[ntp:questions] Generating keys for ntpdc control

Steve Kostecke kostecke at ntp.org
Thu Jul 3 12:39:15 UTC 2008

On 2008-07-03, Bob <bobsjunkmail at bellsouth.net> wrote:

> I'm getting closer... you actually put the key data in a file that you
> point to. OK... how do I generate the keys? For example, I tried the
> below (of course, the keys listed have been erased...) and which file
> do I use the contents of as key material, how much do I use (just the
> data and no headers), and do I have to do it all on one line per key?
> Thanks for the help on this. I've searched for detailed info without
> success.

You're making this more complicated than it needs to be.

As Martin stated previously, the keys file is just a list of keyids
and passwords. You can populate this file yourself using your preferred
passwords, or you may use ntp-keygen to generate the passwords, or some
combination of both.

You may create the manually populated keys file with your favorite
editor and generate the passwords in your preferred manner. The contents
of a manually populated keys file look like this:


1 M a_password
2 M another_password
5 M is_right_out
42 M themeaningoflife
255 M yet_another_password


If you wish to use ntp-keygen to create the keys file, run the following
command in the directory where you wish to store the file:

ntp-keygen -M

The contents of the file generated in this way will look similar to:


# ntpkey_MD5key_stasis.3424023800
# Wed Jul  2 17:43:20 2008

 1 MD5  F<=\Q>+xuk:bMHO # MD5 key


16 MD5  uWk>srQSIw0d=0N # MD5 key


To use symmetric keys you must configure them in ntp.conf (we'll use the
keyids shown above):

Tell ntpd where to find the keys file with:

	keys    /etc/ntp.keys

Tell ntpd which keys in that file to trust with:

	trustedkey 1 2 42 255

Tell ntpd which keys may be used to authenticate time service with:

	requestkey 1 2 255

Tell ntpd which keys may be used to authenticate remote configuration with:

	controlkey 42

Please note that the 'nomodify' restriction overrides the symmetric keys
configuration. So hosts/sub-nets which are covered by 'nomodify' will
not be able to remotely configure ntpd even if they know the right
keyids and passwords.
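
Added example, not part of the original post: a small consistency check that reads a keys file and the ntp.conf directives shown above and reports key IDs that are referenced but not defined, or used for requestkey/controlkey without being listed in trustedkey. The sample texts are constructed from the post's listings, the function names are hypothetical, and the trustedkey check assumes the post's layout, where every request and control key is also trusted.

```python
# Added example: cross-check ntp.conf key directives against a keys file.
KEYS_TEXT = """\
# constructed sample, same layout as the hand-written file in the post
1 M a_password
2 M another_password
5 M is_right_out
42 M themeaningoflife
255 M yet_another_password
"""

CONF_TEXT = """\
keys    /etc/ntp.keys
trustedkey 1 2 42 255
requestkey 1 2 255
controlkey 42
"""

def parse_keys(text):
    """Return {keyid: keytype} from keys-file text; '#' lines are comments."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        # A key line is "keyid type key [# comment]"; skip everything else.
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        keys[int(fields[0])] = fields[1]
    return keys

def parse_conf(text):
    """Collect the key IDs named by each key directive in ntp.conf text."""
    ids = {"trustedkey": set(), "requestkey": set(), "controlkey": set()}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in ids:
            ids[fields[0]].update(int(f) for f in fields[1:] if f.isdigit())
    return ids

def check(keys_text, conf_text):
    """Return a sorted list of problems; an empty list means consistent."""
    keys, conf = parse_keys(keys_text), parse_conf(conf_text)
    problems = []
    for directive, wanted in conf.items():
        for keyid in sorted(wanted):
            if keyid not in keys:
                problems.append(f"{directive} {keyid}: not in keys file")
            elif directive != "trustedkey" and keyid not in conf["trustedkey"]:
                problems.append(f"{directive} {keyid}: not listed in trustedkey")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check(KEYS_TEXT, CONF_TEXT) or ["consistent"]:
        print(problem)
```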

