Provided by: ntpsec_1.1.0+dfsg1-1ubuntu0.2_amd64 bug

NAME

       ntpkeygen - create and manage NTP host keys

SYNOPSIS

       ntpkeygen [-M]

DESCRIPTION

       This program generates a file containing keys that can be used in NTP’s symmetric key
       cryptography.

       The program produces a file containing ten pseudo-random printable ASCII strings suitable
       for the MD5 message digest algorithm. It also produces an additional ten hex-encoded
       random bit strings suitable for the SHA1 and other message digest algorithms.

       The keys file must be distributed and stored using secure means beyond the scope of NTP
       itself. The keys can also be used as passwords for the ntpq utility program.

COMMAND LINE OPTIONS

       -M, --md5key
           Dummy option for backward compatibility in old scripts. This program always runs in -M
           mode.

RUNNING THE PROGRAM

       The simplest way to run the ntpkeygen program is logged in directly as root. The
       recommended procedure is to change to the keys directory, usually /etc/ntp/, then run the
       program. Then chown the output file to ntp:ntp. It should be mode 400.

           Warning
           ntpkeygen uses the system randomness source. On a POSIX system this is usually
           /dev/urandom. Immediately after a reboot, on any OS, there may not be sufficient
           entropy available for this program to perform well. Do not run this program from any
           startup scripts. Only run this program on an active host with a lot of available
           entropy.

KEY FILE ACCESS AND LOCATION

       File names begin with the prefix ntpkey and end with the postfix hostname.filestamp, where
       hostname is the owner name, usually the string returned by the Unix gethostname() routine,
       and filestamp is the NTP seconds when the file was generated, in decimal digits.

       ntpkeygen also makes a soft link from ntp.keys to the generated file. ntp.keys is the
       normal file used in ntp.conf.

RANDOM SEED FILE

       All key generation schemes must have means to randomize the entropy seed used to
       initialize the internal pseudo-random number generator used by the library routines.

       It is important to understand that entropy must be evolved for each generation, for
       otherwise the random number sequence would be predictable. Various means dependent on
       external events, such as keystroke intervals, can be used to do this and some systems have
       built-in entropy sources.

       This implementation uses Python’s random.SystemRandom class, which relies on os.urandom().
       The security of os.urandom() is improved in Python 3.5+.

CRYPTOGRAPHIC DATA FILES

       Since the file contains private shared keys, it should be visible only to root or ntp.

       In order to use a shared key, the line to be used must also be setup on the target server.

       This file is also used to authenticate remote configuration commands used by the ntpq(1)
       utility.

       Comments may appear in the file, and are preceded with the # character.

       Following any headers the keys are entered one per line in the format:

       ┌──────┬─────────────────────────────────┐
       │FieldMeaning                         │
       ├──────┼─────────────────────────────────┤
       │      │                                 │
       │keyno │ Positive integer in the range   │
       │      │ 1-65,535                        │
       ├──────┼─────────────────────────────────┤
       │      │                                 │
       │type  │ MD5 or SHA1, type of key        │
       ├──────┼─────────────────────────────────┤
       │      │                                 │
       │key   │ the actual key, printable ASCII │
       │      │ or hex                          │
       └──────┴─────────────────────────────────┘

EXIT STATUS

       One of the following exit values will be returned:

       0 (EXIT_SUCCESS)
           Successful program execution.

       1 (EXIT_FAILURE)
           The operation failed or the command syntax was not valid.