[ntp:hackers] SHA1 for symmetric keys?

Miroslav Lichvar mlichvar at redhat.com
Thu Dec 10 06:55:41 UTC 2015

On Wed, Dec 09, 2015 at 10:18:11PM -0500, brian utterback wrote:
> Does ntpd support SHA1 for symmetric keys? Looking at the docs it
> suggests that the ntp.keys file should be generated with ntp-keygen
> rather than by manual editing. Running ntp-keygen creates a file with
> both MD5 and SHA1 keys, but when I try to use them ntpd says "invalid
> key type" for all of the SHA1 keys. Not to mention I never heard anyone
> say not to edit the ntp.keys file by hand. Am I misunderstanding the
> whole thing?

ntpd supports SHA1 keys when it's compiled with OpenSSL support. Keys
can be generated by ntp-keygen or they can be created manually, but be
sure they are long and random enough. These days, when GPUs can
brute-force billions of SHA1 keys per second, a random key using only 8
alphanumeric characters could be found in a few hours or days.

Miroslav Lichvar
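
An added example, not part of the original message or of ntpd: a small audit that reads ntp.keys-style lines and flags keys whose search space is small enough for the brute-force rate mentioned above. Assumptions: lines have the form `id type key`, keys longer than 20 characters are hex strings, and the guess rate, threshold and sample keys are constructed for illustration.

```python
import math
import string

GUESSES_PER_SEC = 1e9   # assumption: low end of "billions per second" from the post
MIN_BITS = 80           # assumption: illustrative threshold, not an ntpd rule

def keyspace_bits(key):
    """Upper bound on the search space (in bits) if the key is uniformly random."""
    # Assumption: keys longer than 20 characters are read as hex strings.
    if len(key) > 20 and all(c in string.hexdigits for c in key):
        return 4.0 * len(key)
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    # Alphabet size = sum of the character classes the key actually draws from.
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in key))
    return len(key) * math.log2(alphabet) if alphabet else 0.0

def audit(text):
    """Return (key_id, type, bits, worst-case search hours) for each weak key."""
    weak = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 3:
            continue
        key_id, key_type, key = fields[:3]
        bits = keyspace_bits(key)
        if bits < MIN_BITS:
            hours = 2 ** bits / GUESSES_PER_SEC / 3600
            weak.append((int(key_id), key_type, round(bits, 1), round(hours, 1)))
    return weak

# Constructed sample input, not real keys.
SAMPLE = """\
# constructed example keys file
1 SHA1 a7Bq93Zk
2 SHA1 0123456789abcdef0123456789abcdef01234567
3 MD5  Tr!9x(Lq2@vB7%mZ4&pE
"""

if __name__ == "__main__":
    for key_id, key_type, bits, hours in audit(SAMPLE):
        print(f"key {key_id} ({key_type}): ~{bits} bits, "
              f"exhausted in <= {hours} h at {GUESSES_PER_SEC:.0e} guesses/s")
```

The estimate is an upper bound: a key that was typed by hand rather than drawn from a random source has less entropy than its length and alphabet suggest.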
