ntp-genkeys -- generate public and private keys
ntp-genkeys [-dfhlnt] [-c conffile] [-g target] [-k keyfile]
The ntp-genkeys utility generates random keys used by either or both the
NTPv3/NTPv4 symmetric key or the NTPv4 public key (Autokey) cryptographic
The following options are available:
Location of ntp.conf(5) file.
-d enable debug messages (can be used multiple times)
-f force installation of generated keys.
Generate file or files indicated by the characters in the target
d Generate D-H parameter file.
m Generate MD5 key file.
r Generate RSA keys.
-h Build keys here (current directory). Implies -l.
Location of key file.
-l Do not make the symlinks.
-n Do not actually do anything, just say what would be done.
-t Trash the (old) files at the end of symlink.
By default the program generates the ntp.keys(5) file containing 16 random
symmetric keys. In addition, if the rsaref20 package is configured
for the software build, the program generates cryptographic values used
by the Autokey scheme. These values are incorporated as a set of three
files, ntpkey containing the RSA private key, ntpkey_host containing the
RSA public key, where host is the DNS name of the generating machine, and
ntpkey_dh containing the parameters for the Diffie-Hellman key-agreement
algorithm. All files and are in printable ASCII format. A timestamp in
NTP seconds is appended to each. Since the algorithms are seeded by the
system clock, each run of this program produces a different file and file
The ntp.keys(5) file contains 16 MD5 keys. Each key consists of 16 characters
randomized over the ASCII 95-character printing subset. The file
is read by the daemon at the location specified by the keys configuration
file command and made visible only to root. An additional key consisting
of an easily remembered password should be added by hand for use with the
ntpq(8) and ntpdc(8) programs. The file must be distributed by secure
means to other servers and clients sharing the same security compartment.
While the key identifiers for MD5 and DES keys must be in the range
1-65534, inclusive, the ntp-genkeys utility uses only the identifiers
from 1 to 16. The key identifier for each association is specified as
the key argument in the server or peer configuration file command.
The ntpkey file contains the RSA private key. It is read by the daemon
at the location specified by the privatekey argument of the crypto configuration
file command and made visible only to root. This file is useful
only to the machine that generated it and never shared with any other
daemon or application program.
The ntpkey_host file contains the RSA public key, where host is the DNS
name of the host that generated it. The file is read by the daemon at
the location specified by the publickey argument to the server or peer
configuration file command. This file can be widely distributed and
stored without using secure means, since the data are public values.
The ntp_dh file contains two Diffie-Hellman parameters: the prime modulus
and the generator. The file is read by the daemon at the location specified
by the dhparams argument of the crypto configuration file command.
The file can be distributed by insecure means to other servers and
clients sharing the same key agreement compartment, since the data are
The file formats begin with two lines, the first containing the generating
system DNS name and the second the datestamp. Lines beginning with
`#' are considered comments and ignored by the daemon. In the
ntp.keys(5) file, the next 16 lines contain the MD5 keys in order. If
necessary, this file can be further customized by an ordinary text editor.
The format is described in the following section. In the ntpkey
and ntpkey_host files, the next line contains the modulus length in bits
followed by the key as a PEM encoded string. In the ntpkey_dh file, the
next line contains the prime length in bytes followed by the prime as a
PEM encoded string, and the next and final line contains the generator
length in bytes followed by the generator as a PEM encoded string.
Note: See the file ./source/rsaref.h in the rsaref20 package for explanation
of return values, if necessary.
ntp.keys(5), ntpdc(8), ntpq(8)
It can take quite a while to generate the RSA public/private key pair and
Diffie-Hellman parameters, from a few seconds on a modern workstation to
several minutes on older machines.
FreeBSD 5.2.1 August 2, 2001 FreeBSD 5.2.1 [ Back ]