The openssl tool lists ciphers
59	available in "@code{openssl -h}" output.
60	_EndOfDoc_;
61};
62
63#include       debug-opt.def
64
65flag = {
66    value     = e;
67    name      = id-key;
68    ifdef     = AUTOKEY;
69    descrip   = "Write IFF or GQ identity keys";
70    doc = <<-  _EndOfDoc_
71	Write the IFF or GQ client keys to the standard output.  This is
72	intended for automatic key distribution by mail.
73	_EndOfDoc_;
74};
75
76flag = {
77    value     = G;
78    name      = gq-params;
79    ifdef     = AUTOKEY;
80    descrip   = "Generate GQ parameters and keys";
81    doc = <<-  _EndOfDoc_
82	Generate parameters and keys for the GQ identification scheme,
83	obsoleting any that may exist.
84	_EndOfDoc_;
85};
86
87flag = {
88    value     = H;
89    name      = host-key;
90    ifdef     = AUTOKEY;
91    descrip   = "generate RSA host key";
92    doc = <<-  _EndOfDoc_
93	Generate new host keys, obsoleting any that may exist.
94	_EndOfDoc_;
95};
96
97flag = {
98    value     = I;
99    name      = iffkey;
100    ifdef     = AUTOKEY;
101    descrip   = "generate IFF parameters";
102    doc = <<-  _EndOfDoc_
103	Generate parameters for the IFF identification scheme, obsoleting
104	any that may exist.
105	_EndOfDoc_;
106};
107
108flag = {
109    value     = i;
110    name      = ident;
111    ifdef     = AUTOKEY;
112    arg-type  = string;
113    arg-name  = group;
114    descrip   = "set Autokey group name";
115    doc = <<-  _EndOfDoc_
116	Set the optional Autokey group name to name.  This is used in
117	the file name of IFF, GQ, and MV client parameters files.  In
118	that role, the default is the host name if this option is not
119	provided.  The group name, if specified using @code{-i/--ident} or
120	using @code{-s/--subject-name} following an '@code{@}' character,
121	is also a part of the self-signed host certificate's subject and
122	issuer names in the form @code{host@group} and should match the
123	'@code{crypto ident}' or '@code{server ident}' configuration in
124	@code{ntpd}'s configuration file.
125	_EndOfDoc_;
126};
127
128flag = {
129    value     = l;
130    name      = lifetime;
131    ifdef     = AUTOKEY;
132    arg-type  = number;
133    arg-name  = lifetime;
134    descrip   = "set certificate lifetime";
135    doc = <<-  _EndOfDoc_
136	Set the certificate expiration to lifetime days from now.
137	_EndOfDoc_;
138};
139
140flag = {
141    value     = M;
142    name      = md5key;
143    descrip   = "generate MD5 keys";
144    doc = <<-  _EndOfDoc_
145	Generate MD5 keys, obsoleting any that may exist.
146	_EndOfDoc_;
147};
148
149flag = {
150    value     = m;
151    name      = modulus;
152    arg-type  = number;
153    arg-name  = modulus;
154    arg-range = '256->2048';
155    ifdef     = AUTOKEY;
156    descrip   = "modulus";
157    doc = <<-  _EndOfDoc_
158	The number of bits in the prime modulus.  The default is 512.
159	_EndOfDoc_;
160};
161
162flag = {
163    value     = P;
164    name      = pvt-cert;
165    ifdef     = AUTOKEY;
166    descrip   = "generate PC private certificate";
167    doc = <<-  _EndOfDoc_
168	Generate a private certificate.  By default, the program generates
169	public certificates.
170	_EndOfDoc_;
171};
172
173flag = {
174    value     = p;
175    name      = password;	// was: pvt-passwd;
176    ifdef     = AUTOKEY;
177    arg-type  = string;
178    arg-name  = passwd;
179    descrip   = "local private password";
180    doc = <<-  _EndOfDoc_
181	Local files containing private data are encrypted with the
182	DES-CBC algorithm and the specified password.  The same password
183	must be specified to the local ntpd via the "crypto pw password"
184	configuration command.  The default password is the local
185	hostname.
186	_EndOfDoc_;
187};
188
189flag = {
190    value     = q;
191    name      = export-passwd;	// Was: get-pvt-passwd;
192    ifdef     = AUTOKEY;
193    arg-type  = string;
194    arg-name  = passwd;
195    descrip   = "export IFF or GQ group keys with password";
196    doc = <<-  _EndOfDoc_
197	Export IFF or GQ identity group keys to the standard output,
198	encrypted with the DES-CBC algorithm and the specified password.
199	The same password must be specified to the remote ntpd via the
200	"crypto pw password" configuration command.  See also the option
201	--id-key (-e) for unencrypted exports.
202	_EndOfDoc_;
203};
204
205flag = {
206    value     = S;
207    name      = sign-key;
208    arg-type  = string;
209    arg-name  = sign;
210    ifdef     = AUTOKEY;
211    descrip   = "generate sign key (RSA or DSA)";
212    doc = <<-  _EndOfDoc_
213	Generate a new sign key of the designated type, obsoleting any
214	that may exist.  By default, the program uses the host key as the
215	sign key.
216	_EndOfDoc_;
217};
218
219flag = {
220    value     = s;
221    name      = subject-name;
222    arg-type  = string;
223    arg-name  = host@group;
224    ifdef     = AUTOKEY;
225    descrip   = "set host and optionally group name";
226    doc = <<-  _EndOfDoc_
227	Set the Autokey host name, and optionally, group name specified
228	following an '@code{@}' character.  The host name is used in the file
229	name of generated host and signing certificates, without the
230	group name.  The host name, and if provided, group name are used
231	in @code{host@group} form for the host certificate's subject and issuer
232	fields.  Specifying '@code{-s @group}' is allowed, and results in
233	leaving the host name unchanged while appending @code{@group} to the
234	subject and issuer fields, as with @code{-i group}.  The group name, or
235	if not provided, the host name are also used in the file names
236	of IFF, GQ, and MV client parameter files.
237		_EndOfDoc_;
238};
239
240flag = {
241    value     = T;
242    name      = trusted-cert;
243    ifdef     = AUTOKEY;
244    descrip   = "trusted certificate (TC scheme)";
245    doc = <<-  _EndOfDoc_
246	Generate a trusted certificate.  By default, the program generates
247	a non-trusted certificate.
248	_EndOfDoc_;
249};
250
251flag = {
252    value     = V;
253    name      = mv-params;
254    arg-type  = number;
255    arg-name  = num;
256    ifdef     = AUTOKEY;
257    descrip   = "generate <num> MV parameters";
258    doc = <<-  _EndOfDoc_
259	Generate parameters and keys for the Mu-Varadharajan (MV)
260	identification scheme.
261	_EndOfDoc_;
262};
263
264flag = {
265    value     = v;
266    name      = mv-keys;
267    arg-type  = number;
268    arg-name  = num;
269    ifdef     = AUTOKEY;
270    descrip   = "update <num> MV keys";
271};
272
273/* explain: Additional information whenever the usage routine is invoked */
274explain = <<- _END_EXPLAIN
275	_END_EXPLAIN;
276
277doc-section	= {
278  ds-type	= 'DESCRIPTION';
279  ds-format	= 'mdoc';
280  ds-text	= <<- _END_PROG_MDOC_DESCRIP
281This program generates cryptographic data files used by the NTPv4
282authentication and identification schemes.
283It generates MD5 key files used in symmetric key cryptography.
284In addition, if the OpenSSL software library has been installed,
285it generates keys, certificate and identity files used in public key
286cryptography.
287These files are used for cookie encryption,
288digital signature and challenge/response identification algorithms
289compatible with the Internet standard security infrastructure.
290.Pp
291All files are in PEM-encoded printable ASCII format,
292so they can be embedded as MIME attachments in mail to other sites
293and certificate authorities.
294By default, files are not encrypted.
295.Pp
296When used to generate message digest keys, the program produces a file
297containing ten pseudo-random printable ASCII strings suitable for the
298MD5 message digest algorithm included in the distribution.
299If the OpenSSL library is installed, it produces an additional ten
300hex-encoded random bit strings suitable for the SHA1 and other message
301digest algorithms.
302The message digest keys file must be distributed and stored
303using secure means beyond the scope of NTP itself.
304Besides the keys used for ordinary NTP associations, additional keys
305can be defined as passwords for the
306.Xr ntpq 1ntpqmdoc
307and
308.Xr ntpdc 1ntpdcmdoc
309utility programs.
310.Pp
311The remaining generated files are compatible with other OpenSSL
312applications and other Public Key Infrastructure (PKI) resources.
313Certificates generated by this program are compatible with extant
314industry practice, although some users might find the interpretation of
315X509v3 extension fields somewhat liberal.
316However, the identity keys are probably not compatible with anything
317other than Autokey.
318.Pp
319Some files used by this program are encrypted using a private password.
320The
321.Fl p
322option specifies the password for local encrypted files and the
323.Fl q
324option the password for encrypted files sent to remote sites.
325If no password is specified, the host name returned by the Unix
326.Fn gethostname
327function, normally the DNS name of the host is used.
328.Pp
329The
330.Ar pw
331option of the
332.Ar crypto
333configuration command specifies the read
334password for previously encrypted local files.
335This must match the local password used by this program.
336If not specified, the host name is used.
337Thus, if files are generated by this program without password,
338they can be read back by
339.Ar ntpd
340without password but only on the same host.
341.Pp
342Normally, encrypted files for each host are generated by that host and
343used only by that host, although exceptions exist as noted later on
344this page.
345The symmetric keys file, normally called
346.Ar ntp.keys ,
347is usually installed in
348.Pa /etc .
349Other files and links are usually installed in
350.Pa /usr/local/etc ,
351which is normally in a shared filesystem in
352NFS-mounted networks and cannot be changed by shared clients.
353The location of the keys directory can be changed by the
354.Ar keysdir
355configuration command in such cases.
356Normally, this is in
357.Pa /etc .
358.Pp
359This program directs commentary and error messages to the standard
360error stream
361.Ar stderr
362and remote files to the standard output stream
363.Ar stdout
364where they can be piped to other applications or redirected to files.
365The names used for generated files and links all begin with the
366string
367.Ar ntpkey
368and include the file type, generating host and filestamp,
369as described in the
370.Dq Cryptographic Data Files
371section below.
372.Ss Running the Program
373To test and gain experience with Autokey concepts, log in as root and
374change to the keys directory, usually
375.Pa /usr/local/etc
376When run for the first time, or if all files with names beginning with
377.Ar ntpkey
378have been removed, use the
379.Nm
380command without arguments to generate a
381default RSA host key and matching RSA-MD5 certificate with expiration
382date one year hence.
383If run again without options, the program uses the
384existing keys and parameters and generates only a new certificate with
385new expiration date one year hence.
386.Pp
387Run the command on as many hosts as necessary.
388Designate one of them as the trusted host (TH) using
389.Nm
390with the
391.Fl T
392option and configure it to synchronize from reliable Internet servers.
393Then configure the other hosts to synchronize to the TH directly or
394indirectly.
395A certificate trail is created when Autokey asks the immediately
396ascendant host towards the TH to sign its certificate, which is then
397provided to the immediately descendant host on request.
398All group hosts should have acyclic certificate trails ending on the TH.
399.Pp
400The host key is used to encrypt the cookie when required and so must be
401RSA type.
402By default, the host key is also the sign key used to encrypt
403signatures.
404A different sign key can be assigned using the
405.Fl S
406option and this can be either RSA or DSA type.
407By default, the signature
408message digest type is MD5, but any combination of sign key type and
409message digest type supported by the OpenSSL library can be specified
410using the
411.Fl c
412option.
413The rules say cryptographic media should be generated with proventic
414filestamps, which means the host should already be synchronized before
415this program is run.
416This of course creates a chicken-and-egg problem
417when the host is started for the first time.
418Accordingly, the host time
419should be set by some other means, such as eyeball-and-wristwatch, at
420least so that the certificate lifetime is within the current year.
421After that and when the host is synchronized to a proventic source, the
422certificate should be re-generated.
423.Pp
424Additional information on trusted groups and identity schemes is on the
425.Dq Autokey Public-Key Authentication
426page.
427
428
429.Pp
430The
431.Xr ntpd 1ntpdmdoc
432configuration command
433.Ic crypto pw Ar password
434specifies the read password for previously encrypted files.
435The daemon expires on the spot if the password is missing
436or incorrect.
437For convenience, if a file has been previously encrypted,
438the default read password is the name of the host running
439the program.
440If the previous write password is specified as the host name,
441these files can be read by that host with no explicit password.
442
443.Pp
444File names begin with the prefix
445.Cm ntpkey_
446and end with the postfix
447.Ar _hostname.filestamp ,
448where
449.Ar hostname
450is the owner name, usually the string returned
451by the Unix gethostname() routine, and
452.Ar filestamp
453is the NTP seconds when the file was generated, in decimal digits.
454This both guarantees uniqueness and simplifies maintenance
455procedures, since all files can be quickly removed
456by a
457.Ic rm ntpkey\&*
458command or all files generated
459at a specific time can be removed by a
460.Ic rm
461.Ar \&*filestamp
462command.
463To further reduce the risk of misconfiguration,
464the first two lines of a file contain the file name
465and generation date and time as comments.
466.Pp
467All files are installed by default in the keys directory
468.Pa /usr/local/etc ,
469which is normally in a shared filesystem
470in NFS-mounted networks.
471The actual location of the keys directory
472and each file can be overridden by configuration commands,
473but this is not recommended.
474Normally, the files for each host are generated by that host
475and used only by that host, although exceptions exist
476as noted later on this page.
477.Pp
478Normally, files containing private values,
479including the host key, sign key and identification parameters,
480are permitted root read/write-only;
481while others containing public values are permitted world readable.
482Alternatively, files containing private values can be encrypted
483and these files permitted world readable,
484which simplifies maintenance in shared file systems.
485Since uniqueness is insured by the hostname and
486file name extensions, the files for a NFS server and
487dependent clients can all be installed in the same shared directory.
488.Pp
489The recommended practice is to keep the file name extensions
490when installing a file and to install a soft link
491from the generic names specified elsewhere on this page
492to the generated files.
493This allows new file generations to be activated simply
494by changing the link.
495If a link is present, ntpd follows it to the file name
496to extract the filestamp.
497If a link is not present,
498.Xr ntpd 1ntpdmdoc
499extracts the filestamp from the file itself.
500This allows clients to verify that the file and generation times
501are always current.
502The
503.Nm
504program uses the same timestamp extension for all files generated
505at one time, so each generation is distinct and can be readily
506recognized in monitoring data.
507.Ss Running the program
508The safest way to run the
509.Nm
510program is logged in directly as root.
511The recommended procedure is change to the keys directory,
512usually
513.Pa /usr/local/etc ,
514then run the program.
515When run for the first time,
516or if all
517.Cm ntpkey
518files have been removed,
519the program generates a RSA host key file and matching RSA-MD5 certificate file,
520which is all that is necessary in many cases.
521The program also generates soft links from the generic names
522to the respective files.
523If run again, the program uses the same host key file,
524but generates a new certificate file and link.
525.Pp
526The host key is used to encrypt the cookie when required and so must be RSA type.
527By default, the host key is also the sign key used to encrypt signatures.
528When necessary, a different sign key can be specified and this can be
529either RSA or DSA type.
530By default, the message digest type is MD5, but any combination
531of sign key type and message digest type supported by the OpenSSL library
532can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
533and RIPE160 message digest algorithms.
534However, the scheme specified in the certificate must be compatible
535with the sign key.
536Certificates using any digest algorithm are compatible with RSA sign keys;
537however, only SHA and SHA1 certificates are compatible with DSA sign keys.
538.Pp
539Private/public key files and certificates are compatible with
540other OpenSSL applications and very likely other libraries as well.
541Certificates or certificate requests derived from them should be compatible
542with extant industry practice, although some users might find
543the interpretation of X509v3 extension fields somewhat liberal.
544However, the identification parameter files, although encoded
545as the other files, are probably not compatible with anything other than Autokey.
546.Pp
547Running the program as other than root and using the Unix
548.Ic su
549command
550to assume root may not work properly, since by default the OpenSSL library
551looks for the random seed file
552.Cm .rnd
553in the user home directory.
554However, there should be only one
555.Cm .rnd ,
556most conveniently
557in the root directory, so it is convenient to define the
558.Cm $RANDFILE
559environment variable used by the OpenSSL library as the path to
560.Cm /.rnd .
561.Pp
562Installing the keys as root might not work in NFS-mounted
563shared file systems, as NFS clients may not be able to write
564to the shared keys directory, even as root.
565In this case, NFS clients can specify the files in another
566directory such as
567.Pa /etc
568using the
569.Ic keysdir
570command.
571There is no need for one client to read the keys and certificates
572of other clients or servers, as these data are obtained automatically
573by the Autokey protocol.
574.Pp
575Ordinarily, cryptographic files are generated by the host that uses them,
576but it is possible for a trusted agent (TA) to generate these files
577for other hosts; however, in such cases files should always be encrypted.
578The subject name and trusted name default to the hostname
579of the host generating the files, but can be changed by command line options.
580It is convenient to designate the owner name and trusted name
581as the subject and issuer fields, respectively, of the certificate.
582The owner name is also used for the host and sign key files,
583while the trusted name is used for the identity files.
584
585.Pp
586All files are installed by default in the keys directory
587.Pa /usr/local/etc ,
588which is normally in a shared filesystem
589in NFS-mounted networks.
590The actual location of the keys directory
591and each file can be overridden by configuration commands,
592but this is not recommended.
593Normally, the files for each host are generated by that host
594and used only by that host, although exceptions exist
595as noted later on this page.
596.Pp
597Normally, files containing private values,
598including the host key, sign key and identification parameters,
599are permitted root read/write-only;
600while others containing public values are permitted world readable.
601Alternatively, files containing private values can be encrypted
602and these files permitted world readable,
603which simplifies maintenance in shared file systems.
604Since uniqueness is insured by the hostname and
605file name extensions, the files for a NFS server and
606dependent clients can all be installed in the same shared directory.
607.Pp
608The recommended practice is to keep the file name extensions
609when installing a file and to install a soft link
610from the generic names specified elsewhere on this page
611to the generated files.
612This allows new file generations to be activated simply
613by changing the link.
614If a link is present, ntpd follows it to the file name
615to extract the filestamp.
616If a link is not present,
617.Xr ntpd 1ntpdmdoc
618extracts the filestamp from the file itself.
619This allows clients to verify that the file and generation times
620are always current.
621The
622.Nm
623program uses the same timestamp extension for all files generated
624at one time, so each generation is distinct and can be readily
625recognized in monitoring data.
626.Ss Running the program
627The safest way to run the
628.Nm
629program is logged in directly as root.
630The recommended procedure is change to the keys directory,
631usually
632.Pa /usr/local/etc ,
633then run the program.
634When run for the first time,
635or if all
636.Cm ntpkey
637files have been removed,
638the program generates a RSA host key file and matching RSA-MD5 certificate file,
639which is all that is necessary in many cases.
640The program also generates soft links from the generic names
641to the respective files.
642If run again, the program uses the same host key file,
643but generates a new certificate file and link.
644.Pp
645The host key is used to encrypt the cookie when required and so must be RSA type.
646By default, the host key is also the sign key used to encrypt signatures.
647When necessary, a different sign key can be specified and this can be
648either RSA or DSA type.
649By default, the message digest type is MD5, but any combination
650of sign key type and message digest type supported by the OpenSSL library
651can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
652and RIPE160 message digest algorithms.
653However, the scheme specified in the certificate must be compatible
654with the sign key.
655Certificates using any digest algorithm are compatible with RSA sign keys;
656however, only SHA and SHA1 certificates are compatible with DSA sign keys.
657.Pp
658Private/public key files and certificates are compatible with
659other OpenSSL applications and very likely other libraries as well.
660Certificates or certificate requests derived from them should be compatible
661with extant industry practice, although some users might find
662the interpretation of X509v3 extension fields somewhat liberal.
663However, the identification parameter files, although encoded
664as the other files, are probably not compatible with anything other than Autokey.
665.Pp
666Running the program as other than root and using the Unix
667.Ic su
668command
669to assume root may not work properly, since by default the OpenSSL library
670looks for the random seed file
671.Cm .rnd
672in the user home directory.
673However, there should be only one
674.Cm .rnd ,
675most conveniently
676in the root directory, so it is convenient to define the
677.Cm $RANDFILE
678environment variable used by the OpenSSL library as the path to
679.Cm /.rnd .
680.Pp
681Installing the keys as root might not work in NFS-mounted
682shared file systems, as NFS clients may not be able to write
683to the shared keys directory, even as root.
684In this case, NFS clients can specify the files in another
685directory such as
686.Pa /etc
687using the
688.Ic keysdir
689command.
690There is no need for one client to read the keys and certificates
691of other clients or servers, as these data are obtained automatically
692by the Autokey protocol.
693.Pp
694Ordinarily, cryptographic files are generated by the host that uses them,
695but it is possible for a trusted agent (TA) to generate these files
696for other hosts; however, in such cases files should always be encrypted.
697The subject name and trusted name default to the hostname
698of the host generating the files, but can be changed by command line options.
699It is convenient to designate the owner name and trusted name
700as the subject and issuer fields, respectively, of the certificate.
701The owner name is also used for the host and sign key files,
702while the trusted name is used for the identity files.
703seconds.
704seconds.
705
706s Trusted Hosts and Groups
707Each cryptographic configuration involves selection of a signature scheme
708and identification scheme, called a cryptotype,
709as explained in the
710.Sx Authentication Options
711section of
712.Xr ntp.conf 5 .
713The default cryptotype uses RSA encryption, MD5 message digest
714and TC identification.
715First, configure a NTP subnet including one or more low-stratum
716trusted hosts from which all other hosts derive synchronization
717directly or indirectly.
718Trusted hosts have trusted certificates;
719all other hosts have nontrusted certificates.
720These hosts will automatically and dynamically build authoritative
721certificate trails to one or more trusted hosts.
722A trusted group is the set of all hosts that have, directly or indirectly,
723a certificate trail ending at a trusted host.
724The trail is defined by static configuration file entries
725or dynamic means described on the
726.Sx Automatic NTP Configuration Options
727section of
728.Xr ntp.conf 5 .
729.Pp
730On each trusted host as root, change to the keys directory.
731To insure a fresh fileset, remove all
732.Cm ntpkey
733files.
734Then run
735.Nm
736.Fl T
737to generate keys and a trusted certificate.
738On all other hosts do the same, but leave off the
739.Fl T
740flag to generate keys and nontrusted certificates.
741When complete, start the NTP daemons beginning at the lowest stratum
742and working up the tree.
743It may take some time for Autokey to instantiate the certificate trails
744throughout the subnet, but setting up the environment is completely automatic.
745.Pp
746If it is necessary to use a different sign key or different digest/signature
747scheme than the default, run
748.Nm
749with the
750.Fl S Ar type
751option, where
752.Ar type
753is either
754.Cm RSA
755or
756.Cm DSA .
757The most often need to do this is when a DSA-signed certificate is used.
758If it is necessary to use a different certificate scheme than the default,
759run
760.Nm
761with the
762.Fl c Ar scheme
763option and selected
764.Ar scheme
765as needed.
766f
767.Nm
768is run again without these options, it generates a new certificate
769using the same scheme and sign key.
770.Pp
771After setting up the environment it is advisable to update certificates
772from time to time, if only to extend the validity interval.
773Simply run
774.Nm
775with the same flags as before to generate new certificates
776using existing keys.
777However, if the host or sign key is changed,
778.Xr ntpd 1ntpdmdoc
779should be restarted.
780When
781.Xr ntpd 1ntpdmdoc
782is restarted, it loads any new files and restarts the protocol.
783Other dependent hosts will continue as usual until signatures are refreshed,
784at which time the protocol is restarted.
785.Ss Identity Schemes
786As mentioned on the Autonomous Authentication page,
787the default TC identity scheme is vulnerable to a middleman attack.
788However, there are more secure identity schemes available,
789including PC, IFF, GQ and MV described on the
790.Qq Identification Schemes
791page
792(maybe available at
793.Li http://www.eecis.udel.edu/%7emills/keygen.html ) .
794These schemes are based on a TA, one or more trusted hosts
795and some number of nontrusted hosts.
796Trusted hosts prove identity using values provided by the TA,
797while the remaining hosts prove identity using values provided
798by a trusted host and certificate trails that end on that host.
799The name of a trusted host is also the name of its sugroup
800and also the subject and issuer name on its trusted certificate.
801The TA is not necessarily a trusted host in this sense, but often is.
802.Pp
803In some schemes there are separate keys for servers and clients.
804A server can also be a client of another server,
805but a client can never be a server for another client.
806In general, trusted hosts and nontrusted hosts that operate
807as both server and client have parameter files that contain
808both server and client keys.
809Hosts that operate
810only as clients have key files that contain only client keys.
811.Pp
812The PC scheme supports only one trusted host in the group.
813On trusted host alice run
814.Nm
815.Fl P
816.Fl p Ar password
817to generate the host key file
818.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp
819and trusted private certificate file
820.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp .
821Copy both files to all group hosts;
822they replace the files which would be generated in other schemes.
823On each host bob install a soft link from the generic name
824.Pa ntpkey_host_ Ns Ar bob
825to the host key file and soft link
826.Pa ntpkey_cert_ Ns Ar bob
827to the private certificate file.
828Note the generic links are on bob, but point to files generated
829by trusted host alice.
830In this scheme it is not possible to refresh
831either the keys or certificates without copying them
832to all other hosts in the group.
833.Pp
834For the IFF scheme proceed as in the TC scheme to generate keys
835and certificates for all group hosts, then for every trusted host in the group,
836generate the IFF parameter file.
837On trusted host alice run
838.Nm
839.Fl T
840.Fl I
841.Fl p Ar password
842to produce her parameter file
843.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp ,
844which includes both server and client keys.
845Copy this file to all group hosts that operate as both servers
846and clients and install a soft link from the generic
847.Pa ntpkey_iff_ Ns Ar alice
848to this file.
849If there are no hosts restricted to operate only as clients,
850there is nothing further to do.
851As the IFF scheme is independent
852of keys and certificates, these files can be refreshed as needed.
853.Pp
854If a rogue client has the parameter file, it could masquerade
855as a legitimate server and present a middleman threat.
856To eliminate this threat, the client keys can be extracted
857from the parameter file and distributed to all restricted clients.
858After generating the parameter file, on alice run
859.Nm
860.Fl e
861and pipe the output to a file or mail program.
862Copy or mail this file to all restricted clients.
863On these clients install a soft link from the generic
864.Pa ntpkey_iff_ Ns Ar alice
865to this file.
866To further protect the integrity of the keys,
867each file can be encrypted with a secret password.
868.Pp
869For the GQ scheme proceed as in the TC scheme to generate keys
870and certificates for all group hosts, then for every trusted host
871in the group, generate the IFF parameter file.
872On trusted host alice run
873.Nm
874.Fl T
875.Fl G
876.Fl p Ar password
877to produce her parameter file
878.Pa ntpkey_GQpar_ Ns Ar alice.filestamp ,
879which includes both server and client keys.
880Copy this file to all group hosts and install a soft link
881from the generic
882.Pa ntpkey_gq_ Ns Ar alice
883to this file.
884In addition, on each host bob install a soft link
885from generic
886.Pa ntpkey_gq_ Ns Ar bob
887to this file.
888As the GQ scheme updates the GQ parameters file and certificate
889at the same time, keys and certificates can be regenerated as needed.
890.Pp
891For the MV scheme, proceed as in the TC scheme to generate keys
892and certificates for all group hosts.
893For illustration assume trish is the TA, alice one of several trusted hosts
894and bob one of her clients.
895On TA trish run
896.Nm
897.Fl V Ar n
898.Fl p Ar password ,
899where
900.Ar n
901is the number of revokable keys (typically 5) to produce
902the parameter file
903.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp
904and client key files
905.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp
906where
907.Ar d
908is the key number (0 \&<
909.Ar d
910\&<
911.Ar n ) .
912Copy the parameter file to alice and install a soft link
913from the generic
914.Pa ntpkey_mv_ Ns Ar alice
915to this file.
916Copy one of the client key files to alice for later distribution
917to her clients.
918It doesn't matter which client key file goes to alice,
919since they all work the same way.
920Alice copies the client key file to all of her cliens.
921On client bob install a soft link from generic
922.Pa ntpkey_mvkey_ Ns Ar bob
923to the client key file.
924As the MV scheme is independent of keys and certificates,
925these files can be refreshed as needed.
926.Ss Command Line Options
927.Bl -tag -width indent
928.It Fl c Ar scheme
929Select certificate message digest/signature encryption scheme.
930The
931.Ar scheme
932can be one of the following:
933. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
934or
935.Cm DSA-SHA1 .
936Note that RSA schemes must be used with a RSA sign key and DSA
937schemes must be used with a DSA sign key.
938The default without this option is
939.Cm RSA-MD5 .
940.It Fl d
941Enable debugging.
942This option displays the cryptographic data produced in eye-friendly billboards.
943.It Fl e
944Write the IFF client keys to the standard output.
945This is intended for automatic key distribution by mail.
946.It Fl G
947Generate parameters and keys for the GQ identification scheme,
948obsoleting any that may exist.
949.It Fl g
950Generate keys for the GQ identification scheme
951using the existing GQ parameters.
952If the GQ parameters do not yet exist, create them first.
953.It Fl H
954Generate new host keys, obsoleting any that may exist.
955.It Fl I
956Generate parameters for the IFF identification scheme,
957obsoleting any that may exist.
958.It Fl i Ar name
959Set the suject name to
960.Ar name .
961This is used as the subject field in certificates
962and in the file name for host and sign keys.
963.It Fl M
964Generate MD5 keys, obsoleting any that may exist.
965.It Fl P
966Generate a private certificate.
967By default, the program generates public certificates.
968.It Fl p Ar password
969Encrypt generated files containing private data with
970.Ar password
971and the DES-CBC algorithm.
972.It Fl q
973Set the password for reading files to password.
974.It Fl S Oo Cm RSA | DSA Oc
975Generate a new sign key of the designated type,
976obsoleting any that may exist.
977By default, the program uses the host key as the sign key.
978.It Fl s Ar name
979Set the issuer name to
980.Ar name .
981This is used for the issuer field in certificates
982and in the file name for identity files.
983.It Fl T
984Generate a trusted certificate.
985By default, the program generates a non-trusted certificate.
986.It Fl V Ar nkeys
987Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
988.El
989.Ss Random Seed File
990All cryptographically sound key generation schemes must have means
991to randomize the entropy seed used to initialize
992the internal pseudo-random number generator used
993by the library routines.
994The OpenSSL library uses a designated random seed file for this purpose.
995The file must be available when starting the NTP daemon and
996.Nm
997program.
998If a site supports OpenSSL or its companion OpenSSH,
999it is very likely that means to do this are already available.
1000.Pp
1001It is important to understand that entropy must be evolved
1002for each generation, for otherwise the random number sequence
1003would be predictable.
1004Various means dependent on external events, such as keystroke intervals,
1005can be used to do this and some systems have built-in entropy sources.
1006Suitable means are described in the OpenSSL software documentation,
1007but are outside the scope of this page.
1008.Pp
1009The entropy seed used by the OpenSSL library is contained in a file,
1010usually called
1011.Cm .rnd ,
1012which must be available when starting the NTP daemon
1013or the
1014.Nm
1015program.
1016The NTP daemon will first look for the file
1017using the path specified by the
1018.Ic randfile
1019subcommand of the
1020.Ic crypto
1021configuration command.
1022If not specified in this way, or when starting the
1023.Nm
1024program,
1025the OpenSSL library will look for the file using the path specified
1026by the
1027.Ev RANDFILE
1028environment variable in the user home directory,
1029whether root or some other user.
1030If the
1031.Ev RANDFILE
1032environment variable is not present,
1033the library will look for the
1034.Cm .rnd
1035file in the user home directory.
1036If the file is not available or cannot be written,
1037the daemon exits with a message to the system log and the program
1038exits with a suitable error message.
1039.Ss Cryptographic Data Files
1040All other file formats begin with two lines.
1041The first contains the file name, including the generated host name
1042and filestamp.
1043The second contains the datestamp in conventional Unix date format.
1044Lines beginning with # are considered comments and ignored by the
1045.Nm
1046program and
1047.Xr ntpd 1ntpdmdoc
1048daemon.
1049Cryptographic values are encoded first using ASN.1 rules,
1050then encrypted if necessary, and finally written PEM-encoded
1051printable ASCII format preceded and followed by MIME content identifier lines.
1052.Pp
1053The format of the symmetric keys file is somewhat different
1054than the other files in the interest of backward compatibility.
1055Since DES-CBC is deprecated in NTPv4, the only key format of interest
1056is MD5 alphanumeric strings.
1057Following hte heard the keys are
1058entered one per line in the format
1059.D1 Ar keyno type key
1060where
1061.Ar keyno
1062is a positive integer in the range 1-65,535,
1063.Ar type
1064is the string MD5 defining the key format and
1065.Ar key
1066is the key itself,
1067which is a printable ASCII string 16 characters or less in length.
1068Each character is chosen from the 93 printable characters
1069in the range 0x21 through 0x7f excluding space and the
1070.Ql #
1071character.
1072.Pp
1073Note that the keys used by the
1074.Xr ntpq 1ntpqmdoc
1075and
1076.Xr ntpdc 1ntpdcmdoc
1077programs
1078are checked against passwords requested by the programs
1079and entered by hand, so it is generally appropriate to specify these keys
1080in human readable ASCII format.
1081.Pp
1082The
1083.Nm
1084program generates a MD5 symmetric keys file
1085.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp .
1086Since the file contains private shared keys,
1087it should be visible only to root and distributed by secure means
1088to other subnet hosts.
1089The NTP daemon loads the file
1090.Pa ntp.keys ,
1091so
1092.Nm
1093installs a soft link from this name to the generated file.
1094Subsequently, similar soft links must be installed by manual
1095or automated means on the other subnet hosts.
1096While this file is not used with the Autokey Version 2 protocol,
1097it is needed to authenticate some remote configuration commands
1098used by the
1099.Xr ntpq 1ntpqmdoc
1100and
1101.Xr ntpdc 1ntpdcmdoc
1102utilities.
1103	_END_PROG_MDOC_DESCRIP;
1104};
1105
1106doc-section	= {
1107  ds-type	= 'USAGE';
1108  ds-format	= 'mdoc';
1109  ds-text	= <<- _END_MDOC_USAGE
1110The
1111.Fl p Ar password
1112option specifies the write password and
1113.Fl q Ar password
1114option the read password for previously encrypted files.
1115The
1116.Nm
1117program prompts for the password if it reads an encrypted file
1118and the password is missing or incorrect.
1119If an encrypted file is read successfully and
1120no write password is specified, the read password is used
1121as the write password by default.
1122	_END_MDOC_USAGE;
1123};
1124
1125doc-section	= {
1126  ds-type	= 'NOTES';
1127  ds-format	= 'mdoc';
1128  ds-text	= <<- _END_MDOC_NOTES
1129Portions of this document came from FreeBSD.
1130	_END_MDOC_NOTES;
1131};
1132
1133doc-section	= {
1134  ds-type	= 'BUGS';
1135  ds-format	= 'mdoc';
1136  ds-text	= <<- _END_MDOC_BUGS
1137It can take quite a while to generate some cryptographic values,
1138from one to several minutes with modern architectures
1139such as UltraSPARC and up to tens of minutes to an hour
1140with older architectures such as SPARC IPC.
1141.Pp
1142Please report bugs to http://bugs.ntp.org .
1143	_END_MDOC_BUGS;
1144};
1145