.\" $FreeBSD: src/usr.sbin/ntp/doc/ntp-genkeys.8,v 1.1.2.2 2003/03/11 22:31:29 trhodes Exp $
.Nd generate public and private keys
utility generates random keys used by either or both the
NTPv3/NTPv4 symmetric key or the NTPv4 public key (Autokey)
cryptographic authentication schemes.
The following options are available:
.Bl -tag -width indent
enable debug messages (can be used multiple times)
force installation of generated keys.
Generate file or files indicated by the characters in the
Generate D-H parameter file.
Generate MD5 key file.
Build keys here (current directory).
Do not make the symlinks.
Do not actually do anything, just say what would be done.
Trash the (old) files at the end of the symlink.
By default the program
file containing 16 random symmetric
for the software build, the program generates cryptographic values
used by the Autokey scheme.
These values are incorporated as a set
containing the RSA private key,
.Pa ntpkey_ Ns Ar host
containing the RSA public key, where
is the DNS name of the generating machine, and
containing the parameters for the Diffie-Hellman
key-agreement algorithm.
All files are in printable ASCII
A timestamp in NTP seconds is appended to each.
algorithms are seeded by the system clock, each run of this program
produces a different file and file name.
file contains 16 MD5 keys.
consists of 16 characters randomized over the ASCII 95-character
The file is read by the daemon at the location
configuration file command and made
An additional key consisting of an easily
remembered password should be added by hand for use with the
distributed by secure means to other servers and clients sharing
the same security compartment.
While the key identifiers for MD5
and DES keys must be in the range 1-65534, inclusive, the
utility uses only the identifiers from 1 to
The key identifier for each association is specified as the key
configuration file command.
file contains the RSA private key.
read by the daemon at the location specified by the
file command and made visible only to root.
only to the machine that generated it and never shared with any
other daemon or application program.
.Pa ntpkey_ Ns Ar host
file contains the RSA public
is the DNS name of the host that
The file is read by the daemon at the location
configuration file command.
widely distributed and stored without using secure means, since the
data are public values.
file contains two Diffie-Hellman parameters:
the prime modulus and the generator.
The file is read by the daemon
at the location specified by the
configuration file command.
distributed by insecure means to other servers and clients sharing
the same key agreement compartment, since the data are public
The file formats begin with two lines, the first containing the
generating system DNS name and the second the datestamp.
are considered comments and ignored by
file, the next 16 lines
contain the MD5 keys in order.
If necessary, this file can be
further customized by an ordinary text editor.
described in the following section.
.Pa ntpkey_ Ns Ar host
files, the next line contains the
modulus length in bits followed by the key as a PEM encoded string.
file, the next line contains the prime
length in bytes followed by the prime as a PEM encoded string, and
the next and final line contains the generator length in bytes
followed by the generator as a PEM encoded string.
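.Pp
The following Python script is an added example and is not part of the ntp-genkeys sources or the NTP distribution.
It produces an ntp.keys-style file with the layout described above for the MD5 key file (two leading comment lines carrying the generating host's DNS name and a datestamp, then 16 lines of 16-character MD5 keys numbered 1 through 16, in a file whose name carries a timestamp in NTP seconds) and parses it back, enforcing the identifier range 1-65534 and the 16-character key length.
The "<id> M <key>" column layout of a key line, the "#" prefix on the two header lines, and the exclusion of space and "#" from the key alphabet are assumptions of the example, not statements from this page.
Unlike the clock-seeded generation the page describes, the keys are drawn from the operating system's CSPRNG through the secrets module, and the file is created with mode 0600 so that, like the private key file, it is readable only by its owner.

```python
"""Generate and check an ntp.keys-style MD5 symmetric key file.

Added example; not code from ntp-genkeys(8) or the NTP distribution.  It writes
the layout the manual page describes: two leading comment lines (generating
host's DNS name, then a datestamp), followed by 16 lines holding 16-character
MD5 keys with identifiers 1 through 16, in a file whose name has a timestamp in
NTP seconds appended.  The "<id> M <key>" column layout of a key line is assumed
from the conventional ntp.keys format and is not stated on the page.
"""
import os
import re
import secrets
import socket
import time
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch
KEY_COUNT = 16                 # page: the file contains 16 MD5 keys
KEY_LENGTH = 16                # page: each key is 16 characters
MAX_KEY_ID = 65534             # page: MD5/DES key identifiers lie in 1..65534

# The page draws keys from the ASCII 95-character printing subset (0x20-0x7E).
# This example (its own assumption) leaves out space and '#': a key containing
# a space would not survive whitespace-split parsing, and '#' is used below as
# the comment marker for the two header lines.
KEY_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F) if chr(c) != "#")

KEY_LINE = re.compile(r"^(\d+)\s+M\s+(\S+)$")


def ntp_seconds(unix_time=None):
    """Return Unix time as NTP seconds (era 0), the suffix appended to file names."""
    if unix_time is None:
        unix_time = time.time()
    return int(unix_time) + NTP_UNIX_OFFSET


def generate_md5_keys(count=KEY_COUNT, length=KEY_LENGTH):
    """Return [(id, key), ...] from the OS CSPRNG rather than a clock-seeded generator."""
    return [(key_id, "".join(secrets.choice(KEY_ALPHABET) for _ in range(length)))
            for key_id in range(1, count + 1)]


def format_keys_file(hostname, keys, unix_time):
    """Render the text: DNS-name comment, datestamp comment, then one line per key."""
    stamp = datetime.fromtimestamp(unix_time, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    lines = [f"# {hostname}", f"# {stamp}"]
    lines += [f"{key_id} M {key}" for key_id, key in keys]
    return "\n".join(lines) + "\n"


def parse_keys_file(text):
    """Parse key lines back into {id: key}, rejecting anything outside the page's limits."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank and comment lines are ignored
            continue
        match = KEY_LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not an '<id> M <key>' line")
        key_id, key = int(match.group(1)), match.group(2)
        if not 1 <= key_id <= MAX_KEY_ID:
            raise ValueError(f"line {lineno}: key id {key_id} outside 1..{MAX_KEY_ID}")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        if len(key) != KEY_LENGTH or not all(0x21 <= ord(c) <= 0x7E for c in key):
            raise ValueError(f"line {lineno}: key must be {KEY_LENGTH} printable ASCII characters")
        keys[key_id] = key
    return keys


def write_keys_file(directory, hostname=None, unix_time=None):
    """Write ntp.keys.<NTP seconds> readable only by its owner and return its path."""
    if hostname is None:
        hostname = socket.getfqdn()
    if unix_time is None:
        unix_time = time.time()
    text = format_keys_file(hostname, generate_md5_keys(), unix_time)
    parse_keys_file(text)                        # refuse to install a file we cannot read back
    path = os.path.join(directory, f"ntp.keys.{ntp_seconds(unix_time)}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    return path


if __name__ == "__main__":
    print(write_keys_file("."))
```

Run as a script it writes ntp.keys.<NTP seconds> in the current directory; the parse step is the same check to run on a hand-edited file before pointing the keys configuration file command at it.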
.Pa ./source/rsaref.h
package for explanation of return values, if
It can take quite a while to generate the RSA public/private key
pair and Diffie-Hellman parameters, from a few seconds on a modern
workstation to several minutes on older machines.