author | ru <ru@FreeBSD.org> | 2006-09-30 19:07:03 +0000 |
---|---|---|
committer | ru <ru@FreeBSD.org> | 2006-09-30 19:07:03 +0000 |
commit | 99849399c0a14e1ff2773e87de05c18ee59ab128 (patch) | |
tree | 309e64ec3f7014ee546cba7fe8d72e3da8aef1d5 /usr.sbin/ntp | |
parent | 793f672a87878712ede431f9204d95b213440f66 (diff) | |
download | FreeBSD-src-99849399c0a14e1ff2773e87de05c18ee59ab128.zip FreeBSD-src-99849399c0a14e1ff2773e87de05c18ee59ab128.tar.gz |
Revise markup.
Diffstat (limited to 'usr.sbin/ntp')
-rw-r--r-- | usr.sbin/ntp/doc/ntp-keygen.8 | 57 |
1 files changed, 38 insertions, 19 deletions
diff --git a/usr.sbin/ntp/doc/ntp-keygen.8 b/usr.sbin/ntp/doc/ntp-keygen.8 index bf08692..8266129 100644 --- a/usr.sbin/ntp/doc/ntp-keygen.8 +++ b/usr.sbin/ntp/doc/ntp-keygen.8 @@ -2,7 +2,7 @@ .\" $FreeBSD$ .\" .Dd May 17, 2006 -.Dt NTP-KEYGEN. 8 +.Dt NTP-KEYGEN 8 .Os .Sh NAME .Nm ntp-keygen @@ -10,27 +10,28 @@ .Sh SYNOPSIS .Nm .Op Fl deGgHIMnPT -.Op Fl c Oo Cm RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 Oc +.Op Fl c Ar scheme .Op Fl i Ar name .Op Fl p Ar password -.Op Fl S Oo Cm RSA | DSA Oc +.Op Fl S Op Cm RSA | DSA .Op Fl s Ar name .Op Fl v Ar nkeys - .Sh DESCRIPTION This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. It generates MD5 key files used in symmetric key cryptography. In addition, if the OpenSSL software library has been installed, it generates keys, certificate and identity files used in public key -cryptography. These files are used for cookie encryption, +cryptography. +These files are used for cookie encryption, digital signature and challenge/response identification algorithms compatible with the Internet standard security infrastructure. .Pp All files are in PEM-encoded printable ASCII format, so they can be embedded as MIME attachments in mail to other sites and certificate authorities. -By default, files are not encrypted. The +By default, files are not encrypted. +The .Fl p Ar password option specifies the write password and .Fl q Ar password @@ -82,7 +83,8 @@ and generation date and time as comments. All files are installed by default in the keys directory .Pa /usr/local/etc , which is normally in a shared filesystem -in NFS-mounted networks. The actual location of the keys directory +in NFS-mounted networks. +The actual location of the keys directory and each file can be overridden by configuration commands, but this is not recommended. Normally, the files for each host are generated by that host 
@@ -112,7 +114,8 @@ If a link is not present, .Xr ntpd 8 extracts the filestamp from the file itself. This allows clients to verify that the file and generation times -are always current. The +are always current. +The .Nm program uses the same timestamp extension for all files generated at one time, so each generation is distinct and can be readily @@ -124,7 +127,8 @@ program is logged in directly as root. The recommended procedure is change to the keys directory, usually .Pa /ust/local/etc , -then run the program. When run for the first time, +then run the program. +When run for the first time, or if all .Cm ntpkey files have been removed, @@ -205,7 +209,8 @@ The default cryptotype uses RSA encryption, MD5 message digest and TC identification. First, configure a NTP subnet including one or more low-stratum trusted hosts from which all other hosts derive synchronization -directly or indirectly. Trusted hosts have trusted certificates; +directly or indirectly. +Trusted hosts have trusted certificates; all other hosts have nontrusted certificates. These hosts will automatically and dynamically build authoritative certificate trails to one or more trusted hosts. @@ -295,7 +300,8 @@ A server can also be a client of another server, but a client can never be a server for another client. In general, trusted hosts and nontrusted hosts that operate as both server and client have parameter files that contain -both server and client keys. Hosts that operate +both server and client keys. +Hosts that operate only as clients have key files that contain only client keys. .Pp The PC scheme supports only one trusted host in the group. 
@@ -315,7 +321,8 @@ to the host key file and soft link .Pa ntpkey_cert_ Ns Ar bob to the private certificate file. Note the generic links are on bob, but point to files generated -by trusted host alice. In this scheme it is not possible to refresh +by trusted host alice. +In this scheme it is not possible to refresh either the keys or certificates without copying them to all other hosts in the group. .Pp @@ -335,7 +342,8 @@ and clients and install a soft link from the generic .Pa ntpkey_iff_ Ns Ar alice to this file. If there are no hosts restricted to operate only as clients, -there is nothing further to do. As the IFF scheme is independent +there is nothing further to do. +As the IFF scheme is independent of keys and certificates, these files can be refreshed as needed. .Pp If a rogue client has the parameter file, it could masquerade @@ -349,7 +357,8 @@ and pipe the output to a file or mail program. Copy or mail this file to all restricted clients. On these clients install a soft link from the generic .Pa ntpkey_iff_ Ns Ar alice -to this file. To further protect the integrity of the keys, +to this file. +To further protect the integrity of the keys, each file can be encrypted with a secret password. .Pp For the GQ scheme proceed as in the TC scheme to generate keys @@ -377,7 +386,8 @@ at the same time, keys and certificates can be regenerated as needed. For the MV scheme, proceed as in the TC scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts -and bob one of her clients. On TA trish run +and bob one of her clients. +On TA trish run .Nm .Fl V Ar n .Fl p Ar password , 
@@ -410,8 +420,14 @@ As the MV scheme is independent of keys and certificates, these files can be refreshed as needed. .Ss Command Line Options .Bl -tag -width indent -.It Fl c Oo Cm RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 Oc +.It Fl c Ar scheme Select certificate message digest/signature encryption scheme. +The +.Ar scheme +can be one of the following: +. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , +or +.Cm DSA-SHA1 . Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is @@ -473,7 +489,8 @@ by the library routines. The OpenSSL library uses a designated random seed file for this purpose. The file must be available when starting the NTP daemon and .Nm -program. If a site supports OpenSSL or its companion OpenSSH, +program. +If a site supports OpenSSL or its companion OpenSSH, it is very likely that means to do this are already available. .Pp It is important to understand that entropy must be evolved @@ -490,7 +507,8 @@ usually called which must be available when starting the NTP daemon or the .Nm -program. The NTP daemon will first look for the file +program. +The NTP daemon will first look for the file using the path specified by the .Ic randfile subcommand of the @@ -530,7 +548,8 @@ printable ASCII format preceded and followed by MIME content identifier lines. The format of the symmetric keys file is somewhat different than the other files in the interest of backward compatibility. Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. Following hte heard the keys are +is MD5 alphanumeric strings. +Following hte heard the keys are entered one per line in the format .D1 Ar keyno type key where |
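Review bot: the SYNOPSIS hunk (@@ -10,27 +10,28 @@) still omits options the body depends on: the context lines right after it describe `.Fl q Ar password` as the read password, and the MV-scheme hunk has the TA run `.Nm .Fl V Ar n`, yet neither `-q` nor `-V` appears in `.Op Fl deGgHIMnPT` or as its own `.Op`. Since the option lines are being rewritten anyway, add `.Op Fl q Ar password` next to `.Op Fl p Ar password` and `.Op Fl V Ar n` next to `.Op Fl v Ar nkeys`. Check also that `.Op Fl S Op Cm RSA | DSA` is intended: the inner `.Op` declares the key type optional, which is only right if `-S` may be given bare; otherwise `.Op Fl S Cm RSA | DSA` is the correct markup. A minor style point in the same hunk: the DESCRIPTION opens with "This program generates", where FreeBSD mdoc convention is "The .Nm utility generates".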
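Review bot: in the @@ -124,7 +127,8 @@ hunk the context line `.Pa /ust/local/etc ,` directly above the split sentence carries a typo, `ust` for `usr`; the earlier hunk gives the same keys directory as `.Pa /usr/local/etc ,`. As the neighbouring line is already touched, fix the path in this commit so the two references agree.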
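Review bot: in the @@ -205,7 +209,8 @@ hunk the unchanged context line "First, configure a NTP subnet including one or more" should read "an NTP subnet"; it sits two lines above the edited sentence and is worth correcting in the same markup pass.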
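Review bot: in the @@ -410,8 +420,14 @@ hunk the added line `. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , ...` puts a space between the control character and the macro name, unlike every other macro line in the file; write `.Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,` so the formatter treats it as the `Cm` macro rather than relying on lenient parsing. Moving the scheme list out of the SYNOPSIS into this option description is otherwise the right call.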
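Review bot: in the @@ -530,7 +548,8 @@ hunk the rewritten line `+Following hte heard the keys are` preserves two typos, `hte heard` for `the header`; since the line is being replaced anyway, emit `Following the header, the keys are` so the symmetric key file format description reads correctly.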