[ntp:questions] Re: ntpdate functions successors

David L. Mills mills at udel.edu
Mon Oct 4 23:57:45 UTC 2004


Guys,

See below.

Dave

Harlan Stenn wrote:
> Most everything you ask for can be done, and it is described in the
> html pages.
> 
> In article <20040919124504.GX89036 at lucky.net>,
> Valentin Nechayev  <netch at lucky.net> wrote:
> 
>>With promised ntpdate revoking, how is it supposed to implement following
>>ntpdate applications?
>>
>>1. Providing synchronized time on a host without having ntpd listening
>>(to exclude any possibility of being abused or exploited), typical to
>>unix workstations.
>>(ntpdate in crontab)
> 
> 
> ntpd -q

During the time it takes to set the clock, ntpd operates in ntpdate mode 
just like in any other mode. A perp cannot affect your time unless he 
can mobilize an association on your machine, which requires the correct 
cryptographic keys. If you have authentication enabled (default) and 
have no keys, this is not possible, no matter what.

> 
>>2. Always use time stepping on system startup, regardless of offset value.
>>(ntpdate -b)
> 
> 
> ntpd -g

If the offset between server and client time is less than 128 ms, and 
unless overriden by tinker, ntpdate and ntpd operate the same way. They 
call Unix adjtime() to initiate a slew to the correct offset and then 
exit while the slew continues. If you want the same effect even if the 
offset is greater than 128 ms, then tinker step 0.

>>3. Use time stepping when local timer lags behind, and time adjusting when
>>local timer outflies. (Now it may be implemented using simple shell script
>>around ntpdate; second call with -b or -B.)
> 
> 
> ntpd -x is pretty close to the -b/-B stuff.

It's too easy to abuse this. Remember, you might agree to jump forward, 
but to somebody else their own clock, possibly synchronized to you 
appears to jump backward.

> I'm not sure how to detect when to use it though.
> 
> If nobody else sees a way, please open a bug on this.
> 
> 
>>4. Checking working of remote server and its offset, with output suitable
>>for machine parsing (in scripts) and without affecting current daemon.
>>(ntpdate -uq)

That is what we have ntpq and the various statistics files for.

> Not sure how to do this either.
> 
> 
>>All listed applications are widely used in our network and it's strongly
>>interesting what we shall do when the main useful tool disappear.
> 
> 
> ntpdate has many limitations and problems that are addressed by using
> ntpd instead.
> 
> Dave, can we think of a way to say "it's OK to step forward, but always slew
> backwards"?
> 
> Also, I wonder if we could use:
> 
>  tinker panic -0
> 
> to mean "just abort and report what the time difference is" (or something
> similar).

Remember, our experience with tinker step 0 and at least some systems 
that have introduced an extra poll in adjitme() the clock behavior 
becomes unstable at large offsets.
> 
> H
> 




More information about the questions mailing list