.\" $FreeBSD: src/usr.sbin/ntp/doc/ntp-genkeys.8,v 1.1.2.2 2003/03/11 22:31:29 trhodes Exp $
.\" $DragonFly: src/usr.sbin/ntp/doc/Attic/ntp-genkeys.8,v 1.2 2003/06/17 04:29:58 dillon Exp $
.Nd generate public and private keys
utility generates random keys used by either or both the
NTPv3/NTPv4 symmetric key or the NTPv4 public key (Autokey)
cryptographic authentication schemes.
The following options are available:
.Bl -tag -width indent
Enable debug messages (may be given multiple times).
Force installation of generated keys.
Generate file or files indicated by the characters in the
Generate D-H parameter file.
Generate MD5 key file.
Build keys here (current directory).
Do not make the symlinks.
Do not actually do anything, just say what would be done.
Trash the (old) files at the end of the symlink.
By default the program
file containing 16 random symmetric
for the software build, the program generates cryptographic values
used by the Autokey scheme.
These values are incorporated as a set
containing the RSA private key,
.Pa ntpkey_ Ns Ar host
containing the RSA public key, where
is the DNS name of the generating machine, and
containing the parameters for the Diffie-Hellman
key-agreement algorithm.
All files are in printable ASCII
A timestamp in NTP seconds is appended to each file name.
algorithms are seeded by the system clock, each run of this program
produces a different file and file name.
file contains 16 MD5 keys.
consists of 16 characters randomized over the ASCII 95-character
The file is read by the daemon at the location
configuration file command and made
An additional key consisting of an easily
remembered password should be added by hand for use with the
distributed by secure means to other servers and clients sharing
the same security compartment.
While the key identifiers for MD5
and DES keys must be in the range 1-65534, inclusive, the
utility uses only the identifiers from 1 to
The key identifier for each association is specified as the key
configuration file command.
file contains the RSA private key.
read by the daemon at the location specified by the
file command and made visible only to root.
only to the machine that generated it and never shared with any
other daemon or application program.
.Pa ntpkey_ Ns Ar host
file contains the RSA public
is the DNS name of the host that
The file is read by the daemon at the location
configuration file command.
widely distributed and stored without using secure means, since the
data are public values.
file contains two Diffie-Hellman parameters:
the prime modulus and the generator.
The file is read by the daemon
at the location specified by the
configuration file command.
distributed by insecure means to other servers and clients sharing
the same key agreement compartment, since the data are public
The file formats begin with two lines, the first containing the
generating system DNS name and the second the datestamp.
are considered comments and ignored by
file, the next 16 lines
contain the MD5 keys in order.
If necessary, this file can be
further customized by an ordinary text editor.
described in the following section.
.Pa ntpkey_ Ns Ar host
files, the next line contains the
modulus length in bits followed by the key as a PEM encoded string.
file, the next line contains the prime
length in bytes followed by the prime as a PEM encoded string, and
the next and final line contains the generator length in bytes
followed by the generator as a PEM encoded string.
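The MD5 key file described above, as an added example that is not code from
ntp-genkeys or the NTP distribution: it writes a 16-key ntp.keys file with the
two header comment lines and the NTP-seconds suffix on the file name, then
reads such a file back and checks each key identifier against the 1-65534
range. Three points are this example's assumptions rather than statements on
this page: the per-key line layout (key number, the type letter M, the key
string) follows the keys-file convention ntpd reads; the keys come from the
operating system CSPRNG (the secrets module) instead of a clock-seeded
generator; and the space and # characters are left out of the 95-character
printing subset so that the whitespace-delimited file and its # comment lines
stay parseable. The host name ntp.example.org is a constructed sample value.

```python
import secrets
import string
import time

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds between 1900-01-01 and 1970-01-01
KEY_LEN = 16                      # page: each generated key is 16 characters
KEY_COUNT = 16                    # page: ntp.keys holds 16 keys, ids 1..16
MIN_KEYID, MAX_KEYID = 1, 65534   # page: valid MD5/DES key identifier range

# ASCII 95-character printing subset (page), minus ' ' and '#': the keys
# file is whitespace-delimited and '#' starts a comment (assumed restriction).
PRINTING_SUBSET = string.ascii_letters + string.digits + string.punctuation + " "
KEY_ALPHABET = "".join(c for c in PRINTING_SUBSET if c not in " #")


def ntp_seconds(unix_time=None):
    """Unix time -> NTP seconds, the timestamp appended to the file name."""
    if unix_time is None:
        unix_time = time.time()
    return int(unix_time) + NTP_EPOCH_OFFSET


def random_key():
    """One key: KEY_LEN characters from a CSPRNG (not a clock-seeded PRNG)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LEN))


def build_key_file(host, unix_time=None, count=KEY_COUNT):
    """Return (file name, contents) for an ntp.keys file holding `count` keys.

    Two '#' header lines (generating host, datestamp) precede the key
    lines, which are numbered 1..count as ntp-genkeys does.  The line
    layout '<keyno> M <key>' is the assumed ntpd keys-file convention.
    """
    stamp = ntp_seconds(unix_time)
    datestamp = time.asctime(time.gmtime(stamp - NTP_EPOCH_OFFSET))
    lines = [f"# ntp.keys.{stamp} {host}", f"# {datestamp}"]
    for keyno in range(1, count + 1):
        lines.append(f"{keyno} M {random_key()}")
    return f"ntp.keys.{stamp}", "\n".join(lines) + "\n"


def parse_key_file(text):
    """Parse a keys file into {keyno: key}, rejecting malformed entries.

    Key length is not enforced: the page expects an extra, hand-added
    password key whose length ntp-genkeys does not control.
    """
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # header lines and comments are ignored
        fields = line.split()
        if len(fields) != 3 or fields[1] != "M" or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: expected '<keyno> M <key>'")
        keyno, key = int(fields[0]), fields[2]
        if not MIN_KEYID <= keyno <= MAX_KEYID:
            raise ValueError(f"line {lineno}: key id {keyno} outside "
                             f"{MIN_KEYID}-{MAX_KEYID}")
        if keyno in keys:
            raise ValueError(f"line {lineno}: duplicate key id {keyno}")
        if not key.isascii() or not key.isprintable() or "#" in key:
            raise ValueError(f"line {lineno}: key outside the printing subset")
        keys[keyno] = key
    return keys


if __name__ == "__main__":
    # Constructed sample host; the file name carries the NTP-seconds stamp.
    name, body = build_key_file("ntp.example.org")
    print(name)
    print(body, end="")
    print(sorted(parse_key_file(body)))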
.Pa ./source/rsaref.h
package for explanation of return values, if
It can take quite a while to generate the RSA public/private key
pair and Diffie-Hellman parameters, from a few seconds on a modern
workstation to several minutes on older machines.