The NTP standard specifies an extension which provides cryptographic authentication of received NTP packets. This is implemented in xntpd using the DES or MD5 algorithms to compute a digital signature, or message digest. The specification allows any one of possibly 4 billion keys, numbered with 32-bit key identifiers, to be used to authenticate an association. The servers involved in an association must agree on the key and key identifier used to authenticate their messages.
Keys and related information are specified in a key file, which should be exchanged and stored using secure procedures beyond the scope of the protocol. There are three classes of keys involved in the current implementation. One class is used for ordinary NTP associations, another for the ntpq utility program and the third for the xntpdc utility program.
keys keyfile
    Specifies the file containing the keys and key identifiers used by xntpd, ntpq and xntpdc when operating in authenticated mode. The format of this file is described later in this document.
trustedkey key [ ... ]
    Specifies the key identifiers that are trusted for authentication. The key arguments are 32-bit unsigned integers. Note that NTP key 0 is fixed and globally known. If meaningful authentication is to be performed, the 0 key should not be trusted.
requestkey key
    Specifies the key identifier used to authenticate requests from the xntpdc program, which uses a proprietary protocol specific to this implementation of xntpd. This program is useful to diagnose and repair problems that affect xntpd operation. The key argument to this command is a 32-bit unsigned integer. If no requestkey command is included in the configuration file, or if the keys don't match, such requests will be ignored.
controlkey key
    Specifies the key identifier used to authenticate requests from the ntpq program, which uses the standard protocol defined in RFC-1305. This program is useful to diagnose and repair problems that affect xntpd operation. The key argument to this command is a 32-bit unsigned integer. If no controlkey command is included in the configuration file, or if the keys don't match, such requests will be ignored.
authdelay delay
    Specifies the processing delay of the authentication procedure. A value appropriate to the host can be measured with the authspeed program included with the distribution.
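The following Python script is an added example; it is not code from the original page or from the xntpd distribution. It parses the authentication statements described above from a constructed configuration fragment and checks them against the rules the text states: key identifiers must be 32-bit unsigned integers, key 0 must not be trusted, and requestkey and controlkey each take a single identifier. The further expectation that the request and control keys also appear in the trustedkey list is an assumption of this example, not something the text states, and the file name, key numbers and delay value are constructed.

```python
from typing import Dict, List

# Constructed fragment of an xntpd configuration file (example data, not
# from the original page).  '#' starts a comment, as in the configuration file.
GOOD_CONF = """\
# authentication statements
keys /etc/ntp.keys
trustedkey 1 2 3 4
requestkey 3          # key used to authenticate xntpdc requests
controlkey 4          # key used to authenticate ntpq requests
authdelay 0.000094    # constructed value; measure it with authspeed
"""

# Constructed fragment that breaks several of the rules stated in the text.
BAD_CONF = """\
trustedkey 0 1
requestkey 4294967296
controlkey 7 8
"""

MAX_KEYID = 2**32 - 1   # key identifiers are 32-bit unsigned integers
AUTH_STATEMENTS = {"keys", "trustedkey", "requestkey", "controlkey", "authdelay"}


def parse_auth_statements(text: str) -> Dict[str, List[List[str]]]:
    """Collect the authentication statements from a configuration fragment.

    Returns {statement: [argument-list, ...]}, one argument list per
    occurrence.  Statements outside AUTH_STATEMENTS are ignored.
    """
    found: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in AUTH_STATEMENTS:
            found.setdefault(words[0], []).append(words[1:])
    return found


def _keyid(word: str) -> int:
    """Parse one key identifier; reject anything that is not a 32-bit unsigned integer."""
    if not word.isdigit() or int(word) > MAX_KEYID:
        raise ValueError(f"key identifier {word!r} is not a 32-bit unsigned integer")
    return int(word)


def check_auth_config(text: str) -> List[str]:
    """Return the problems found in the fragment (an empty list means it is consistent)."""
    stmts = parse_auth_statements(text)
    problems: List[str] = []
    if not stmts:
        return problems                      # no authentication configured at all
    if "keys" not in stmts:
        problems.append("no 'keys' statement: authenticated mode has no key file")

    # trustedkey: one or more identifiers; key 0 is fixed and globally known
    trusted = set()
    for args in stmts.get("trustedkey", []):
        for word in args:
            try:
                kid = _keyid(word)
            except ValueError as err:
                problems.append(f"trustedkey: {err}")
                continue
            if kid == 0:
                problems.append("trustedkey: key 0 is fixed and globally known; do not trust it")
            trusted.add(kid)

    # requestkey (xntpdc) and controlkey (ntpq): exactly one identifier each;
    # without the statement such requests are ignored by xntpd
    for name, client in (("requestkey", "xntpdc"), ("controlkey", "ntpq")):
        occurrences = stmts.get(name, [])
        if not occurrences:
            problems.append(f"no '{name}' statement: {client} requests will be ignored")
            continue
        for args in occurrences:
            if len(args) != 1:
                problems.append(f"{name}: expected exactly one key identifier, got {args}")
                continue
            try:
                kid = _keyid(args[0])
            except ValueError as err:
                problems.append(f"{name}: {err}")
                continue
            # Assumption of this example (not stated on the page): the request
            # and control keys are expected to be listed in trustedkey too.
            if kid not in trusted:
                problems.append(f"{name}: key {kid} is not listed in trustedkey")

    # authdelay: a single non-negative number
    for args in stmts.get("authdelay", []):
        try:
            if len(args) != 1 or float(args[0]) < 0:
                raise ValueError
        except ValueError:
            problems.append(f"authdelay: expected one non-negative delay, got {args}")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_auth_config(conf) or "ok")
```

Running the script reports no problems for the first fragment and four for the second: the missing keys statement, trust placed in key 0, a requestkey identifier that does not fit in 32 bits, and a controlkey statement with two identifiers.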
In the case of DES, the keys are 56 bits long with, depending on type, a parity check on each byte. In the case of MD5, the keys are 64 bits (8 bytes). xntpd reads its keys from a file specified using the -k command line option or the keys statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, one or more of the keys numbered 1 through 15 may be arbitrarily set in the keys file.
The key file uses the same comment conventions as the configuration file. Key entries use a fixed format of the form

    keyno type key

where keyno is a positive integer, type is a single character which defines the key format, and key is the key itself.
The key may be given in one of three different formats, controlled by the type character. The three key types, and corresponding formats, are listed following.

S
    The key is a 64-bit hexadecimal number in DES standard format: the high-order seven bits of each octet form the 56-bit key, and the low-order bit of each octet is set so that the octet has odd parity. Leading zeros must be given, so the key is exactly 16 hexadecimal digits. The zero key in this format is written 0101010101010101.

N
    The key is a 64-bit hexadecimal number in NTP format. This is the DES format with each octet rotated one bit right, so that the parity bit is the high-order bit of the octet. Leading zeros must be given and odd parity must be maintained. The zero key in this format is written 8080808080808080.

A
    The key is a 1-to-8 character ASCII string from which a DES key is formed.

M
    The key is a 1-to-8 character ASCII string used with the MD5 authentication scheme.
Note that the keys used by the ntpq and xntpdc programs are checked against passwords requested by the programs and entered by hand, so it is generally appropriate to specify these keys in ASCII format.
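As an added example, not from the original page or the xntpd sources, the Python below parses a constructed key file in the keyno type key format described above, checks each entry against the stated rules (positive key number, exactly 16 hexadecimal digits with odd parity per octet for the DES formats, 1 to 8 ASCII characters for the A and M types), and shows how the S and N formats relate: rotating each octet one bit right turns the S-format zero key 0101010101010101 into the N-format zero key 8080808080808080, and stripping the parity bits from either form recovers the same 56-bit key. The sample entries and the function names are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Constructed sample key file (example data, not from the original page).
# It follows the configuration-file comment convention and "keyno type key" entries.
SAMPLE_KEYS = """\
# The NTP zero key in both DES hexadecimal formats, stored under two key numbers
1 S 0101010101010101    # DES standard format: parity in the low-order bit
2 N 8080808080808080    # NTP format: parity in the high-order bit
3 A xntpdc1             # DES key given as ASCII (xntpdc password)
4 M ntpqpass            # MD5 key given as ASCII (ntpq password)
# Entries that violate the format rules:
5 S 0001010101010101    # first octet 0x00 has even parity
6 S 101010101010101     # only 15 hex digits: a leading zero was omitted
7 M toolongpassword     # more than 8 characters
0 S 0101010101010101    # keyno must be a positive integer
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def odd_parity(octet: int) -> bool:
    """True when the octet has an odd number of 1 bits (the DES key parity rule)."""
    return bin(octet).count("1") % 2 == 1


def s_to_n(key: bytes) -> bytes:
    """DES standard (S) format to NTP (N) format: rotate each octet one bit right."""
    return bytes(((b >> 1) | ((b & 1) << 7)) for b in key)


def n_to_s(key: bytes) -> bytes:
    """Inverse of s_to_n: rotate each octet one bit left."""
    return bytes((((b << 1) & 0xFF) | (b >> 7)) for b in key)


def des56(key: bytes, fmt: str) -> int:
    """The 56-bit key carried by an S- or N-format key, with the parity bits stripped."""
    value = 0
    for b in key:
        seven = (b >> 1) if fmt == "S" else (b & 0x7F)   # N keeps parity in the high bit
        value = (value << 7) | seven
    return value


def check_entry(keyno: str, ktype: str, key: str) -> List[str]:
    """Validate one key file entry; return the problems found (empty list if valid)."""
    problems: List[str] = []
    if not keyno.isdigit() or int(keyno) == 0:
        problems.append("keyno must be a positive integer")
    if ktype in ("S", "N"):
        if len(key) != 16 or any(c not in HEX_DIGITS for c in key):
            problems.append("DES key must be exactly 16 hex digits (leading zeros included)")
        else:
            for i, b in enumerate(bytes.fromhex(key)):
                if not odd_parity(b):
                    problems.append(f"octet {i} (0x{b:02x}) has even parity")
    elif ktype in ("A", "M"):
        if not 1 <= len(key) <= 8 or not key.isascii():
            problems.append("ASCII key must be 1 to 8 ASCII characters")
    else:
        problems.append(f"unknown key type {ktype!r}")
    return problems


def parse_keyfile(text: str) -> Tuple[Dict[int, Tuple[str, str]], List[str]]:
    """Parse a key file into ({keyno: (type, key)}, ["line N: problem", ...]).

    Invalid entries are reported and left out of the returned key table.
    """
    keys: Dict[int, Tuple[str, str]] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comment convention of the config file
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            problems.append(f"line {lineno}: expected 'keyno type key', got {line!r}")
            continue
        keyno, ktype, key = fields
        entry_problems = check_entry(keyno, ktype, key)
        if entry_problems:
            problems.extend(f"line {lineno}: {p}" for p in entry_problems)
            continue
        keys[int(keyno)] = (ktype, key)
    return keys, problems


if __name__ == "__main__":
    table, found = parse_keyfile(SAMPLE_KEYS)
    print("accepted:", table)
    print("rejected:", *found, sep="\n  ")
    zero_s = bytes.fromhex("0101010101010101")
    print("S zero key as N:", s_to_n(zero_s).hex())            # 8080808080808080
    print("56-bit key:", des56(zero_s, "S"), des56(s_to_n(zero_s), "N"))   # 0 0
```

Because this parser applies the configuration-file comment convention to the key file, an A or M key containing a '#' character would be cut short here; the text does not say how xntpd itself treats such a key, so the example simply inherits that convention.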