freebsd-nq/contrib/ntp/ntpd/invoke-ntp.keys.texi
Cy Schubert 052d159a8b MFV r344878:
4.2.8p12 --> 4.2.8p13

MFC after:	immediately
Security:	CVE-2019-8936
		VuXML: c2576e14-36e2-11e9-9eda-206a8a720317
Obtained from:	nwtime.org
2019-03-07 13:36:00 +00:00

142 lines
3.2 KiB
Plaintext

@node ntp.keys Notes
@section Notes about ntp.keys
@pindex ntp.keys
@cindex NTP symmetric key file format
@ignore
#
# EDIT THIS FILE WITH CAUTION (invoke-ntp.keys.texi)
#
# It has been AutoGen-ed February 20, 2019 at 09:56:41 AM by AutoGen 5.18.5
# From the definitions ntp.keys.def
# and the template file agtexi-file.tpl
@end ignore
This document describes the format of an NTP symmetric key file.
For a description of the use of this type of file, see the
"Authentication Support"
section of the
@code{ntp.conf(5)}
page.
@code{ntpd(8)}
reads its keys from a file specified using the
@code{-k}
command line option or the
@code{keys}
statement in the configuration file.
While key number 0 is fixed by the NTP standard
(as 56 zero bits)
and may not be changed,
one or more keys numbered between 1 and 65535
may be arbitrarily set in the keys file.
The key file uses the same comment conventions
as the configuration file.
Key entries use a fixed format of the form
@example
@kbd{keyno} @kbd{type} @kbd{key} @kbd{opt_IP_list}
@end example
where
@kbd{keyno}
is a positive integer (between 1 and 65535),
@kbd{type}
is the message digest algorithm,
@kbd{key}
is the key itself, and
@kbd{opt_IP_list}
is an optional comma-separated list of IPs
where the
@kbd{keyno}
should be trusted.
that are allowed to serve time.
Each IP in
@kbd{opt_IP_list}
may contain an optional
@code{/subnetbits}
specification which identifies the number of bits for
the desired subnet of trust.
If
@kbd{opt_IP_list}
is empty,
any properly-authenticated message will be
accepted.
The
@kbd{key}
may be given in a format
controlled by the
@kbd{type}
field.
The
@kbd{type}
@code{MD5}
is always supported.
If
@code{ntpd}
was built with the OpenSSL library
then any digest library supported by that library may be specified.
However, if compliance with FIPS 140-2 is required the
@kbd{type}
must be either
@code{SHA}
or
@code{SHA1}.
What follows are some key types, and corresponding formats:
@table @asis
@item @code{MD5}
The key is 1 to 16 printable characters terminated by
an EOL,
whitespace,
or
a
@code{#}
(which is the "start of comment" character).
@item @code{SHA}
@item @code{SHA1}
@item @code{RMD160}
The key is a hex-encoded ASCII string of 40 characters,
which is truncated as necessary.
@end table
Note that the keys used by the
@code{ntpq(8)}
and
@code{ntpdc(8)}
programs are checked against passwords
requested by the programs and entered by hand,
so it is generally appropriate to specify these keys in ASCII format.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{ntp.keys} program.
This software is released under the NTP license, <http://ntp.org/license>.
@menu
* ntp.keys Files:: Files
* ntp.keys See Also:: See Also
* ntp.keys Notes:: Notes
@end menu
@node ntp.keys Files
@subsection ntp.keys Files
@table @asis
@item @file{/etc/ntp.keys}
the default name of the configuration file
@end table
@node ntp.keys See Also
@subsection ntp.keys See Also
@code{ntp.conf(5)},
@code{ntpd(1ntpdmdoc)},
@code{ntpdate(1ntpdatemdoc)},
@code{ntpdc(1ntpdcmdoc)},
@code{sntp(1sntpmdoc)}
@node ntp.keys Notes
@subsection ntp.keys Notes
This document was derived from FreeBSD.