1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
// This is the body of the manual page for ntpkeygen.
// It's included in two places: once for the docs/ HTML
// tree, and once to make an individual man page.
== Synopsis
[verse]
+ntpkeygen+ [+-MV+]
== Description
This program generates a file containing keys that can be used
in NTP's symmetric key cryptography.
The program produces a file containing ten pseudo-random printable
ASCII strings suitable for the MD5 message digest algorithm.
It also produces an additional ten hex-encoded random bit strings
suitable for the SHA-1 and other message digest algorithms.
The keys file must be distributed and stored using secure means
beyond the scope of NTP itself. The keys can also be used as
passwords for the link:ntpq.html[+ntpq+] utility program.
[[cmd]]
== Command Line Options
+-V+, +--version+::
Print the version string and exit.
[[run]]
== Running the program
The simplest way to run the +ntpkeygen+ program is logged in directly as
root. The recommended procedure is to change to the keys directory,
usually +/etc/ntpsec/+, then run the program. Then chown the output
file to ntpsec:ntpsec. It should be mode 400.
WARNING: +ntpkeygen+ uses the system randomness source. On a POSIX
system, this is usually /dev/urandom. Immediately after a reboot, on any
OS, there may not be sufficient entropy available for this program to
perform well. Do not run this program from any startup scripts. Only
run this program on an active host with a lot of available entropy.
[[access]]
== Key file access and location
File names begin with the prefix _ntpkey_ and end with the postfix
_hostname.filestamp_, where _hostname_ is the owner name, usually the
string returned by the Unix gethostname() routine, and _filestamp_ is
the NTP seconds when the file was generated, in decimal digits.
+ntpkeygen+ also makes a soft link from +ntp.keys+ to the generated
file. +ntp.keys+ is the normal file used in +{ntpconf}+.
[[random]]
== Random Seed File
All key generation schemes must have means to randomize the
entropy seed used to initialize the internal pseudo-random
number generator used by the library routines.
It is important to understand that entropy must be evolved for each
generation, for otherwise the random number sequence would be
predictable. Various means dependent on external events, such as
keystroke intervals can be used to do this and some systems have
built-in entropy sources.
This implementation uses Python's random.SystemRandom class, which relies on
os.urandom(). The security of os.urandom() is improved in
https://docs.python.org/library/os.html#os.urandom[Python 3.5+].
[[crypto]]
== Cryptographic Data Files
Unlike NTP Classic, this implementation generates only AES keys,
not MD5 or SHA1.
Since the file contains private shared keys, it should be visible
only to root or ntp.
In order to use a shared key, the line to be used must also be setup
on the target server.
This file is also used to authenticate remote configuration
commands used by the {ntpqman} utility.
Comments may appear in the file and are preceded with the +#+
character.
Following any headers the keys are entered one per line in the
format:
[options="header"]
|====================================================================
|Field | Meaning
|keyno | Positive integer in the range 1-65,535
|type | Type of key (MD5, SHA-1, AES-CMAC etc). This program generates only AES.
|key | the actual key, printable ASCII or hex
|====================================================================
// end
|
