[ntp:questions] notrust alternative?

Dennis Hilberg Jr dhilberg at comcast.net
Fri Nov 3 06:27:01 UTC 2006

Maybe I'm misunderstanding the output of 'ntpq -p'.  When I use this command, a large list is printed to the screen (sometimes 60 or 
more entries in length), of which, the first five of the entries are the servers I have listed in my ntp.conf and the rest I'm 
assuming are clients, or systems using my server's clock as a synchronization source.  Am I correct on that?  Most of the time those 
five servers are the ones that have +, -, or * next to them.  Of those five, there's always a * and usually two +.  On occasion 
though, some of the systems in the 'ntpq -p' output OTHER than my five servers have a + next to them.  Is this normal, based on my 
ntp.conf?  My concern is that my server might be using systems other than the five I have listed in my ntp.conf as a synchronization 
source.  Perhaps I should have worded my initial post this way, as some replies indicate that I might have failed to explain my 
situation properly.

Here is my ntp.conf again:

# Default restriction.

restrict default kod nomodify notrap nopeer noquery

# Allow free access to localhost.


# Allow the local network access with the following modified restrictions.

restrict mask nomodify notrap nopeer

# Synchronization servers.  Include at least three, but no more than five.

server bigben.cac.washington.edu  iburst
server montpelier.ilan.caltech.edu   iburst
server tick.ucla.edu                        iburst
server clock.xmission.com             iburst
server clepsydra.dec.com              iburst

# Drift file location

driftfile /etc/ntp/drift

# Location of the log file

logfile /var/log/ntp/ntp.log

# NTP monitoring parameters

statsdir /var/log/ntp/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Authentication parameters

#keys           /etc/ntp/keys
#trustedkey     2 3 4
#controlkey     3       # To access the ntpq utility
#requestkey     2       # To access the ntpdc utility

Thanks for all the help.


"Ronan Flood" <ronan at noc.ulcc.ac.uk> wrote in message news:eia97n$kn8$1 at canard.ulcc.ac.uk...
| "Dennis Hilberg Jr" <dhilberg at comcast.net> wrote:
| > On one instance I noticed that in the output of 'ntpq -p' one of my server's
| > clients was flagged with the '+'.  notrust under version 4.2 and later now
| > means "Ignore all NTP packets that are not cryptographically authenticated"
| > instead of the 4.1 and earlier versions where it meant "Don't trust this
| > host/subnet for time."  How do I specify with version 4.2 and later that I
| > only want the five server entries in the ntp.conf to be trusted for
| > synchronization?  Or is this automatic, and that particular 'ntpq -p' output
| > a fluke?
| 'nopeer' should prevent a client establishing a symmetric-passive
| association on your server, so the ntp.conf you show in your later
| message should be working.  Post the output of 'ntpq -p' showing
| your client listed (with or without '+') and 'ntpq -classoc',
| and 'ntpq "-crv nnn"' where nnn is the number of the association
| (assID) for your client in the lassoc output.
| Hmm, "ntpdc -ncreslist" will show the active restrictions, so check
| that matches your ntp.conf.
| -- 
|                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
|                        working for but not speaking for
|             Network Services, University of London Computer Centre
|     (which means: don't bother ULCC if I've said something you don't like) 

More information about the questions mailing list