[ntp:questions] notrust alternative?

user at domain.invalid
Wed Nov 1 16:02:08 UTC 2006


Dennis,

There is a fundamental misunderstanding of the notrust option, 
understandable because the documentation is buggy. The notrust option 
applies to clients attempting to retrieve time from your server. The 
options are to supply time whether or not authenticated or to require 
authentication. This is done primarily to discourage unwanted traffic 
and is intended for use by the national labs.

What you want is the nopeer option, which prevents broadcast, manycast 
and symmetric peers from mobilizing associations and potentially synchronizing 
your clock. By preventing mobilization, this prevents any attempt to 
synchronize your clock by any outside source. The misunderstanding is in 
both NTPv3 (xntpd) and NTPv4 (ntpd). The current documentation at 
ntp.org accurately describes these options.

Dave

Dennis Hilberg Jr wrote:
> I forgot to include my ntp.conf.  Here it is:
> 
> 
> # Default restriction.
> 
> restrict default kod nomodify notrap nopeer noquery
> 
> # Allow free access to localhost.
> 
> restrict 127.0.0.1
> 
> # Allow the local network access with the following modified restrictions.
> 
> restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
> 
> # Synchronization servers.  Include at least three, but no more than five.
> 
> server bigben.cac.washington.edu  iburst
> server montpelier.ilan.caltech.edu   iburst
> server tick.ucla.edu                        iburst
> server clock.xmission.com             iburst
> server clepsydra.dec.com              iburst
> 
> # Drift file location
> 
> driftfile /etc/ntp/drift
> 
> # Location of the log file
> 
> logfile /var/log/ntp/ntp.log
> 
> # NTP monitoring parameters
> 
> statsdir /var/log/ntp/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> 
> # Authentication parameters
> 
> #keys           /etc/ntp/keys
> #trustedkey     2 3 4
> #controlkey     3       # To access the ntpq utility
> #requestkey     2       # To access the ntpdc utility
> 
> 
> "Dennis Hilberg Jr" <dhilberg at comcast.net> wrote in message 
> news:UZOdnQLLdJhzJdrYnZ2dnUVZ_sqdnZ2d at comcast.com...
> | On one instance I noticed that in the output of 'ntpq -p' one of my server's
> | clients was flagged with the '+'.  notrust under version 4.2 and later now
> | means "Ignore all NTP packets that are not cryptographically authenticated"
> | instead of the 4.1 and earlier versions where it meant "Don't trust this
> | host/subnet for time."  How do I specify with version 4.2 and later that I
> | only want the five server entries in the ntp.conf to be trusted for
> | synchronization?  Or is this automatic, and that particular 'ntpq -p' output
> | a fluke?
> |
> | Thanks!
> |
> | 
> 
> 
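As an added example (not part of this thread, and not ntpd's own code): a small Python checker for the restrict lines of an ntp.conf, which reports, for a given source address, which flags ntpd would apply and therefore whether an unsolicited broadcast/manycast/symmetric packet from that address could mobilize an association (blocked by nopeer) and whether time service to it requires authentication (notrust, in its 4.2+ meaning). The sample config is constructed after the one quoted above, with a placeholder server name; the "most specific matching restrict entry wins" rule is stated here as an assumption about how ntpd evaluates its restrict list.

```python
import ipaddress

# Constructed sample, modelled on the restrict lines quoted in the thread
# (not the poster's file verbatim; the server name is a placeholder).
SAMPLE_CONF = """
# Default restriction.
restrict default kod nomodify notrap nopeer noquery
# Allow free access to localhost.
restrict 127.0.0.1
restrict -6 ::1
# Local network: still no unsolicited peering.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
server ntp.example.invalid iburst
"""


def parse_restrict(conf_text):
    """Return [(network, flags)] for every 'restrict' line in conf_text."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        parts = line.split()
        if not parts or parts[0] != "restrict":
            continue
        args = parts[1:]
        fam = None
        if args and args[0] in ("-4", "-6"):           # address-family selector
            fam, args = args[0], args[1:]
        target, flags = args[0], args[1:]
        if target == "default":                        # catch-all for each family
            if fam != "-6":
                entries.append((ipaddress.ip_network("0.0.0.0/0"), frozenset(flags)))
            if fam != "-4":
                entries.append((ipaddress.ip_network("::/0"), frozenset(flags)))
            continue
        if flags[:1] == ["mask"]:                      # 'restrict A.B.C.D mask M.M.M.M ...'
            net = ipaddress.ip_network(f"{target}/{flags[1]}", strict=False)
            flags = flags[2:]
        else:
            net = ipaddress.ip_network(target)         # single host -> /32 or /128
        entries.append((net, frozenset(flags)))
    return entries


def effective_flags(entries, addr):
    """Flags applied to packets from addr. Assumption: the most specific
    (longest-prefix) matching restrict entry is the one that applies."""
    ip = ipaddress.ip_address(addr)
    matches = [e for e in entries if ip.version == e[0].version and ip in e[0]]
    if not matches:
        return frozenset()
    return max(matches, key=lambda e: e[0].prefixlen)[1]


def can_mobilize_association(entries, addr):
    """Could an unsolicited broadcast/manycast/symmetric packet from addr
    create an association that might steer our clock?  nopeer (or ignore)
    blocks that; replies to servers we configured ourselves are unaffected."""
    flags = effective_flags(entries, addr)
    return "nopeer" not in flags and "ignore" not in flags


def requires_authentication(entries, addr):
    """notrust in 4.2 and later: serve time to addr only when the packet is
    cryptographically authenticated."""
    return "notrust" in effective_flags(entries, addr)


def audit(entries, addrs):
    """One row per address, for a quick sanity check of a config."""
    return [(a, sorted(effective_flags(entries, a)),
             can_mobilize_association(entries, a),
             requires_authentication(entries, a)) for a in addrs]


if __name__ == "__main__":
    ents = parse_restrict(SAMPLE_CONF)
    for addr, flags, peer_ok, auth in audit(
            ents, ["127.0.0.1", "::1", "192.168.1.20", "203.0.113.9"]):
        print(f"{addr:15} flags={flags} unsolicited-peer={peer_ok} auth-required={auth}")
```

Run against the sample, the audit shows that only localhost is free of nopeer, that the LAN and the rest of the world cannot mobilize an association, and that no entry carries notrust, so no client is being refused for lack of authentication. Dropping nopeer from the default line, or adding notrust to it, changes the corresponding column, which is the quickest way to see the difference between the two options.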