[Git][NTPsec/ntpsec][master] 4 commits: Document that ntpkeygen producses SHA1 keys
Eric S. Raymond
gitlab at mg.gitlab.com
Sat Dec 3 18:24:03 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
94cd3ce2 by Sanjeev Gupta at 2016-12-03T13:23:35-05:00
Document that ntpkeygen producses SHA1 keys
... independent of OpenSSL or need
- - - - -
194cfd88 by Sanjeev Gupta at 2016-12-03T13:23:35-05:00
Remove references to OpenSSL
It is neither used nor required by ntpkeygen
- - - - -
a1e28f6c by Sanjeev Gupta at 2016-12-03T13:23:35-05:00
Document Python random generator, and range
- - - - -
9c31631e by Sanjeev Gupta at 2016-12-03T13:23:35-05:00
Document the format of the ntp.keys file
- - - - -
1 changed file:
- docs/includes/ntpkeygen-body.txt
Changes:
=====================================
docs/includes/ntpkeygen-body.txt
=====================================
--- a/docs/includes/ntpkeygen-body.txt
+++ b/docs/includes/ntpkeygen-body.txt
@@ -10,18 +10,17 @@
[[descrip]]
== Description ==
-This program generates the MD5 message digest keys used in NTP's symmetric
-key cryptography.
+This program generates the keys used in NTP's symmetric key
+cryptography.
The program produces a file containing ten pseudo-random printable
ASCII strings suitable for the MD5 message digest algorithm included
-in the distribution. If the OpenSSL library is installed, it produces
-an additional ten hex-encoded random bit strings suitable for the SHA1
-and other message digest algorithms. The message digest keys file must
-be distributed and stored using secure means beyond the scope of NTP
-itself. Besides the keys used for ordinary NTP associations,
-additional keys can be defined as passwords for the
-link:ntpq.html[+ntpq+] utility program.
+in the distribution. It also produces an additional ten hex-encoded
+random bit strings suitable for the SHA1 and other message digest
+algorithms. The message digest keys file must be distributed and
+stored using secure means beyond the scope of NTP itself. Besides
+the keys used for ordinary NTP associations, additional keys can be
+defined as passwords for the link:ntpq.html[+ntpq+] utility program.
[[cmd]]
== Command Line Options ==
@@ -37,13 +36,6 @@ The safest way to run the +ntpkeygen+ program is logged in directly as
root. The recommended procedure is change to the keys directory, usually
+/usr/local/etc+, then run the program.
-Running the program as other than root and using the Unix _su_ command
-to assume root may not work properly, since by default the OpenSSL
-library looks for the random seed file +.rnd+ in the user home
-directory. However, there should be only one +.rnd+, most conveniently
-in the root directory, so it is convenient to define the _$RANDFILE_
-environment variable used by the OpenSSL library as the path to +/.rnd+.
-
Installing the keys as root might not work in NFS-mounted shared file
systems, as NFS clients may not be able to write to the shared keys
directory, even as root. In this case, NFS clients can specify the files
@@ -80,38 +72,24 @@ later on this page.
[[random]]
== Random Seed File ==
-All cryptographically sound key generation schemes must have means to
-randomize the entropy seed used to initialize the internal pseudo-random
-number generator used by the library routines. The OpenSSL library uses
-a designated random seed file for this purpose. The file must be
-available when starting the NTP daemon and +ntpkeygen+ program. If a
-site supports OpenSSL or its companion OpenSSH, it is very likely that
-means to do this are already available.
+All key generation schemes must have means to randomize the
+entropy seed used to initialize the internal pseudo-random
+number generator used by the library routines.
It is important to understand that entropy must be evolved for each
generation, for otherwise the random number sequence would be
predictable. Various means dependent on external events, such as
keystroke intervals, can be used to do this and some systems have
-built-in entropy sources. Suitable means are described in the OpenSSL
-software documentation, but are outside the scope of this page.
-
-The entropy seed used by the OpenSSL library is contained in a file,
-usually called +.rnd+, which must be available when starting the NTP
-daemon or the +ntpkeygen+ program. The NTP daemon will first look for
-the file using the path specified by the _randfile_ subcommand of the
-_crypto_ configuration command. If not specified in this way, or when
-starting the +ntpkeygen+ program, the OpenSSL library will look for the
-file using the path specified by the RANDFILE environment variable in
-the user home directory, whether root or some other user. If the
-RANDFILE environment variable is not present, the library will look for
-the +.rnd+ file in the user home directory. If the file is not available
-or cannot be written, the daemon exits with a message to the system log
-and the program exits with a suitable error message.
+built-in entropy sources.
+
+This implementation uses Python's PRNG, seeded with a combination
+of the system time and the current process ID. The core of this
+is based on the Mersenne Twister, with a period of 2^19937^-1.
[[crypto]]
== Cryptographic Data Files ==
-The +ntpkeygen+ program generates a MD5 symmetric keys file
+The +ntpkeygen+ program generates a file of symmetric keys
_ntpkey_MD5key_hostname.filestamp_. Since the file contains private
shared keys, it should be visible only to root and distributed by secure
means to other subnet hosts. The NTP daemon loads the file _ntp.keys_,
@@ -121,12 +99,23 @@ automated means on the other subnet hosts. This file is needed to
authenticate some remote configuration commands used by the {ntpqman}
utility.
-Following the header the keys are entered one per line in the
-format _keyno_ _type_ _key_ where _keyno_ is a positive integer in the
-range 1-65,535, _type_ is the string MD5 defining the key format and
-_key_ is the key itself, which is a printable ASCII string 16 characters
-or less in length. Each character is chosen from the 93 printable
-characters in the range 0x21 through 0x7f excluding space and the ‘#’
-character.
+Comments may appear in the file, and are preceeded with the +#+
+character.
+
+Following any headers the keys are entered one per line in the
+format:
+
+[options="header"]
+|====================================================================
+|Field | Meaning
+|keyno | Positive integer in the range 1-65,535
+|type | MD5 or SHA1 , type of key
+|key | the actual key, printable ASCII
+|====================================================================
+
+// Recheck. The code does not check for ' '. -- Sanjeev 20161203
+// For type MD5, each character is chosen from the 93 printable
+// characters in the range 0x21 through 0x7f excluding space and the ‘#’
+// character.
// end
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/c1d7f81f112b837ba56bc930ed6085802e1d933a...9c31631ec67cd1d86e7e8fcfe7d9e16d7b6e4647
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntpsec.org/pipermail/vc/attachments/20161203/101bdbbe/attachment.html>
More information about the vc
mailing list