[ntp:questions] Re: Using NTPDC - keyid required

Dale Worley worley at dragon.ariadne.com
Tue Dec 9 02:24:48 UTC 2003


Jan Ceuleers <janspam.ceuleers at computer.org> writes:
> As I said, I haven't looked at the source. But if ntpd uses the ntpdc
> protocol during the start-up phase (and I don't doubt that that is the
> case) then why does it not need a keyid/passwd pair for that? This
> raises the possibility that ntpd might be convinced to dispense with
> the keyid/passwd when it receives commands from ntpdc rather than from
> another ntpd process?...

My guess is that the child process (the one doing the configurer)
talks to the parent process (the "real" NTP) using the real ntpd
protocol.  If so, then it *is* using a key, and has to, because
otherwise the socket 127.0.0.1:123 would be unprotected.

OK, duh, I'm wrong there.  Looking at my ntp.conf, I see:

    # Permit all access over the loopback interface.  This could
    # be tightened as well, but to do so would effect some of
    # the administrative functions.
    restrict 127.0.0.1 

I expect that if you don't leave 127.0.0.1 wide-open, then you have to
use the 'requestkey' command to set which key is expected by ntpd for
ntpdc traffic.

Uh, yeah, I guess that's what Jan Ceuleers was saying in his message.

So the short answer is that the ntpdc protocol doesn't require a key,
and the NTP configurator child doesn't use one unless one is specified
via 'requestkey'.  But the ntpdc program requires that you specify
one.

> Secondly, perhaps it is not a limitation of the ntpdc protocol but
> rather of the ntpdc program, which does not seem to implement the same
> richness of options that the ntpd.conf parser offers. I'd still like
> to try and hack ntpd to allow it to be used to modify the runtime
> configuration of another running daemon, but I have no idea when I'll
> have time to do this (and cannot guarantee that I'll succeed either).

In a perfect world, the ntpd configurator child would run occasionally
(every 24 hours?) to re-resolve the names of the servers/peers.  This
would get rid of the problems when one's IP address changes, as well
as when the IP address of the server changes.

Dale
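An added example (not from this thread or the NTP project) that audits an ntp.conf for the condition discussed above: a loopback `restrict` line that still permits modification, combined with no `requestkey`, so ntpdc runtime-configuration requests from localhost need no key at all. The sample configurations are constructed; the `audit_ntp_conf` helper is hypothetical.

```python
# Audit an ntp.conf for a modify-capable loopback 'restrict' with no
# 'requestkey'. Added example, not the project's code; configs are constructed.

LOOPBACK = ("127.0.0.1", "::1")

# Constructed sample: loopback wide open, as in the ntp.conf quoted above.
WEAK_CONF = """\
# Permit all access over the loopback interface.
restrict 127.0.0.1
server ntp.example.org
"""

# Constructed sample: modification blocked on loopback, and a request key set.
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1 nomodify
keys /etc/ntp/keys
trustedkey 1
requestkey 1
"""

def parse_conf(text):
    """Yield (keyword, args) per directive, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def audit_ntp_conf(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    default_flags = loopback_flags = request_key = None
    has_keys = False
    for kw, args in parse_conf(text):
        while args and args[0] in ("-4", "-6"):   # address-family selector
            args = args[1:]
        if kw == "restrict" and args:
            if args[0] == "default":
                default_flags = set(args[1:])
            elif args[0] in LOOPBACK:
                loopback_flags = set(args[1:])
        elif kw == "requestkey" and args:
            request_key = args[0]
        elif kw == "keys":
            has_keys = True
    # Effective loopback flags: explicit line, else 'restrict default',
    # else (no restrict at all) everything is permitted.
    effective = loopback_flags if loopback_flags is not None else default_flags
    effective = effective if effective is not None else set()
    findings = []
    if not ({"nomodify", "ignore"} & effective):
        msg = "loopback clients may change runtime configuration (no 'nomodify')"
        if request_key is None:
            msg += " and no 'requestkey' is set, so no key is needed at all"
        findings.append(msg)
    if request_key is not None and not has_keys:
        findings.append("'requestkey %s' set but no 'keys' file configured" % request_key)
    return findings
```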


