Authentication Commands and Options
from Alice's Adventures in Wonderland, Lewis Carroll
Our resident cryptographer; now you see him, now you don't.
Last update: 02-Oct-2010 23:55 UTC
Commands and Options
Unless noted otherwise, further information about these commands is on the Authentication Support page.
- automax [logsec]
- Specifies the interval between regenerations of the session key list used with the Autokey protocol, as a power of 2 in seconds. Note that the size of the key list for each association depends on this interval and the current poll interval. The default interval is 12 (about 1.1 h). For poll intervals above the specified interval, a session key list with a single entry will be regenerated for every message sent. See the Autokey Public Key Authentication page for further information.
- controlkey keyid
- Specifies the key ID to use with the ntpq utility, which uses the standard protocol defined in RFC-1305. The keyid argument is the key ID for a trusted key, where the value can be in the range 1 to 65534, inclusive.
- crypto [randfile file] [host name] [ident name] [pw password]
- This command requires the OpenSSL library. It activates public key cryptography and loads the required host key and public certificate. If one or more files are left unspecified, the default names are used as described below. Unless the complete path and name of the file are specified, the location of a file is relative to the keys directory specified in the keysdir configuration command or default /usr/local/etc. See the Autokey Public Key Authentication page for further information. Following are the options.
- digest MD2 | MD4 | MD5 | MDC2 | RIPEMD160 | SHA | SHA1
- Specify the message digest algorithm, with default MD5. If the OpenSSL library is installed, name can be any message digest algorithm supported by the library not exceeding 160 bits in length. However, all Autokey participants in an Autokey subnet must use the same algorithm. Note that the Autokey message digest algorithm is separate and distinct from the symmetric key message digest algorithms. Note: If compliance with FIPS 140-2 is required, the algorithm must be either SHA or SHA1.
- host name
- Specifies the string used when constructing the names for the host, sign and certificate files generated by the ntp-keygen program with the -s name option.
- ident name
- Specifies the string used in constructing the identity files generated by the ntp-keygen program with the -i name option.
- pw password
- Specifies the password to decrypt files previously encrypted by the ntp-keygen program with the -p option.
- randfile file
- Specifies the location of the random seed file used by the OpenSSL library. The defaults are described on the ntp-keygen page.
- keys keyfile
- Specifies the complete path to the MD5 key file containing the keys and key IDs used by ntpd, ntpq and ntpdc when operating with symmetric key cryptography. This is the same operation as the -k command line option. Note that the directory path for Autokey media is specified by the keysdir command.
- keysdir path
- This command specifies the default directory path for Autokey cryptographic keys, parameters and certificates. The default is /usr/local/etc/. Note that the path for the symmetric keys file is specified by the keys command.
- requestkey keyid
- Specifies the key ID to use with the ntpdc utility program, which uses a proprietary protocol specific to this implementation of ntpd. The keyid argument is a key ID for a trusted key, in the range 1 to 65534, inclusive.
- revoke [logsec]
- Specifies the interval between re-randomization of certain cryptographic values used by the Autokey scheme, as a power of 2 in seconds. These values need to be updated frequently in order to deflect brute-force attacks on the algorithms; however, updating some values is a relatively expensive operation. The default interval is 17 (about 36 h). For poll intervals above the specified interval, the values will be updated for every message sent.
- trustedkey [keyid | (lowid ... highid)] [...]
- Specifies the key ID(s) which are trusted for the purposes of authenticating peers with symmetric key cryptography. Key IDs used to authenticate ntpq and ntpdc operations must be listed here and additionally be enabled with controlkey and/or requestkey. The authentication procedure for time transfer requires that both the local and remote NTP servers employ the same key ID and secret for this purpose, although different key IDs may be used with different servers. Ranges of trusted key IDs may be specified: trustedkey (1 ... 19) 1000 (100 ... 199) enables the lowest 120 key IDs which start with the digit 1. The spaces surrounding the ellipsis are required when specifying a range.
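As an added example (not code from the NTP distribution or its documentation), the following Python linter applies the rules above to a constructed ntp.conf fragment: it expands trustedkey arguments using exactly the range syntax described, rejects key IDs outside 1 to 65534, and reports a controlkey or requestkey ID that is not also listed in trustedkey. The key ID bounds and the range example come from this page; the function names and the sample configuration are assumptions of my own.

```python
import re

KEYID_MIN, KEYID_MAX = 1, 65534
# One trustedkey argument: "(lowid ... highid)" with spaces around the ellipsis, or a bare key ID.
_ARG = r"\(\s*(\d+)\s+\.\.\.\s+(\d+)\s*\)|(\d+)"

def expand_trustedkey(args):
    """Expand the arguments of a trustedkey statement into the set of key IDs it enables."""
    if not re.fullmatch(rf"\s*(?:(?:{_ARG})\s*)*", args):
        raise ValueError(f"bad trustedkey syntax {args!r} (spaces around '...' are required)")
    ids = set()
    for lo, hi, single in re.findall(_ARG, args):
        lo, hi = (int(single), int(single)) if single else (int(lo), int(hi))
        if not KEYID_MIN <= lo <= hi <= KEYID_MAX:
            raise ValueError(f"key IDs {lo}..{hi} outside {KEYID_MIN}..{KEYID_MAX}")
        ids.update(range(lo, hi + 1))
    return ids

def check_auth_config(conf):
    """Return the problems found in the symmetric-key statements of an ntp.conf text."""
    trusted, utility_keys, problems = set(), {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cmd, *rest = line.split(None, 1)
        arg = rest[0] if rest else ""
        if cmd == "trustedkey":
            try:
                trusted |= expand_trustedkey(arg)
            except ValueError as err:
                problems.append(f"trustedkey: {err}")
        elif cmd in ("controlkey", "requestkey"):
            if not arg.isdigit() or not KEYID_MIN <= int(arg) <= KEYID_MAX:
                problems.append(f"{cmd}: key ID {arg!r} must be in {KEYID_MIN}..{KEYID_MAX}")
            else:
                utility_keys[cmd] = int(arg)
    # ntpq/ntpdc key IDs must also be listed in trustedkey, or the utilities cannot authenticate.
    for cmd, keyid in utility_keys.items():
        if keyid not in trusted:
            problems.append(f"{cmd}: key ID {keyid} is not listed in trustedkey")
    return problems

# Constructed ntp.conf fragment for demonstration, not taken from any real deployment.
SAMPLE_CONF = """\
keys /etc/ntp.keys
trustedkey (1 ... 19) 1000 (100 ... 199)   # the 120 key IDs from the example above
controlkey 1000
requestkey 2001     # not in trustedkey: ntpdc could not authenticate with it
"""
```

Running `check_auth_config(SAMPLE_CONF)` reports only the requestkey line; the controlkey ID 1000 is accepted because it is within the expanded trustedkey set.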