Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/external/bsd/ntp adjust for new ntp and add the generated ma...
details: https://anonhg.NetBSD.org/src/rev/ed3541462578
branches: trunk
changeset: 325530:ed3541462578
user: christos <christos%NetBSD.org@localhost>
date: Sat Dec 28 03:19:43 2013 +0000
description:
adjust for new ntp and add the generated man pages
diffstat:
external/bsd/ntp/bin/ntp-keygen/Makefile | 11 +-
external/bsd/ntp/bin/ntp-keygen/ntp-keygen.8 | 1084 ++++++++++
external/bsd/ntp/bin/ntpd/Makefile | 17 +-
external/bsd/ntp/bin/ntpd/ntp.conf.5 | 2814 ++++++++++++++++++++++++++
external/bsd/ntp/bin/ntpd/ntp.keys.5 | 174 +
external/bsd/ntp/bin/ntpd/ntpd.8 | 902 ++++++++
external/bsd/ntp/bin/ntpdc/Makefile | 8 +-
external/bsd/ntp/bin/ntpdc/ntpdc.8 | 821 +++++++
external/bsd/ntp/bin/ntpq/Makefile | 10 +-
external/bsd/ntp/bin/ntpq/ntpq.8 | 404 +++
external/bsd/ntp/bin/ntptime/Makefile | 5 +-
external/bsd/ntp/bin/sntp/Makefile | 19 +-
external/bsd/ntp/bin/sntp/sntp.1 | 317 ++
external/bsd/ntp/importdate | 2 +-
external/bsd/ntp/include/config.h | 754 ++++--
external/bsd/ntp/lib/libiscntp/Makefile | 4 +-
external/bsd/ntp/lib/libntp/Makefile | 78 +-
external/bsd/ntp/lib/libopts/Makefile | 11 +-
18 files changed, 7150 insertions(+), 285 deletions(-)
diffs (truncated from 8280 to 300 lines):
diff -r 405e029fbf80 -r ed3541462578 external/bsd/ntp/bin/ntp-keygen/Makefile
--- a/external/bsd/ntp/bin/ntp-keygen/Makefile Sat Dec 28 03:18:39 2013 +0000
+++ b/external/bsd/ntp/bin/ntp-keygen/Makefile Sat Dec 28 03:19:43 2013 +0000
@@ -1,10 +1,7 @@
-# $NetBSD: Makefile,v 1.4 2012/02/01 07:46:21 kardel Exp $
-
-NOGCCERROR=yes
+# $NetBSD: Makefile,v 1.5 2013/12/28 03:19:43 christos Exp $
.include <bsd.own.mk>
-
PROG= ntp-keygen
MAN= ntp-keygen.8
BINDIR= /usr/sbin
@@ -23,10 +20,4 @@
.PATH: ${DIST}
-ntp-keygen.8: ntp-keygen.1
- ${_MKTARGET_BUILD}
- ${TOOL_SED} -e "s,NTP-KEYGEN 1,NTP-KEYGEN 8," $? > $@
-
-CLEANFILES+=ntp-keygen.8
-
.include <bsd.prog.mk>
diff -r 405e029fbf80 -r ed3541462578 external/bsd/ntp/bin/ntp-keygen/ntp-keygen.8
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/ntp/bin/ntp-keygen/ntp-keygen.8 Sat Dec 28 03:19:43 2013 +0000
@@ -0,0 +1,1084 @@
+.Dd December 24 2013
+.Dt NTP_KEYGEN 8 User Commands
+.Os SunOS 5.10
+.\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
+.\"
+.\" It has been AutoGen-ed December 24, 2013 at 11:39:38 AM by AutoGen 5.18.3pre5
+.\" From the definitions ntp-keygen-opts.def
+.\" and the template file agmdoc-cmd.tpl
+.Sh NAME
+.Nm ntp-keygen
+.Nd Create a NTP host key
+.Sh SYNOPSIS
+.Nm
+.\" Mixture of short (flag) options and long options
+.Op Fl flags
+.Op Fl flag Op Ar value
+.Op Fl \-option\-name Ns Oo Oo Ns "=| " Oc Ns Ar value Oc
+.Pp
+All arguments must be options.
+.Pp
+.Sh DESCRIPTION
+This program generates cryptographic data files used by the NTPv4
+authentication and identification schemes.
+It generates MD5 key files used in symmetric key cryptography.
+In addition, if the OpenSSL software library has been installed,
+it generates keys, certificate and identity files used in public key
+cryptography.
+These files are used for cookie encryption,
+digital signature and challenge/response identification algorithms
+compatible with the Internet standard security infrastructure.
+.Pp
+All files are in PEM\-encoded printable ASCII format,
+so they can be embedded as MIME attachments in mail to other sites
+and certificate authorities.
+By default, files are not encrypted.
+.Pp
+When used to generate message digest keys, the program produces a file
+containing ten pseudo\-random printable ASCII strings suitable for the
+MD5 message digest algorithm included in the distribution.
+If the OpenSSL library is installed, it produces an additional ten
+hex\-encoded random bit strings suitable for the SHA1 and other message
+digest algorithms.
+The message digest keys file must be distributed and stored
+using secure means beyond the scope of NTP itself.
+Besides the keys used for ordinary NTP associations, additional keys
+can be defined as passwords for the
+.Xr ntpq 8
+and
+.Xr ntpdc 8
+utility programs.
+.Pp
+The remaining generated files are compatible with other OpenSSL
+applications and other Public Key Infrastructure (PKI) resources.
+Certificates generated by this program are compatible with extant
+industry practice, although some users might find the interpretation of
+X509v3 extension fields somewhat liberal.
+However, the identity keys are probably not compatible with anything
+other than Autokey.
+.Pp
+Some files used by this program are encrypted using a private password.
+The
+.Fl p
+option specifies the password for local encrypted files and the
+.Fl q
+option the password for encrypted files sent to remote sites.
+If no password is specified, the host name returned by the Unix
+.Fn gethostname
+function, normally the DNS name of the host is used.
+.Pp
+The
+.Ar pw
+option of the
+.Ar crypto
+configuration command specifies the read
+password for previously encrypted local files.
+This must match the local password used by this program.
+If not specified, the host name is used.
+Thus, if files are generated by this program without password,
+they can be read back by
+.Ar ntpd
+without password but only on the same host.
+.Pp
+Normally, encrypted files for each host are generated by that host and
+used only by that host, although exceptions exist as noted later on
+this page.
+The symmetric keys file, normally called
+.Ar ntp.keys ,
+is usually installed in
+.Pa /etc .
+Other files and links are usually installed in
+.Pa /usr/local/etc ,
+which is normally in a shared filesystem in
+NFS\-mounted networks and cannot be changed by shared clients.
+The location of the keys directory can be changed by the
+.Ar keysdir
+configuration command in such cases.
+Normally, this is in
+.Pa /etc .
+.Pp
+This program directs commentary and error messages to the standard
+error stream
+.Ar stderr
+and remote files to the standard output stream
+.Ar stdout
+where they can be piped to other applications or redirected to files.
+The names used for generated files and links all begin with the
+string
+.Ar ntpkey
+and include the file type, generating host and filestamp,
+as described in the
+.Dq Cryptographic Data Files
+section below.
+.Ss Running the Program
+To test and gain experience with Autokey concepts, log in as root and
+change to the keys directory, usually
+.Pa /usr/local/etc
+When run for the first time, or if all files with names beginning with
+.Ar ntpkey
+have been removed, use the
+.Nm
+command without arguments to generate a
+default RSA host key and matching RSA\-MD5 certificate with expiration
+date one year hence.
+If run again without options, the program uses the
+existing keys and parameters and generates only a new certificate with
+new expiration date one year hence.
+.Pp
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
+.Nm
+with the
+.Fl T
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
+.Pp
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+.Fl S
+option and this can be either RSA or DSA type.
+By default, the signature
+message digest type is MD5, but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+.Fl c
+option.
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken\-and\-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball\-and\-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re\-generated.
+.Pp
+Additional information on trusted groups and identity schemes is on the
+.Dq Autokey Public\-Key Authentication
+page.
+.Pp
+The
+.Xr ntpd 8
+configuration command
+.Ic crypto pw Ar password
+specifies the read password for previously encrypted files.
+The daemon expires on the spot if the password is missing
+or incorrect.
+For convenience, if a file has been previously encrypted,
+the default read password is the name of the host running
+the program.
+If the previous write password is specified as the host name,
+these files can be read by that host with no explicit password.
+.Pp
+File names begin with the prefix
+.Cm ntpkey_
+and end with the postfix
+.Ar _hostname.filestamp ,
+where
+.Ar hostname
+is the owner name, usually the string returned
+by the Unix gethostname() routine, and
+.Ar filestamp
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+.Ic rm ntpkey\&*
+command or all files generated
+at a specific time can be removed by a
+.Ic rm
+.Ar \&*filestamp
+command.
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
+.Pp
+All files are installed by default in the keys directory
+.Pa /usr/local/etc ,
+which is normally in a shared filesystem
+in NFS\-mounted networks.
+The actual location of the keys directory
+and each file can be overridden by configuration commands,
+but this is not recommended.
+Normally, the files for each host are generated by that host
+and used only by that host, although exceptions exist
+as noted later on this page.
+.Pp
+Normally, files containing private values,
+including the host key, sign key and identification parameters,
+are permitted root read/write\-only;
+while others containing public values are permitted world readable.
+Alternatively, files containing private values can be encrypted
+and these files permitted world readable,
+which simplifies maintenance in shared file systems.
+Since uniqueness is insured by the hostname and
+file name extensions, the files for a NFS server and
+dependent clients can all be installed in the same shared directory.
+.Pp
+The recommended practice is to keep the file name extensions
+when installing a file and to install a soft link
+from the generic names specified elsewhere on this page
+to the generated files.
+This allows new file generations to be activated simply
+by changing the link.
+If a link is present, ntpd follows it to the file name
+to extract the filestamp.
+If a link is not present,
+.Xr ntpd 8
+extracts the filestamp from the file itself.
+This allows clients to verify that the file and generation times
+are always current.
+The
+.Nm
+program uses the same timestamp extension for all files generated
+at one time, so each generation is distinct and can be readily
+recognized in monitoring data.
+.Ss Running the program
+The safest way to run the
+.Nm
+program is logged in directly as root.
+The recommended procedure is change to the keys directory,
+usually
+.Pa /usr/local/etc ,
+then run the program.
+When run for the first time,
+or if all
+.Cm ntpkey
+files have been removed,
+the program generates a RSA host key file and matching RSA\-MD5 certificate file,
+which is all that is necessary in many cases.
+The program also generates soft links from the generic names
+to the respective files.
+If run again, the program uses the same host key file,
+but generates a new certificate file and link.
+.Pp
+The host key is used to encrypt the cookie when required and so must be RSA type.
+By default, the host key is also the sign key used to encrypt signatures.
+When necessary, a different sign key can be specified and this can be
+either RSA or DSA type.
+By default, the message digest type is MD5, but any combination
+of sign key type and message digest type supported by the OpenSSL library
+can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
Home |
Main Index |
Thread Index |
Old Index