[Git][NTPsec/ntpsec][master] 5 commits: Move NTS command documentation to its own section

Gary E. Miller gitlab at mg.gitlab.com
Wed Jun 26 16:48:33 UTC 2019



Gary E. Miller pushed to branch master at NTPsec / ntpsec


Commits:
0a43ddaa by Sanjeev Gupta at 2019-06-18T06:16:05Z
Move NTS command documentation to its own section

Was appended to Authentication commands, which are
about MAC

- - - - -
b8914b05 by Sanjeev Gupta at 2019-06-20T06:04:16Z
Move NTS command documentation to its own section

Was appended to Authentication commands, which are
about MAC

- - - - -
98394279 by Sanjeev Gupta at 2019-06-20T06:05:12Z
Merge branch 'NTSDOC' of gitlab.com:ghane/ntpsec into NTSDOC

- - - - -
af30ee89 by Sanjeev Gupta at 2019-06-26T08:04:41Z
Move NTS command documentation to its own section

Was appended to Authentication commands, which are
about MAC

- - - - -
45596db7 by Sanjeev Gupta at 2019-06-26T08:05:26Z
Merge branch 'NTSDOC' of gitlab.com:ghane/ntpsec into NTSDOC

- - - - -


4 changed files:

- docs/includes/assoc-commands.adoc
- docs/includes/auth-commands.adoc
- docs/includes/ntp-conf-body.adoc
- docs/ntp_conf.adoc


Changes:

=====================================
docs/includes/assoc-commands.adoc
=====================================
@@ -14,7 +14,7 @@ link-local IPV6 address with an interface specified in
 +peer+ _address_ [+key+ _key_] [+version+ _version_] [+prefer+] [+minpoll+ _minpoll_] [+maxpoll+ _maxpoll_]
 
 +unpeer+ ['address' | 'associd' | +clock+ 'clocktype' [ +unit+ 'unitnum']]::
-  These six commands specify the time server name or address to be
+  These four commands specify the time server name or address to be
   used and the mode in which to operate. The _address_ can be either a
   DNS name or an IP address in dotted-quad notation.  If it is a
   refclock, it can be +clock+ followed by a type-unit pair as in the
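Review bot: the count change from "six" to "four" on the `unpeer` description is unrelated to the commit's stated purpose (moving the NTS documentation) and nothing in this hunk shows which commands were dropped from the list above it; the visible context only covers `peer` and `unpeer`. Check the new count against the full synopsis list at the top of assoc-commands.adoc, and either mention the correction in the commit message or put it in its own commit so the history explains it.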


=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -32,128 +32,4 @@ although different keys can be used with different servers.
 The _key_ arguments are 32-bit unsigned integers with values from 1 to
 65,535.
 
-The following command controls NTS authentication. It overrides
-normal TLS protocol negotiation, which is not usually necessary.
-
-[[nts]]
-+nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphers+ _name_] [+tlsciphersuites+ _name_]
-
-The options are as follows:
-
-+cert+ _file_::
-  Present the certificate in _file_ as our certificate.
-
-+key+ _file_::
-  Read the private key to our certificate from _file_.
-
-+ca+ _location_::
-  Use the file, or directory, specified by _location_ to
-  validate NTS-KE server certificates instead of the system
-  default root certificates.  If a directory is specified, it
-  must have files named with their hash, as created by
-  +openssl rehash+.
-
-+cookie+ _location_::
-  Use the file (or directory) specified by _location_ to
-  store the keys used to make and decode cookies.  The default
-  is _/var/lib/ntp/nts-keys_.
-
-+enable+::
-  Enable NTS-KE server.
-  When enabled, _cert_ and _key_ are required.
-
-+disable+::
-  Disable NTS-KE server.
-
-+mintls+ _string_::
-  Set the lowest allowable TLS version to negotiate. Will be useful in
-  the wake of a TLS compromise.  Reasonable values are _TLS1.2_ and
-  _TLS1.3_ if your system supports it.  TLS 1.3 was first supported in
-  OpenSSL version 1.1.1.
-
-+maxtls+ _string_::
-  Set the highest allowable TLS version to negotiate. By setting
-  +mintls+ and +maxtls+ equal, you can force the TLS version for
-  testing. Format is as for +mintls+.
-
-// https://crypto.stackexchange.com/questions/8964/sending-tls-messages-with-out-encryption-using-openssl-code
-+tlsciphers+ _string_::
-   An OpenSSL cipher list to configure the allowed ciphers for TLS
-   versions up to and including TLS 1.2. A single NULL cipher disables
-   encryption and use of certificates.
-
-+tlsciphersuites+ _string_::
-   An OpenSSL ciphersuite list to configure the allowed ciphersuites for
-   TLS 1.3.  A single NULL cipher disables encryption and use of certificates.
-
-+aead+ _string_::
-   Specify the crypto algorithm to be used on the wire.  The choices
-   come from RFC 5297.  The only options supported are AES_SIV_CMAC_256,
-   AES_SIV_CMAC_384, and AES_SIV_CMAC_512.  This slot is dual use.
-   It is the server default if the remote client doesn't request a
-   valid choice and it is also the preference passed to the
-   remote client if the server command doesn't specify a preference.
-   The default is AES_SIV_CMAC_256.
-
-The following options of the +server+ command configure NTS.
-
-+nts+::
-  Use Network Time Security (NTS) for authentication.  Normally,
-  this is all you have to do to activate the client side of NTS.
-  +
-  The hostname following the +server+ command is used as the address
-  of the NTS key exchange server (NTS-KE) rather than the address
-  of a NTP server.  The NTS-KE exchange defaults to using the same
-  IP address for the NTP server.
-  +
-  Note that the +server+ hostname must match the name on the NTS-KE
-  server's certificate.
-
-+ask+ _address_:: (not implemented)
-  Use Network Time Security for authentication.  Ask
-  for a specific NTP server, which may differ from the NTS server.
-  Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
-  a URI: that is, the _address_ may be a hostname, an FQDN, an IPv4
-  numeric address, or an IPv6 numeric address (in square brackets).
-  The address may have the suffix +:port+ to specify a UDP port.
-
-+require+ _address_:: (not implemented)
-  Use Network Time Security for authentication and encryption.
-  Require a specific NTP server, which may differ from the NTS server.
-  Address syntax is as for +ask+.
-
-+noval+::
-  Do not validate the server certificate.
-
-+expire+:: (not implemented)
-  How long to use a secured NTP association before rekeying with the
-  NTS-KE server.
-
-+cert+ _file_:: (not implemented)
-  Present the certificate in _file_ as our client certificate,
-  overriding the site default.
-
-+ca+ _location_::
-  Use the file, or directory, specified by _location_ to validate the
-  NTS-KE server certificate, overriding the site default.  Do not use
-  any other CA.  If a directory is specified, it must have files named
-  with their hash, as created by +openssl rehash+.
-
-+aead+ _string_::
-  Specify the prefered crypto algorithm to be used on the wire.
-  The only options supported are AES_SIV_CMAC_256, AES_SIV_CMAC_384, and
-  AES_SIV_CMAC_512.  The server may ignore the request.  See the _aead_
-  option above.
-  +
-  The same _aead_ algorithms are also used to encrypt cookies.
-  The default is AES_SIV_CMAC_256.  There is no config file option to
-  change it, but you can change it by editing the saved cookie key
-  file, probably +/var/lib/ntp/nts-keys+.  Adjust the _L:_ slot to be
-  48 or 64 and adjust the _I:_ slots to have the right number of bytes.
-  Then restart the server.  (All old cookies held by clients will be
-  rejected so their next 8 NTP requests will be ignored.  They should
-  recover by retrying NTS-KE to get fresh cookies.)
-
-
-
 // end
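Review bot: the block deleted here carries defects that should not be copied unchanged into the new NTS section. The `ask` option cites "RFC 3896 section 3.2.2" for the Host part of a URI; the URI generic-syntax specification whose section 3.2.2 defines Host is RFC 3986. "prefered" in the client-side `aead` description should be "preferred". The `+nts+` synopsis line lists only `enable|disable`, `mintls`, `maxtls`, `tlsciphers` and `tlsciphersuites`, while the option list below it also documents `cert`, `key`, `ca`, `cookie` and `aead`, so the synopsis should be brought in line with the options it introduces. Since NTS-KE is the exchange in which the client obtains the keys and cookies it later authenticates with, the `noval` option and the "single NULL cipher disables encryption and use of certificates" remarks under `tlsciphers`/`tlsciphersuites` deserve an explicit warning that they leave the key exchange open to an on-path attacker and are for testing only. In the unchanged context above the deletion, `_key_` values "from 1 to 65,535" are described as 32-bit unsigned integers; that range fits in 16 bits, so one of the two statements is wrong.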


=====================================
docs/includes/ntp-conf-body.adoc
=====================================
@@ -38,6 +38,7 @@ there are sections describing the following supported functionality and
 the options used to control it:
 
 * Authentication Support
+* NTS Support
 * Monitoring Support
 * Access Control Support
 * Automatic NTP Configuration Options
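Review bot: the new list entry reads "NTS Support", but what this change adds further down in the same file is a level-3 `=== NTS Commands` heading rather than a level-2 section like the "Monitoring Support" and "Access Control Support" entries that share this list. Either add a `== NTS Support` section (with its own explicit anchor, as `[[monit]]` does for Monitoring Support) that contains the commands include, or rename the list entry so it matches the heading that actually exists.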
@@ -82,6 +83,10 @@ include::../includes/assoc-auxcommands.adoc[]
 
 include::../includes/auth-commands.adoc[]
 
+=== NTS Commands
+
+include::../includes/nts-commands.adoc[]
+
 [[monit]]
 == Monitoring Support
 
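Review bot: `include::../includes/nts-commands.adoc[]` references a file that does not appear in this push's changed-files list (only assoc-commands.adoc, auth-commands.adoc, ntp-conf-body.adoc and ntp_conf.adoc are listed), so unless it landed in an earlier push the build will report an unresolved include and the NTS text removed from auth-commands.adoc drops out of the manual entirely. Please confirm the file is committed, and note that `=== NTS Commands` sits between the Authentication Commands include and `== Monitoring Support`, which nests it under Authentication Support in the rendered document.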


=====================================
docs/ntp_conf.adoc
=====================================
@@ -20,6 +20,7 @@ include::includes/manual.adoc[]
 * link:#_description[DESCRIPTION]
 * link:#_configuration_support[Configuration Support]
 * link:#_authentication_commands[Authentication Commands]
+* link:#_nts_commands[NTS Commands]
 * link:#monit[Monitoring Support]
 * link:#_access_control_support[Access Control Support]
 * link:#_access_control_commands[Access Control Commands]
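Review bot: `link:#_nts_commands` depends on Asciidoctor's auto-generated id for the `=== NTS Commands` heading, so any later rewording of that heading silently breaks this table-of-contents entry, whereas the `link:#monit` entry uses an explicit `[[monit]]` anchor. Give the new section an explicit id and link to that instead; since the moved text already uses `[[nts]]` on the `nts` command itself, the section needs a different name to avoid a duplicate anchor.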



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/3b23756a75cd8d5889220947bb5605a271926b47...45596db716ebbb0a8d5587b45547d95b20776292


