[ntp:questions] notrust alternative?

Ronan Flood ronan at noc.ulcc.ac.uk
Wed Nov 1 13:59:19 UTC 2006

"Dennis Hilberg Jr" <dhilberg at comcast.net> wrote:

> On one instance I noticed that in the output of 'ntpq -p' one of my server's 
> clients was flagged with the '+'.  notrust under version 4.2 and later now 
> means "Ignore all NTP packets that are not cryptographically authenticated" 
> instead of the 4.1 and earlier versions where it meant "Don't trust this 
> host/subnet for time."  How do I specify with version 4.2 and later that I 
> only want the five server entries in the ntp.conf to be trusted for 
> synchronization?  Or is this automatic, and that particular 'ntpq -p' output 
> a fluke?

'nopeer' should prevent a client establishing a symmetric-passive
association on your server, so the ntp.conf you show in your later
message should be working.  Post the output of 'ntpq -p' showing
your client listed (with or without '+') and 'ntpq -classoc',
and 'ntpq "-crv nnn"' where nnn is the number of the association
(assID) for your client in the lassoc output.

Hmm, "ntpdc -ncreslist" will show the active restrictions, so check
that matches your ntp.conf.

                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
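
Added example, not part of the message above: a small offline check of ntp.conf 'restrict' lines for the two flags discussed in this thread, 'nopeer' and the 4.2 meaning of 'notrust'. The sample configuration is constructed (documentation addresses), and the script assumes numeric IPv4 addresses and that ntpd applies only the most specific matching restrict entry.

```python
import ipaddress

# Constructed sample ntp.conf for illustration; not the poster's file.
SAMPLE_CONF = """\
server 192.0.2.10 iburst
server 192.0.2.11 key 5
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap nopeer notrust
restrict 192.0.2.11 nomodify notrap nopeer notrust
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap   # client subnet
"""

def parse(conf):
    """Return (servers, restricts): servers maps address -> option list,
    restricts is a list of (IPv4 network, set of flags)."""
    servers, restricts = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "server":
            servers[tok[1]] = tok[2:]
        elif tok[0] == "restrict":
            addr, rest, mask = tok[1], tok[2:], "32"
            if addr == "default":
                addr, mask = "0.0.0.0", "0"
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            restricts.append((net, set(rest)))
    return servers, restricts

def audit(conf):
    """List restrict entries that behave differently from what the admin may expect."""
    servers, restricts = parse(conf)
    findings = []
    for net, flags in restricts:
        if net.is_loopback:
            continue
        # Flags are not inherited from 'default': a more specific entry
        # without nopeer lets hosts in that range mobilize an association.
        if "nopeer" not in flags:
            findings.append(f"{net}: no nopeer on this entry")
        # 4.2 and later: notrust drops packets that are not cryptographically
        # authenticated, so a server in this range needs key or autokey.
        if "notrust" in flags:
            for host, opts in servers.items():
                if ipaddress.ip_address(host) in net and not {"key", "autokey"} & set(opts):
                    findings.append(f"{net}: notrust but server {host} has no key")
    return findings
```

The parsed entries can be compared by eye with the address, mask and flags columns that 'ntpdc -ncreslist' prints on the running server.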

