[ntp:questions] notrust alternative?

Richard B. Gilbert rgilbert88 at comcast.net
Wed Nov 1 04:46:11 UTC 2006

Dennis Hilberg Jr wrote:

> On one instance I noticed that in the output of 'ntpq -p' one of my server's 
> clients was flagged with the '+'.  notrust under version 4.2 and later now 
> means "Ignore all NTP packets that are not cryptographically authenticated" 
> instead of the 4.1 and earlier versions where it meant "Don't trust this 
> host/subnet for time."  How do I specify with version 4.2 and later that I 
> only want the five server entries in the ntp.conf to be trusted for 
> synchronization?  Or is this automatic, and that particular 'ntpq -p' output 
> a fluke?
> Thanks! 

By naming a system in the server statement  you are telling ntpd to get 
time from that system and effectively telling ntpd to trust that system. 
Authentication is supposed to guarantee that the server that is telling 
you the time really is the server that you named in the server 
statement.  To name a server and then tell ntpd not to trust it seems a 
pointless exercise.

If your server's ntpq -p "banner" lists a client with a "+" something is 
very wrong somewhere!  NTP is hierarchical and servers do not get time 
from clients!!  Now two systems can be declared as "peers" and get time 
from each other but that is a different relationship than client and 

More information about the questions mailing list