Illustration from Alice’s Adventures in Wonderland, Lewis Carroll: our resident cryptographer; now you see him, now you don’t.

2. Commands and Options

Unless noted otherwise, further information about these commands is on the Authentication Support page.

The following declarations control MAC authentication:

controlkey key

Specifies the key identifier to use with the ntpq(1) utility, which uses the standard protocol defined in RFC 5905. The key argument is the key identifier for a trusted key, where the value can be in the range 1 to 65,535, inclusive.

keys keyfile

Specifies the complete path and location of the key file containing the keys and key identifiers used by ntpd(8) and ntpq(1) when operating with symmetric-key cryptography. This is the same operation as the -k command line option.

trustedkey key…

Specifies the key identifiers which are trusted for the purposes of authenticating peers with symmetric key cryptography, as well as keys used by the ntpq(1) program. Multiple keys on the same line should be separated by spaces. Key ranges can be specified as (first … last). The spaces around the … are necessary. Multiple trustedkey lines are supported and trusted keys can also be specified on the command line.

The MAC authentication procedures require that both the local and remote servers share the same key and key identifier for this purpose, although different keys can be used with different servers. The key arguments are 32-bit unsigned integers with values from 1 to 65,535.

The following command controls NTS authentication. It can override the normal TLS protocol negotiation, which is not usually necessary.

nts [enable|disable] [mintls version] [maxtls version] [tlsciphers name] [tlsciphersuites name]

The options are as follows:

cert file

Present the certificate in file as our certificate.

key file

Read the private key to our certificate from file.

ca location

Use the file (or directory) specified by location to validate NTS-KE server certificates instead of the system default root certificates.

enable

Enable NTS-KE server. The default.

disable

Disable NTS-KE server.

mintls string

Set the lowest allowable TLS version to negotiate. This will be useful in the wake of a TLS compromise. Reasonable values are TLS1.2 and TLS1.3, if your system supports it. TLS1.3 was first supported in OpenSSL version 1.1.1.

maxtls string

Set the highest allowable TLS version to negotiate. By setting mintls and maxtls equal, you can force the TLS version for testing.

tlsciphers string

An OpenSSL cipher list to configure the allowed ciphers for TLS versions up to and including TLS 1.2. A single NULL cipher disables encryption and use of certificates.

tlsciphersuites string

An OpenSSL ciphersuite list to configure the allowed ciphersuites for TLS 1.3. A single NULL cipher disables encryption and use of certificates.

The following options of the server command configure NTS.

nts

Use Network Time Security for authentication and encryption. Request key exchange from the NTP server. If there is an NTS key service running on the same host as the NTP server, adding this option is normally all you need to do.

Note that the server name must match the name on the certificate. That is probably an FQDN rather than the short alias you would normally use to talk to an internal server.

ask address

Use Network Time Security for authentication and encryption. Ask for a specific NTS server, which may differ from the NTP server. Conforms to the RFC 3896 section 3.2.2 prescription for the Host part of a URI: that is, the address may be a hostname, an FQDN, an IPv4 numeric address, or an IPv6 numeric address (in square brackets). The address may have the suffix :port to specify a UDP port.

require address

Use Network Time Security for authentication and encryption. Require a specific NTS server, which may differ from the NTP server. Address syntax is as for ask.

noval

Do not validate the server certificate.

expire

How long to use a secured NTP association before rekeying with the NTS-KE server.

cert file

Present the certificate in file as our client certificate, overriding the site default.

ca location

Use the file, or directory, specified by location to validate the NTS-KE server certificate, overriding the site default. Do not use any other CA.
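As an added example (not part of the NTPsec documentation or code base), the following Python lint reads the authentication declarations described on this page from an ntp.conf text: it expands trustedkey ranges written as (first ... last) with the required spaces, enforces the 1 to 65,535 key identifier bound, checks that controlkey names a trusted key, and flags settings that weaken security (mintls above maxtls, a NULL cipher, and noval on a server line). The TLS version spellings and the three-ASCII-dot range syntax are assumed from the text above.

```python
KEY_MIN, KEY_MAX = 1, 65535
TLS_RANK = {"TLS1.2": 2, "TLS1.3": 3}  # version spellings as in the text above

def key_id(tok):
    if not KEY_MIN <= (kid := int(tok)) <= KEY_MAX:  # one key identifier token
        raise ValueError(f"key identifier {kid} outside {KEY_MIN}..{KEY_MAX}")
    return kid

def parse_trustedkey(args):
    """Expand trustedkey arguments; '(first ... last)' needs spaces around the dots."""
    keys, toks, i = set(), args.split(), 0
    while i < len(toks):
        if toks[i].startswith("("):
            if i + 2 >= len(toks) or toks[i + 1] != "..." or not toks[i + 2].endswith(")"):
                raise ValueError(f"malformed key range near {' '.join(toks[i:i + 3])!r}")
            first, last = key_id(toks[i][1:]), key_id(toks[i + 2][:-1])
            if first > last:
                raise ValueError(f"reversed key range ({first} ... {last})")
            keys.update(range(first, last + 1))
            i += 3
        else:
            keys.add(key_id(toks[i]))
            i += 1
    return keys

def lint_auth_config(text):
    """Return findings for the authentication-related lines of an ntp.conf text."""
    trusted, controlkey, mintls, maxtls, findings = set(), None, None, None, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split command/args
        if not parts:
            continue
        cmd, args = parts[0], parts[1] if len(parts) > 1 else ""
        toks = args.split()
        if cmd == "trustedkey":
            trusted |= parse_trustedkey(args)  # several trustedkey lines accumulate
        elif cmd == "controlkey":
            controlkey = key_id(args)
        elif cmd == "nts":
            opts = dict(zip(toks, toks[1:]))  # "mintls TLS1.3" -> {"mintls": "TLS1.3"}
            mintls, maxtls = opts.get("mintls", mintls), opts.get("maxtls", maxtls)
            if "NULL" in (opts.get("tlsciphers"), opts.get("tlsciphersuites")):
                findings.append("nts: a NULL cipher disables encryption and certificate use")
        elif cmd == "server" and "noval" in toks:
            findings.append(f"server {toks[0]}: noval skips NTS-KE certificate validation")
    if controlkey is not None and controlkey not in trusted:
        findings.append(f"controlkey {controlkey} is not a trusted key identifier")
    if mintls and maxtls and TLS_RANK.get(mintls, 0) > TLS_RANK.get(maxtls, 0):
        findings.append(f"nts: mintls {mintls} is higher than maxtls {maxtls}")
    return findings
```

Feed it the contents of an ntp.conf; an empty list means none of the checks above fired.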

