[ntp:questions] Linux client ntp

castellani.riccardo at tiscali.it castellani.riccardo at tiscali.it
Mon Apr 16 07:23:22 UTC 2007


Steve, thanks for your full explanation.
So, if I have in my client ntp.conf: 

restrict default nomodify notrap nopeer noquery
server A
server B

Am I able to accept time from both server A and server B? Is that OK?


----Original message----
From: kostecke at ntp.isc.org
Date: 16/04/2007 1.07
To: <questions at lists.ntp.isc.org>
Subject: Re: [ntp:questions] Linux client ntp

On 2007-04-15, Harlan Stenn <stenn at ntp.isc.org> wrote:
>Ricardo Castellani said:
>
>> IPv4: restrict x.y.z.w [nomodify notrap nopeer noquery]

<snip>

>> I don't understand because there also is "nomodify" option inside brackets.
>> If added "nomodify" option (as I told you in previous message) I think it
>> would not be permitted to ntpd to use time information (sent from specified
>> "x.y.z.w" server) to set local clock. If I want to receive time from
>> external servers I presume that ntpd can be modified from those servers.
>> Do you agree?

No, 'nomodify' has nothing to do with time service.

According to the distribution documentation at
http://www.eecis.udel.edu/~mills/ntp/html/accopt.html:

nomodify -- "Deny ntpq and ntpdc queries which attempt to modify the
state of the server (i.e., run time reconfiguration). Queries which
return information are permitted."

According to the 'Access Control Options' section of
Support.AccessRestrictions (ironically not far below the section you
cited):

nomodify -- "Do not allow this host/subnet to modify the ntpd settings
even if they have the correct keys. By default ntpd requires
authentication with symmetric keys for modifications made with ntpdc.
So if you don't configure symmetric keys for your ntpd, or keep them
properly safeguarded, you don't need to use 'nomodify' unless you are
concerned that the NTP authentication scheme might be compromised."

> Yes.  Sometimes people want to use a server for *tracking* purposes only
> but they do not want to accept time from that server.

The correct configuration keyword for this purpose is 'noselect'.

> The 'nomodify' parameter is one of the optional bits.

The restrictions that are included in the brackets (as quoted above) are
the maximum restrictions that may be used without impeding time service.

> I'm wondering if it would be better to put some/each of those keywords
> in separate [] blocks.

No.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/

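The following is an added example, not part of the original thread or of the NTP distribution: a small audit of an ntp.conf that reports, per configured server, whether the matching restrict entry still lets ntpd take time from it and whether 'noselect' makes it tracking-only. It assumes literal IPv4 addresses (the 192.0.2.x values are constructed placeholders), and the names BLOCKING, parse and audit are hypothetical.

```python
import ipaddress

# Flags that make ntpd drop a source's time packets (assumption taken from the
# ntpd access-control documentation; these two are not named in the thread).
BLOCKING = {"ignore", "noserve"}

# Constructed sample ntp.conf; addresses are documentation-range placeholders.
SAMPLE_CONF = """\
restrict default nomodify notrap nopeer noquery
restrict 192.0.2.30 ignore
server 192.0.2.10
server 192.0.2.20 noselect
server 192.0.2.30
"""

def parse(conf):
    """Return (restrict_rules, servers) parsed from ntp.conf text."""
    rules, servers = [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "restrict":
            rest = tok[2:]
            if tok[1] == "default":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif rest[:1] == ["mask"] and len(rest) > 1:
                net = ipaddress.ip_network(f"{tok[1]}/{rest[1]}", strict=False)
                rest = rest[2:]
            else:
                net = ipaddress.ip_network(tok[1])
            rules.append((net, set(rest)))
        elif tok[0] == "server":
            servers.append((ipaddress.ip_address(tok[1]), set(tok[2:])))
    return rules, servers

def audit(conf):
    """Map each server to 'synchronise', 'tracking only' or 'blocked'."""
    rules, servers = parse(conf)
    result = {}
    for addr, opts in servers:
        # The most specific matching restrict entry supplies the flags.
        hits = [r for r in rules if addr in r[0]]
        flags = max(hits, key=lambda r: r[0].prefixlen)[1] if hits else set()
        if flags & BLOCKING:
            result[str(addr)] = "blocked"
        elif "noselect" in opts:
            result[str(addr)] = "tracking only"
        else:
            result[str(addr)] = "synchronise"
    return result
```
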