freebsd-skq/contrib/ntp/ntpd/invoke-ntp.keys.texi
Cy Schubert 767173cec2 MFV r362565:
Update 4.2.8p14 --> 4.2.8p15

Summary: Systems that use a CMAC algorithm in ntp.keys will not release
a bit of memory on each packet that uses a CMAC keyid, eventually causing
ntpd to run out of memory and fail. The CMAC cleanup from
https://bugs.ntp.org/3447, part of ntp-4.2.8p11, introduced a bug whereby
the CMAC data structure was no longer completely removed.

MFC after:	3 days
Security:	NTP Bug 3661
2020-06-24 01:51:05 +00:00


@node ntp.keys Notes
@section Notes about ntp.keys
@pindex ntp.keys
@cindex NTP symmetric key file format
@ignore
#
# EDIT THIS FILE WITH CAUTION (invoke-ntp.keys.texi)
#
# It has been AutoGen-ed June 23, 2020 at 02:20:33 AM by AutoGen 5.18.5
# From the definitions ntp.keys.def
# and the template file agtexi-file.tpl
@end ignore
This document describes the format of an NTP symmetric key file.
For a description of the use of this type of file, see the
"Authentication Support"
section of the
@code{ntp.conf(5)}
page.
@code{ntpd(8)}
reads its keys from a file specified using the
@code{-k}
command line option or the
@code{keys}
statement in the configuration file.
While key number 0 is fixed by the NTP standard
(as 56 zero bits)
and may not be changed,
one or more keys numbered between 1 and 65535
may be arbitrarily set in the keys file.
The key file uses the same comment conventions
as the configuration file.
Key entries use a fixed format of the form
@example
@kbd{keyno} @kbd{type} @kbd{key} @kbd{opt_IP_list}
@end example
where
@kbd{keyno}
is a positive integer (between 1 and 65535),
@kbd{type}
is the message digest algorithm,
@kbd{key}
is the key itself, and
@kbd{opt_IP_list}
is an optional comma-separated list of IPs
where the
@kbd{keyno}
should be trusted,
that is, the sources that are allowed to serve time.
Each IP in
@kbd{opt_IP_list}
may contain an optional
@code{/subnetbits}
specification which identifies the number of bits for
the desired subnet of trust.
If
@kbd{opt_IP_list}
is empty,
any properly-authenticated message will be
accepted.
The
@kbd{key}
may be given in a format
controlled by the
@kbd{type}
field.
The
@kbd{type}
@code{MD5}
is always supported.
If
@code{ntpd}
was built with the OpenSSL library
then any digest library supported by that library may be specified.
However, if compliance with FIPS 140-2 is required the
@kbd{type}
must be either
@code{SHA}
or
@code{SHA1}.
What follows are some key types, and corresponding formats:
@table @asis
@item @code{MD5}
The key is 1 to 16 printable characters terminated by
an EOL,
whitespace,
or
a
@code{#}
(which is the "start of comment" character).
@item @code{SHA}
@item @code{SHA1}
@item @code{RMD160}
The key is a hex-encoded ASCII string of 40 characters,
which is truncated as necessary.
@end table
Note that the keys used by the
@code{ntpq(8)}
and
@code{ntpdc(8)}
programs are checked against passwords
requested by the programs and entered by hand,
so it is generally appropriate to specify these keys in ASCII format.
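The key file format described in this section, as an added example that is not part of the original page nor ntpd's own parser: a small Python validator that applies the stated rules (comment conventions, keyno 1 to 65535, MD5 key of 1 to 16 printable characters, SHA/SHA1/RMD160 hex keys, optional IP list with /subnetbits) and a lookup that decides whether a source address falls inside a key's trust list. The sample file contents are constructed; the validator assumes hex keys up to 40 characters and rejects longer ones rather than truncating them.

```python
import ipaddress
import re

# Constructed sample ntp.keys contents (not real keys): an MD5 ASCII key,
# a SHA1 hex key with an IP list using /subnetbits, and two invalid entries.
SAMPLE_KEYS = """\
# constructed sample, not a real key file
1  MD5  example_pw          # ASCII, 1-16 printable chars
20 SHA1 0123456789abcdef0123456789abcdef01234567 192.0.2.1,198.51.100.0/24
30 MD5  this_key_is_far_too_long
70000 SHA1 00
"""

HEXKEY = re.compile(r"^[0-9a-fA-F]{1,40}$")   # assumption: at most 40 hex chars

def parse_ntp_keys(text):
    """Return (entries, errors); each entry has keyno, type, key and ip networks."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment, as in ntp.conf
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            errors.append((lineno, "expected: keyno type key [ip_list]"))
            continue
        keyno_s, ktype, key = fields[:3]
        ip_list = fields[3] if len(fields) == 4 else ""
        if not keyno_s.isdigit() or not 1 <= int(keyno_s) <= 65535:
            errors.append((lineno, "keyno must be 1..65535; key 0 is fixed by the standard"))
            continue
        ktype = ktype.upper()
        if ktype == "MD5" and not (1 <= len(key) <= 16 and key.isprintable()):
            errors.append((lineno, "MD5 key: 1-16 printable characters"))
            continue
        if ktype in ("SHA", "SHA1", "RMD160") and not HEXKEY.match(key):
            errors.append((lineno, f"{ktype} key: hex-encoded ASCII string"))
            continue
        if ktype not in ("MD5", "SHA", "SHA1", "RMD160"):
            errors.append((lineno, f"unsupported type {ktype}"))
            continue
        try:   # each IP may carry /subnetbits; an empty list trusts any source
            nets = [ipaddress.ip_network(ip, strict=False) for ip in ip_list.split(",") if ip]
        except ValueError as exc:
            errors.append((lineno, f"bad IP list: {exc}"))
            continue
        entries.append({"keyno": int(keyno_s), "type": ktype, "key": key, "ips": nets})
    return entries, errors

def trusted_for(entries, keyno, source_ip):
    """True when keyno exists and source_ip is in its trust list (or the list is empty)."""
    addr = ipaddress.ip_address(source_ip)
    for e in entries:
        if e["keyno"] == keyno:
            return not e["ips"] or any(addr in n for n in e["ips"])
    return False
```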
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{ntp.keys} program.
This software is released under the NTP license, <http://ntp.org/license>.
@menu
* ntp.keys Files:: Files
* ntp.keys See Also:: See Also
* ntp.keys Notes:: Notes
@end menu
@node ntp.keys Files
@subsection ntp.keys Files
@table @asis
@item @file{/etc/ntp.keys}
the default name of the configuration file
@end table
@node ntp.keys See Also
@subsection ntp.keys See Also
@code{ntp.conf(5)},
@code{ntpd(1ntpdmdoc)},
@code{ntpdate(1ntpdatemdoc)},
@code{ntpdc(1ntpdcmdoc)},
@code{sntp(1sntpmdoc)}
@node ntp.keys Notes
@subsection ntp.keys Notes
This document was derived from FreeBSD.