Following is a description of the format of NTP key files.
For a description of the use of these files, see the
Qq Authentication Support
section of the
ntp.conf5
page.
In the case of DES, the keys are 56 bits long with,
depending on type, a parity check on each byte.
In the case of MD5, the keys are 64 bits (8 bytes).
ntpd(8)
reads its keys from a file specified using the
-k
command line option or the
keys
statement in the configuration file.
While key number 0 is fixed by the NTP standard
(as 56 zero bits)
and may not be changed,
one or more of the keys numbered 1 through 15
may be arbitrarily set in the keys file.
The key file uses the same comment conventions
as the configuration file.
Key entries use a fixed format of the form
where
keyno
is a positive integer,
type
is a single character which defines the key format,
and
key
is the key itself.
The
key
may be given in one of four different formats,
controlled by the
type
character.
The four key types, and corresponding formats,
are listed following.
S
The key is a 64-bit hexadecimal number in the format
specified in the DES specification;
that is, the high order seven bits of each octet are used
to form the 56-bit key
while the low order bit of each octet is given a value
such that odd parity is maintained for the octet.
Leading zeroes must be specified
(i.e., the key must be exactly 16 hex digits long)
and odd parity must be maintained.
Hence a zero key, in standard format, would be given as
`0101010101010101'
N
The key is a 64-bit hexadecimal number in the format
specified in the NTP standard.
This is the same as the DES format,
except the bits in each octet have been rotated one bit right
so that the parity bit is now the high order bit of the octet.
Leading zeroes must be specified and odd parity must be maintained.
A zero key in NTP format would be specified as
`8080808080808080'
A
The key is a 1-to-8 character ASCII string.
A key is formed from this by using the low order 7 bits
of each ASCII character in the string,
with zeroes added on the right
when necessary to form a full width 56-bit key,
in the same way that encryption keys are formed from
UNIX
passwords.
M
The key is a 1-to-8 character ASCII string,
using the MD5 authentication scheme.
Note that both the keys and the authentication schemes (DES or MD5)
must be identical between a set of peers sharing the same key number.
Note that the keys used by the
ntpq(8)
and
ntpdc(8)
programs are checked against passwords
requested by the programs and entered by hand,
so it is generally appropriate to specify these keys in ASCII format.
ntpd(8)
has gotten rather fat.
While not huge, it has gotten larger than might
be desirable for an elevated-priority daemon running on a workstation,
particularly since many of the fancy features which consume the space
were designed more with a busy primary server, rather than a high
stratum workstation, in mind.