doc: update keyfile description
parent 8549043a3f
commit d36ca9288a
1 changed files with 15 additions and 18 deletions
|
@ -1707,28 +1707,25 @@ pairs. The format of the file is shown below
|
||||||
...
|
...
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
Each line consists of an ID, a name of authentication hash function (optional)
|
Each line consists of an ID, name of an authentication hash function (optional)
|
||||||
and a password. The ID can be any unsigned integer in the range 1 through
|
and a password. The ID can be any unsigned integer in the range 1 through
|
||||||
2**32-1. The hash function is MD5 by default, depending on how was
|
2**32-1. The default hash function is MD5. Depending on how @code{chronyd}
|
||||||
@code{chronyd} compiled, other allowed hash functions may be SHA1, SHA256,
|
was compiled, other supported functions may be SHA1, SHA256, SHA384, SHA512,
|
||||||
SHA384, SHA512, RMD128, RMD160, RMD256, RMD320, TIGER and WHIRLPOOL. The
|
RMD128, RMD160, RMD256, RMD320, TIGER and WHIRLPOOL. The password can be
|
||||||
password can be encoded as a string of characters not containing a space with
|
specified as a string of characters not containing white space with an optional
|
||||||
optional @code{ASCII:} prefix or as a hexadecimal number with @code{HEX:}
|
@code{ASCII:} prefix, or as a hexadecimal number with the @code{HEX:} prefix.
|
||||||
prefix.
|
The maximum length of the line is 2047 characters.
|
||||||
|
|
||||||
The password is used with the hash function to generate and verify a message
|
The password is used with the hash function to generate and verify a message
|
||||||
authentication code (MAC) in NTP packets.
|
authentication code (MAC) in NTP packets. It's recommended to use SHA1 or a
|
||||||
For maximum security, it's recommended to use SHA1 or stronger hash function.
|
stronger hash function with random passwords specified in the hexadecimal
|
||||||
The passwords should be random and they should be as long as the output size of
|
format that have at least 128 bits. @code{chronyd} will log a warning to
|
||||||
the configured hash function, e.g. 160 bits with SHA1.
|
syslog on start if a source is specified in the configuration file with a key
|
||||||
|
that has password shorter than 80 bits.
|
||||||
|
|
||||||
These shell commands can be used to generate random MD5 and SHA1 keys on
|
The @code{keygen} command of @code{chronyc} (@pxref{keygen command}) can be
|
||||||
systems which have the @code{/dev/urandom} device:
|
used to generate random keys for the key file. By default, it generates
|
||||||
|
160-bit MD5 or SHA1 keys.
|
||||||
@example
|
|
||||||
echo "1 MD5 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 32)"
|
|
||||||
echo "1 SHA1 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 40)"
|
|
||||||
@end example
|
|
||||||
@c }}}
|
@c }}}
|
||||||
@c {{{ leapsecmode
|
@c {{{ leapsecmode
|
||||||
@node leapsecmode directive
|
@node leapsecmode directive
|
||||||
|
|
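Review bot: In the rewritten MAC paragraph, the recommendation ("at least 128 bits") and the syslog warning threshold ("shorter than 80 bits") sit back to back with nothing said about how they relate, so a key between 80 and 127 bits starts without a warning and a reader may take the silence as approval; suggest stating explicitly that 80 bits is only the warning floor and 128 bits remains the recommended minimum. The same sentence is missing an article ("a key that has a password shorter than 80 bits"). In the keygen paragraph, "160-bit MD5 or SHA1 keys" does not say which of the two is picked by default, which matters because the text above recommends SHA1 or stronger while MD5 stays the key file default when the hash name is omitted.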