diff options
Diffstat (limited to 'examples/chrony.keys.example')
| -rw-r--r-- | examples/chrony.keys.example | 30 |
1 files changed, 8 insertions, 22 deletions
diff --git a/examples/chrony.keys.example b/examples/chrony.keys.example index 1583174..e6660ae 100644 --- a/examples/chrony.keys.example +++ b/examples/chrony.keys.example @@ -1,29 +1,15 @@ -####################################################################### +# This is an example chrony keys file. It is used for NTP authentication with +# symmetric keys. It should be readable only by root or the user to which +# chronyd is configured to switch to. # -# This is an example chrony keys file. You should copy it to /etc/chrony.keys -# after editing it to set up the key(s) you want to use. It should be readable -# only by root or the user chronyd drops the root privileges to. In most -# situations, you will require a single key (the 'commandkey') so that you can -# supply a password to chronyc to enable you to modify chronyd's operation -# whilst it is running. -# -# Copyright 2002 Richard P. Curnow -# -###################################################################### +# Don't use the example keys! The keys need to be random for maximum security. +# These shell commands can be used to generate random MD5 and SHA1 keys on +# systems which have the /dev/urandom device: +# echo "1 MD5 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 32)" +# echo "1 SHA1 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 40)" # Examples of valid keys: #1 ALongAndRandomPassword #2 MD5 HEX:B028F91EA5C38D06C2E140B26C7F41EC #3 SHA1 HEX:1DC764E0791B11FA67EFC7ECBC4B0D73F68A070C - -# The keys should be random for maximum security. If you wanted to use a key -# with ID 1 as your commandkey (i.e. chronyc password) you would put -# "commandkey 1" into chrony.conf. If no commandkey is present in the keys -# file and the generatecommandkey directive is specified in chrony.conf, -# a random commandkey will be generated and added to the keys file -# automatically on chronyd start. - -# You might want to define more keys if you use the authentication facility -# in the network time protocol to authenticate request/response packets between -# trusted clients and servers. |