[ntp:questions] Linux client ntp

Steve Kostecke kostecke at ntp.isc.org
Sun Apr 15 23:07:11 UTC 2007


On 2007-04-15, Harlan Stenn <stenn at ntp.isc.org> wrote:
>Ricardo Castellani said:
>
>> IPv4: restrict x.y.z.w [nomodify notrap nopeer noquery]

<snip>

>> I don't understand because there also is "nomodify" option inside brackets.
>> If added "nomodify" option(as I told you in previous message) I think it
>> would not be permitted to ntpd to use time information (sent from specified
>> "x.y.z.w" server) to set local clock. If I want to receive time from
>> external servers I presume that ntpd can be modified from those servers.
>> Do you agree ?

No, 'nomodify' has nothing to do with time service.

According to the distribution documentation at
http://www.eecis.udel.edu/~mills/ntp/html/accopt.html:

nomodify -- "Deny ntpq and ntpdc queries which attempt to modify the
state of the server (i.e., run time reconfiguration). Queries which
return information are permitted."

According to the 'Access Control Options' section of
Support.AccessRestrictions (ironically not far below the section you
cited):

nomodify -- "Do not allow this host/subnet to modify the ntpd settings
even if they have the correct keys." By default ntpd requires
authentication with symmetric keys for modifications made with ntpdc.
So if you don't configure symmetric keys for your ntpd, or keep them
properly safeguarded, you don't need to use 'nomodify' unless you are
concerned that the NTP authentication scheme might be compromised."

> Yes.  Sometimes people want to use a server for *tracking* purposes only
> but they do not want to accept time from that server.

The correct configuration keyword for this purpose is 'noselect'.

> The 'nomodify' parameter is one of the optional bits.

The restrictions that are included in the brackets (as quoted above) are
the maximum restrictions that may be used without impeding time service.

> I'm wondering if it would be better to put some/each of those keywords
> in separate [] blocks.

No.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/




More information about the questions mailing list