[ntp:questions] notrust alternative?
user at domain.invalid
Wed Nov 1 16:02:08 UTC 2006
There is a fundamental misunderstanding of the notrust option,
understandable because the documentation is buggy. The notrust option
applies to clients attempting to retrieve time from your server. The
options are to supply time whether or not authenticated or to require
authentication. This is done primarily to discourage unwanted traffic
and is intended for use by the national labs.
What you want is the nopeer option, which prevents broadcast, manycast
and symmetric peers from mobilizing associations and potentially synchronizing
your clock. By preventing mobilization, this prevents any attempt to
synchronize your clock by any outside source. The misunderstanding is in
both NTPv3 (xntpd) and NTPv4 (ntpd). The current documentation at
ntp.org accurately describes these options.
Dennis Hilberg Jr wrote:
> I forgot to include my ntp.conf. Here it is:
> # Default restriction.
> restrict default kod nomodify notrap nopeer noquery
> # Allow free access to localhost.
> restrict 127.0.0.1
> # Allow the local network access with the following modified restrictions.
> restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
> # Synchronization servers. Include at least three, but no more than five.
> server bigben.cac.washington.edu iburst
> server montpelier.ilan.caltech.edu iburst
> server tick.ucla.edu iburst
> server clock.xmission.com iburst
> server clepsydra.dec.com iburst
> # Drift file location
> driftfile /etc/ntp/drift
> # Location of the log file
> logfile /var/log/ntp/ntp.log
> # NTP monitoring parameters
> statsdir /var/log/ntp/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> # Authentication parameters
> #keys /etc/ntp/keys
> #trustedkey 2 3 4
> #controlkey 3 # To access the ntpq utility
> #requestkey 2 # To access the ntpdc utility
> "Dennis Hilberg Jr" <dhilberg at comcast.net> wrote in message
> news:UZOdnQLLdJhzJdrYnZ2dnUVZ_sqdnZ2d at comcast.com...
> | On one instance I noticed that in the output of 'ntpq -p' one of my
> | clients was flagged with the '+'. notrust under version 4.2 and later now
> | means "Ignore all NTP packets that are not cryptographically
> | instead of the 4.1 and earlier versions where it meant "Don't trust this
> | host/subnet for time." How do I specify with version 4.2 and later that I
> | only want the five server entries in the ntp.conf to be trusted for
> | synchronization? Or is this automatic, and that particular 'ntpq -p'
> | a fluke?
> | Thanks!
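The distinction drawn in the reply (nopeer stops outside peers from mobilizing associations; notrust only demands authenticated packets from clients) can be checked mechanically against a configuration. The following is an added Python example, not code from the thread or from the ntp project; SAMPLE_CONF is a constructed ntp.conf and the audit rules are my own reading of the two options.

```python
# Added example: audit the restrict lines of an ntp.conf for the two
# options discussed in the thread. Not part of ntpd; the config is constructed.
import re
from typing import Dict, List

SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
# Constructed mistake: notrust used where nopeer was meant.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap notrust
server bigben.cac.washington.edu iburst
#keys /etc/ntp/keys
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_restricts(conf: str) -> List[Dict]:
    """Return one dict per 'restrict' line: target, optional mask, flag set."""
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line.startswith("restrict "):
            continue
        words = line.split()[1:]
        if words and words[0] in ("-4", "-6"):     # address-family prefix
            words.pop(0)
        target = words.pop(0)
        mask = None
        if words[:1] == ["mask"]:
            mask = words[1]
            words = words[2:]
        entries.append({"target": target, "mask": mask, "flags": set(words)})
    return entries


def audit(conf: str) -> List[str]:
    """Flag ranges that can mobilize associations or that refuse unauthenticated clients."""
    findings = []
    has_keys = any(re.match(r"\s*keys\s", l) for l in conf.splitlines())
    for e in parse_restricts(conf):
        where = e["target"] + (f"/{e['mask']}" if e["mask"] else "")
        flags = e["flags"]
        if e["target"] in LOOPBACK or "ignore" in flags:
            continue                                # localhost or fully ignored
        if "nopeer" not in flags:
            findings.append(f"{where}: missing nopeer; broadcast, manycast or "
                            "symmetric peers in this range could mobilize an association")
        if "notrust" in flags and not has_keys:
            findings.append(f"{where}: notrust requires authenticated packets, but no "
                            "'keys' line is configured, so unauthenticated clients get no time")
    return findings
```

Run audit(SAMPLE_CONF) to see both findings for the 192.168.1.0 range; a default line carrying nopeer produces none.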