[ntp:questions] Generating keys for ntpdc control

David L. Mills mills at udel.edu
Fri Jul 4 21:25:52 UTC 2008


Steve,

When I wrote the ntp-keygen page I was mostly concerned to demystify the 
autokey files; a casual reader could well drown before figuring out all 
that is needed is the -M option. I put a note to that effect on the page.

Dave

Steve Kostecke wrote:

> On 2008-07-03, Bob <bobsjunkmail at bellsouth.net> wrote:
> 
> 
>>I'm getting closer... you actually put the key data in a file that you
>>point to. OK... how do I generate the keys? For example, I tried the
>>below (of course, the keys listed have been erased...) and which file
>>do I use the contents of as key material, how much do I use (just the
>>data and no headers), and do I have to do it all on one line per key?
>>Thanks for the help on this. I've searched for detailed info without
>>success.
> 
> 
> You're making this more complicated than it needs to be.
> 
> As Martin stated previously, the keys file is just a list of keyids
> and passwords. You can populate this file yourself using your preferred
> passwords, or you may use ntp-keygen to generate the passwords, or some
> combination of both.
> 
> You may create the manually populated keys file with your favorite
> editor and generate the passwords in your preferred manner. The contents
> of a manually populated keys file look like this:
> 
> -------------------------8X-------------------------
> 
> 1 M a_password
> 2 M another_password
> 5 M is_right_out
> 42 M themeaningoflife
> 255 M yet_another_password
> 
> -------------------------8X-------------------------
> 
> If you wish to use ntp-keygen to create the keys file run the following
> command in the directory where you wish to store the file:
> 
> ntp-keygen -M
> 
> The contents of the file generated in this way will look similar to:
> 
> -------------------------8X-------------------------
> 
> # ntpkey_MD5key_stasis.3424023800
> # Wed Jul  2 17:43:20 2008
> 
>  1 MD5  F<=\Q>+xuk:bMHO # MD5 key
> 
> [snip]
> 
> 16 MD5  uWk>srQSIw0d=0N # MD5 key
> 
> -------------------------8X-------------------------
> 
> To use symmetric keys you must configure them in ntp.conf (we'll use the
> keyids shown above):
> 
> Tell ntpd where to find the keys file with:
> 
> 	keys    /etc/ntp.keys
> 
> Tell ntpd which keys in that file to trust with:
> 
> 	trustedkey 1 2 42 255
> 
> Tell ntpd which keys may be used to authenticate time service with:
> 
> 	requestkey 1 2 255
> 
> Tell ntpd which keys may be used to authenticate remote configuration
> with:
> 
> 	controlkey 42
> 
> Please note that the 'nomodify' restriction overrides the symmetric keys
> configuration. So hosts/sub-nets which are covered by 'nomodify' will
> not be able to remotely configure ntpd even if they know the right
> keyids and passwords.
> 
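
A cross-check of the keys file against the ntp.conf key directives described in the message above, as an added example that is not part of the original thread and not code from the NTP project. The function names and the sample strings are constructed for illustration; it assumes keyids are written as plain integers, as they are in the message, and it never echoes a password.

```python
# Added example: constructed sample input mirroring the hand-written
# keys file and the ntp.conf lines quoted in the message.
KEYS_TEXT = """\
1 M a_password
2 M another_password
5 M is_right_out
42 M themeaningoflife
255 M yet_another_password
"""
CONF_TEXT = """\
keys /etc/ntp.keys
trustedkey 1 2 42 255
requestkey 1 2 255
controlkey 42
"""

def parse_keys(text):
    """Return {keyid: key_type} for each 'keyid type password' line."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment/header line
            continue
        fields = line.split(None, 2)           # password is parsed but not kept
        if len(fields) < 3 or not fields[0].isdigit():
            raise ValueError("malformed key line (content withheld)")
        keys[int(fields[0])] = fields[1]
    return keys

def parse_conf(text):
    """Return {directive: [keyids]} for the three key-selection directives."""
    refs = {"trustedkey": [], "requestkey": [], "controlkey": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] in refs:
            refs[fields[0]] += [int(f) for f in fields[1:] if f.isdigit()]
    return refs

def audit(keys_text, conf_text):
    """List keyids referenced but undefined, then defined but unreferenced."""
    keys, refs = parse_keys(keys_text), parse_conf(conf_text)
    findings = [f"{d} {k}: not defined in keys file"
                for d, ids in refs.items() for k in ids if k not in keys]
    used = {k for ids in refs.values() for k in ids}
    findings += [f"key {k}: defined but not referenced in ntp.conf"
                 for k in sorted(set(keys) - used)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(KEYS_TEXT, CONF_TEXT)) or "no findings")
```

On the sample input the only finding is keyid 5, which is present in the keys file but named by none of the three directives.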
