[Figure: from Alice's Adventures in Wonderland, Lewis Carroll. Our resident cryptographer; now you see him, now you don't.]
1. Related Links
2. Commands and Options
Unless noted otherwise, further information about these commands is on the Authentication Support page.
The following declarations control MAC authentication:
- controlkey key
Specifies the key identifier to use with the ntpq(1) utility, which uses the standard protocol defined in RFC 5905. The key argument is the key identifier for a trusted key, where the value can be in the range 1 to 65,535, inclusive.
- keys keyfile
Specifies the complete path and location of the key file containing the keys and key identifiers used by ntpd(8), and ntpq(1) when operating with symmetric-key cryptography. This is the same operation as the -k command line option.
- trustedkey key...
Specifies the key identifiers which are trusted for the purposes of authenticating peers with symmetric key cryptography, as well as keys used by the ntpq(1) program. Multiple keys on the same line should be separated by spaces. Key ranges can be specified as (first ... last). The spaces around the ... are necessary. Multiple trustedkey lines are supported, and trusted keys can also be specified on the command line.
The MAC authentication procedures require that both the local and remote servers share the same key and key identifier for this purpose, although different keys can be used with different servers. The key arguments are 32-bit unsigned integers with values from 1 to 65,535.
The following command controls NTS authentication. It overrides normal TLS protocol negotiation, which is not usually necessary.
nts [enable|disable] [mintls version] [maxtls version] [tlsciphers name] [tlsciphersuites name]
The options are as follows:
- cert file
Present the certificate in file as our certificate.
- key file
Read the private key to our certificate from file.
- ca location
Use the file (or directory) specified by location to validate NTS-KE server certificates instead of the system default root certificates.
- enable
Enable the NTS-KE server. This is the default.
- disable
Disable the NTS-KE server.
- mintls string
Set the lowest allowable TLS version to negotiate. This will be useful in the wake of a TLS compromise. Reasonable values are TLS1.2 and TLS1.3, if your system supports it. TLS1.3 was first supported in OpenSSL version 1.1.1.
- maxtls string
Set the highest allowable TLS version to negotiate. By setting mintls and maxtls equal, you can force the TLS version for testing.
- tlsciphers string
An OpenSSL cipher list to configure the allowed ciphers for TLS versions up to and including TLS 1.2. A single NULL cipher disables encryption and use of certificates.
- tlsciphersuites string
An OpenSSL ciphersuite list to configure the allowed ciphersuites for TLS 1.3. A single NULL cipher disables encryption and use of certificates.
The following options of the server command configure NTS.
- nts
Use Network Time Security for authentication and encryption. Request key exchange from the NTP server. If there is an NTS key service running on the same host as the NTP server, adding this option is normally all you need to do.
Note that the server name must match the name on the certificate. That is probably an FQDN rather than the short alias you would normally use to talk to an internal server.
- ask address
Use Network Time Security for authentication and encryption. Ask for a specific NTS server, which may differ from the NTP server. The address conforms to the RFC 3986 section 3.2.2 prescription for the Host part of a URI: that is, it may be a hostname, an FQDN, an IPv4 numeric address, or an IPv6 numeric address (in square brackets). The address may have the suffix :port to specify a UDP port.
- require address
Use Network Time Security for authentication and encryption. Require a specific NTS server, which may differ from the NTP server. Address syntax is as for ask.
Do not validate the server certificate.
How long to use a secured NTP association before rekeying with the NTS-KE server.
- cert file
Present the certificate in file as our client certificate, overriding the site default.
- ca location
Use the file, or directory, specified by location to validate the NTS-KE server certificate, overriding the site default. Do not use any other CA.
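The following ntp.conf fragment is an added example that ties together the MAC directives (keys, trustedkey, controlkey) and the NTS directives (the nts command and the server options) described above; it is constructed for this page, not taken from the NTPsec documentation, and the hostnames, file paths and key identifiers are placeholders.

```conf
# Constructed example ntp.conf fragment; hostnames, paths and key IDs are placeholders.

# --- Symmetric-key (MAC) authentication ---
keys /etc/ntp.keys               # key file shared with ntpq; same effect as the -k option
trustedkey 1 2 (10 ... 20)       # trust keys 1, 2 and 10 through 20; spaces around ... are required
controlkey 1                     # key identifier ntpq uses for authenticated control requests

# --- NTS-KE server side (nts command) ---
# Pin TLS to 1.3 by setting mintls and maxtls equal (requires OpenSSL 1.1.1 or later).
nts enable mintls TLS1.3 maxtls TLS1.3
nts cert /etc/ssl/ntpsec/server.crt   # certificate presented to NTS clients
nts key /etc/ssl/ntpsec/server.key    # private key for that certificate
# Weak setting, shown for contrast and deliberately commented out: a NULL cipher
# list disables encryption and certificate use entirely.
# nts tlsciphersuites NULL

# --- NTS client side (server command options) ---
# NTS-KE service runs on the same host as the NTP server; the name must match the
# certificate, so use the FQDN rather than a short internal alias.
server ntp1.example.org nts
# NTS-KE service on a different host, validated against a private CA instead of
# the system roots; "require" fails the association if that NTS server is unusable.
server ntp2.example.org nts require ntske.example.org ca /etc/ssl/ntpsec/private-ca.pem
```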