[ntp:questions] Re: ntpdate functions successors
David L. Mills
mills at udel.edu
Mon Oct 4 23:57:45 UTC 2004
Harlan Stenn wrote:
> Most everything you ask for can be done, and it is described in the
> html pages.
> In article <20040919124504.GX89036 at lucky.net>,
> Valentin Nechayev <netch at lucky.net> wrote:
>>With promised ntpdate revoking, how is it supposed to implement following
>>1. Providing synchronized time on a host without having ntpd listening
>>(to exclude any possibility of being abused or exploited), typical to
>>(ntpdate in crontab)
> ntpd -q
During the time it takes to set the clock, ntpd operates in ntpdate mode
just like in any other mode. A perp cannot affect your time unless he
can mobilize an association on your machine, which requires the correct
cryptographic keys. If you have authentication enabled (default) and
have no keys, this is not possible, no matter what.
>>2. Always use time stepping on system startup, regardless of offset value.
> ntpd -g
If the offset between server and client time is less than 128 ms, and
unless overridden by tinker, ntpdate and ntpd operate the same way. They
call Unix adjtime() to initiate a slew to the correct offset and then
exit while the slew continues. If you want the same effect even if the
offset is greater than 128 ms, then tinker step 0.
>>3. Use time stepping when local timer lags behind, and time adjusting when
>>local timer outflies. (Now it may be implemented using simple shell script
>>around ntpdate; second call with -b or -B.)
> ntpd -x is pretty close to the -b/-B stuff.
It's too easy to abuse this. Remember, you might agree to jump forward,
but to somebody else their own clock, possibly synchronized to you,
appears to jump backward.
> I'm not sure how to detect when to use it though.
> If nobody else sees a way, please open a bug on this.
>>4. Checking working of remote server and its offset, with output suitable
>>for machine parsing (in scripts) and without affecting current daemon.
That is what we have ntpq and the various statistics files for.
> Not sure how to do this either.
>>All listed applications are widely used in our network and it's strongly
>>interesting what we shall do when the main useful tool disappear.
> ntpdate has many limitations and problems that are addressed by using
> ntpd instead.
> Dave, can we think of a way to say "it's OK to step forward, but always slew
> Also, I wonder if we could use:
> tinker panic -0
> to mean "just abort and report what the time difference is" (or something
Remember, our experience with tinker step 0 and at least some systems
that have introduced an extra poll in adjtime() the clock behavior
becomes unstable at large offsets.
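
An added example, not part of the original message or of the NTP distribution: a parser for ntpd peerstats lines that reports each peer's offset in machine-readable form, without touching the running daemon, and flags offsets at or beyond the 128 ms figure discussed above. The sample lines are constructed; the field layout assumed is the peerstats one (MJD, seconds past midnight, peer address, hex status, offset, delay, dispersion, jitter).

```python
from datetime import datetime, timedelta, timezone

STEP_THRESHOLD_S = 0.128  # the 128 ms figure from the message above
MJD_EPOCH = datetime(1858, 11, 17, tzinfo=timezone.utc)  # Modified Julian Day 0

# Constructed sample data in peerstats layout:
# MJD  secs-past-midnight  peer  status(hex)  offset  delay  dispersion  jitter
SAMPLE = """\
53282 86265.123 192.0.2.10 9614 0.004213 0.031250 0.001424 0.000958
53282 86329.456 192.0.2.11 9414 -0.251700 0.045100 0.003100 0.012000
truncated line
53282 86393.789 192.0.2.10 zzzz 0.010000 0.030900 0.001500 0.001100
53282 86399.000 192.0.2.12 9614 0.128000 0.030900 0.001500 0.001100
"""

def parse_peerstats(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            when = MJD_EPOCH + timedelta(days=int(fields[0]), seconds=float(fields[1]))
            status = int(fields[3], 16)
            offset, delay, dispersion = (float(f) for f in fields[4:7])
        except ValueError:
            continue
        records.append({"time": when, "peer": fields[2], "status": status,
                        "offset": offset, "delay": delay, "dispersion": dispersion})
    return records

def classify(records, threshold=STEP_THRESHOLD_S):
    """Tag each sample: below the threshold ntpd would slew; otherwise flag it."""
    return [(r["peer"], r["offset"],
             "slew" if abs(r["offset"]) < threshold else "over-threshold")
            for r in records]

if __name__ == "__main__":
    for peer, offset, verdict in classify(parse_peerstats(SAMPLE)):
        print(f"{peer}\t{offset:+.6f}\t{verdict}")
```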