[ntp:questions] notrust alternative?
Richard B. Gilbert
rgilbert88 at comcast.net
Wed Nov 1 04:46:11 UTC 2006
Dennis Hilberg Jr wrote:
> On one instance I noticed that in the output of 'ntpq -p' one of my server's
> clients was flagged with the '+'. notrust under version 4.2 and later now
> means "Ignore all NTP packets that are not cryptographically authenticated"
> instead of the 4.1 and earlier versions where it meant "Don't trust this
> host/subnet for time." How do I specify with version 4.2 and later that I
> only want the five server entries in the ntp.conf to be trusted for
> synchronization? Or is this automatic, and that particular 'ntpq -p' output
> a fluke?
>
> Thanks!
>
>
By naming a system in the server statement you are telling ntpd to get
time from that system and effectively telling ntpd to trust that system.
Authentication is supposed to guarantee that the server that is telling
you the time really is the server that you named in the server
statement. To name a server and then tell ntpd not to trust it seems a
pointless exercise.

If your server's ntpq -p "banner" lists a client with a "+", something is
very wrong somewhere! NTP is hierarchical and servers do not get time
from clients!! Now, two systems can be declared as "peers" and get time
from each other, but that is a different relationship from client and
server.
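As an added example (not part of this thread or of the NTP distribution), here is a small POSIX shell check for the situation described above: it compares the sources ntpd has actually selected in an ntpq -p banner (tally codes `*`, `+` and `#`) against the server/peer lines of ntp.conf and reports any source that was never configured. The ntp.conf fragment and the ntpq output below are constructed for illustration, with hypothetical hostnames and addresses; on a real host you would feed it `cat /etc/ntp.conf` and `ntpq -p` instead.

```shell
#!/bin/sh
# Added example: flag sources ntpd has selected that are not configured in ntp.conf.
# Both inputs below are constructed samples, not captured from any real system.

# Constructed ntp.conf fragment (hypothetical hosts). Trust comes from naming a
# host in a server line; the restrict default line is the usual way to refuse
# unconfigured hosts the ability to mobilize an association on this server.
NTP_CONF='server ntp1.example iburst
server ntp2.example iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1'

# Constructed ntpq -p banner. The "+" on client.example is the anomaly the thread
# is about: a host that is not in ntp.conf but has been selected as a candidate.
NTPQ_OUT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example     192.0.2.10       2 u   34   64  377    1.234    0.123   0.045
+client.example   203.0.113.5      3 u   12   64  377    0.456   -0.789   0.102
 ntp2.example     192.0.2.11       2 u   50   64  377    1.345    0.234   0.067'

# configured_sources CONF: print the host of every server or peer line
configured_sources() {
    printf '%s\n' "$1" | awk '$1 == "server" || $1 == "peer" { print $2 }'
}

# selected_peers BANNER: print the remote name of every line whose tally code
# (first character) marks it as used for synchronization: * sys.peer,
# + candidate, # excess. Header and ==== lines are skipped.
selected_peers() {
    printf '%s\n' "$1" | awk 'NR > 2 {
        code = substr($0, 1, 1)
        if (code == "*" || code == "+" || code == "#") print substr($1, 2)
    }'
}

# unexpected_sources CONF BANNER: selected sources that never appear in ntp.conf
unexpected_sources() {
    conf=$1
    banner=$2
    for host in $(selected_peers "$banner"); do
        if ! configured_sources "$conf" | grep -qxF "$host"; then
            printf '%s\n' "$host"
        fi
    done
}

# Stand-alone run: report the anomaly, if any
unexpected_sources "$NTP_CONF" "$NTPQ_OUT" | sed 's/^/selected but not configured: /'
```

Two practical caveats: ntpq -p truncates long names to fit the remote column, so on a real host run `ntpq -pn` and list your servers by address, or compare on a prefix. And if an unconfigured host does show up as a selectable source, the first thing to check is that the `restrict default` line carries `nopeer`, which refuses unauthenticated symmetric-active packets that would otherwise mobilize a new association on the server.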