NTP_CONF(5) | File Formats Manual (file) | NTP_CONF(5) |
ntp.conf
—
ntp.conf |
[--option-name ]
[--option-name value]
All arguments must be options. |
ntp.conf
configuration file is read at initial
startup by the
ntpd(1ntpdmdoc) daemon in
order to specify the synchronization sources, modes and other related
information. Usually, it is installed in the /etc
directory, but could be installed elsewhere (see the daemon's
-c
command line option).
The file format is similar to other UNIX
configuration files. Comments begin with a
‘#
’ character and extend to the end of
the line; blank lines are ignored. Configuration commands consist of an
initial keyword followed by a list of arguments, some of which may be
optional, separated by whitespace. Commands may not be continued over
multiple lines. Arguments may be host names, host addresses written in
numeric, dotted-quad form, integers, floating point numbers (when specifying
times in seconds) and text strings.
The rest of this page describes the configuration and control options. The “Notes on Configuring NTP and Setting up an NTP Subnet” page (available as part of the HTML documentation provided in /usr/share/doc/ntp) contains an extended discussion of these options. In addition to the discussion of general Configuration Options, there are sections describing the following supported functionality and the options used to control it:
Following these is a section describing
Miscellaneous Options. While
there is a rich set of options available, the only required option is one or
more pool
, server
,
peer
, broadcast
or
manycastclient
commands.
If the Basic Socket Interface Extensions for IPv6 (RFC-2553) is
detected, support for the IPv6 address family is generated in addition to
the default support of the IPv4 address family. In a few cases, including
the reslist
billboard generated by
ntpq(1ntpqmdoc) or
ntpdc(1ntpdcmdoc),
IPv6 addresses are automatically generated. IPv6 addresses can be identified
by the presence of colons “:” in the address field. IPv6
addresses can be used almost everywhere where IPv4 addresses can be used,
with the exception of reference clock addresses, which are always IPv4.
Note that in contexts where a host name is expected, a
-4
qualifier preceding the host name forces DNS
resolution to the IPv4 namespace, while a -6
qualifier forces DNS resolution to the IPv6 namespace. See IPv6 references
for the equivalent classes for that address family.
pool
address [burst
]
[iburst
] [version
version] [prefer
]
[minpoll
minpoll]
[maxpoll
maxpoll]server
address [key
key | autokey
]
[burst
] [iburst
]
[version
version]
[prefer
] [minpoll
minpoll] [maxpoll
maxpoll] [true
]peer
address [key
key | autokey
]
[version
version]
[prefer
] [minpoll
minpoll] [maxpoll
maxpoll] [true
]
[xleave
]broadcast
address [key
key | autokey
]
[version
version]
[prefer
] [minpoll
minpoll] [ttl
ttl] [xleave
]manycastclient
address [key
key | autokey
]
[version
version]
[prefer
] [minpoll
minpoll] [maxpoll
maxpoll] [ttl
ttl]These five commands specify the time server name or address to be used and the mode in which to operate. The address can be either a DNS name or an IP address in dotted-quad notation. Additional information on association behavior can be found in the “Association Management” page (available as part of the HTML documentation provided in /usr/share/doc/ntp).
pool
server
peer
broadcast
broadcastclient
or
multicastclient
commands below.manycastclient
manycastserver
command for the designated manycast
servers. The NTP multicast address 224.0.1.1 assigned by the IANA should
NOT be used, unless specific means are taken to avoid spraying large areas
of the Internet with these messages and causing a possibly massive
implosion of replies at the sender. The
manycastserver
command specifies that the local
server is to operate in client mode with the remote servers that are
discovered as the result of broadcast/multicast messages. The client
broadcasts a request message to the group address associated with the
specified address and specifically enabled servers
respond to these messages. The client selects the servers providing the
best time and continues as with the server
command. The remaining servers are discarded as if never heard.Options:
autokey
burst
calldelay
command to allow additional time for a
modem or ISDN call to complete. This is designed to improve timekeeping
quality with the server
command and s
addresses.iburst
calldelay
command to allow additional time for a
modem or ISDN call to complete. This is designed to speed the initial
synchronization acquisition with the server
command and s addresses and when
ntpd(1ntpdmdoc) is
started with the -q
option.key
keyminpoll
minpollmaxpoll
maxpollmaxpoll
option to an upper limit of 17 (36.4 h). The minimum poll interval
defaults to 6 (64 s), but can be decreased by the
minpoll
option to a lower limit of 4 (16 s).noselect
preempt
true
prefer
true
ttl
ttlversion
versionxleave
peer
and
broadcast
modes only, this flag enables interleave
mode.broadcastclient
manycastserver
address ...multicastclient
address ...mdnstries
numbermdnstries
times. After all,
ntpd
may be starting before mDNS. The default
value for mdnstries
is 5.NTPv4 retains the NTPv3 scheme, properly described as symmetric key cryptography and, in addition, provides a new Autokey scheme based on public key cryptography. Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on a private value which is generated by each server and never revealed. With Autokey all key distribution and management functions involve only public values, which considerably simplifies key distribution and storage. Public key management is based on X.509 certificates, which can be provided by commercial services or produced by utility programs in the OpenSSL software library or the NTPv4 distribution.
While the algorithms for symmetric key cryptography are included in the NTPv4 distribution, public key cryptography requires the OpenSSL software library to be installed before building the NTP distribution. Directions for doing that are on the Building and Installing the Distribution page.
Authentication is configured separately for each association using
the key
or autokey
subcommand on the peer
,
server
, broadcast
and
manycastclient
configuration commands as described
in Configuration Options
page. The authentication options described below specify the locations of
the key files, if other than default, which symmetric keys are trusted and
the interval between various operations, if other than default.
Authentication is always enabled, although ineffective if not configured as described below. If a NTP packet arrives including a message authentication code (MAC), it is accepted only if it passes all cryptographic checks. The checks require correct key ID, key value and message digest. If the packet has been modified in any way or replayed by an intruder, it will fail one or more of these checks and be discarded. Furthermore, the Autokey scheme requires a preliminary protocol exchange to obtain the server certificate, verify its credentials and initialize the protocol
The auth
flag controls whether new
associations or remote configuration commands require cryptographic
authentication. This flag can be set or reset by the
enable
and disable
commands
and also by remote configuration commands sent by a
ntpdc(1ntpdcmdoc)
program running on another machine. If this flag is enabled, which is the
default case, new broadcast client and symmetric passive associations and
remote configuration commands must be cryptographically authenticated using
either symmetric key or public key cryptography. If this flag is disabled,
these operations are effective even if not cryptographic authenticated. It
should be understood that operating with the auth
flag disabled invites a significant vulnerability where a rogue hacker can
masquerade as a falseticker and seriously disrupt system timekeeping. It is
important to note that this flag has no purpose other than to allow or
disallow a new association in response to new broadcast and symmetric active
messages and remote configuration commands and, in particular, the flag has
no effect on the authentication process itself.
An attractive alternative where multicast support is available is manycast mode, in which clients periodically troll for servers as described in the Automatic NTP Configuration Options page. Either symmetric key or public key cryptographic authentication can be used in this mode. The principle advantage of manycast mode is that potential servers need not be configured in advance, since the client finds them during regular operation, and the configuration files for all clients can be identical.
The security model and protocol schemes for both symmetric key and
public key cryptography are summarized below; further details are in the
briefings, papers and reports at the NTP project page linked from
http://www.ntp.org/
.
When
ntpd(1ntpdmdoc) is first
started, it reads the key file specified in the keys
configuration command and installs the keys in the key cache. However,
individual keys must be activated with the trusted
command before use. This allows, for instance, the installation of possibly
several batches of keys and then activating or deactivating each batch
remotely using
ntpdc(1ntpdcmdoc).
This also provides a revocation capability that can be used if a key becomes
compromised. The requestkey
command selects the key
used as the password for the
ntpdc(1ntpdcmdoc)
utility, while the controlkey
command selects the
key used as the password for the
ntpq(1ntpqmdoc)
utility.
The Autokey protocol has several modes of operation corresponding to the various NTP modes supported. Most modes use a special cookie which can be computed independently by the client and server, but encrypted in transmission. All modes use in addition a variant of the S-KEY scheme, in which a pseudo-random key list is generated and used in reverse order. These schemes are described along with an executive summary, current status, briefing slides and reading list on the Autonomous Authentication page.
The specific cryptographic environment used by Autokey servers and
clients is determined by a set of files and soft links generated by the
ntp-keygen(1ntpkeygenmdoc)
program. This includes a required host key file, required certificate file
and optional sign key file, leapsecond file and identity scheme files. The
digest/signature scheme is specified in the X.509 certificate along with the
matching sign key. There are several schemes available in the OpenSSL
software library, each identified by a specific string such as
md5WithRSAEncryption
, which stands for the MD5
message digest with RSA encryption scheme. The current NTP distribution
supports all the schemes in the OpenSSL library, including those based on
RSA and DSA digital signatures.
NTP secure groups can be used to define cryptographic compartments and security hierarchies. It is important that every host in the group be able to construct a certificate trail to one or more trusted hosts in the same group. Each group host runs the Autokey protocol to obtain the certificates for all hosts along the trail to one or more trusted hosts. This requires the configuration file in all hosts to be engineered so that, even under anticipated failure conditions, the NTP subnet will form such that every group host can find a trail to at least one trusted host.
By convention, the name of an Autokey host is the name returned by the Unix gethostname(2) system call or equivalent in other systems. By the system design model, there are no provisions to allow alternate names or aliases. However, this is not to say that DNS aliases, different names for each interface, etc., are constrained in any way.
It is also important to note that Autokey verifies authenticity using the host name, network address and public keys, all of which are bound together by the protocol specifically to deflect masquerade attacks. For this reason Autokey includes the source and destination IP addresses in message digest computations and so the same addresses must be available at both the server and client. For this reason operation with network address translation schemes is not possible. This reflects the intended robust security model where government and corporate NTP servers are operated outside firewall perimeters.
The cryptotype of an association is determined at the time of
mobilization, either at configuration time or some time later when a message
of appropriate cryptotype arrives. When mobilized by a
server
or peer
configuration
command and no key
or
autokey
subcommands are present, the association is
not authenticated; if the key
subcommand is present,
the association is authenticated using the symmetric key ID specified; if
the autokey
subcommand is present, the association
is authenticated using Autokey.
When multiple identity schemes are supported in the Autokey protocol, the first message exchange determines which one is used. The client request message contains bits corresponding to which schemes it has available. The server response message contains bits corresponding to which schemes it has available. Both server and client match the received bits with their own and select a common scheme.
Following the principle that time is a public value, a server responds to any client packet that matches its cryptotype capabilities. Thus, a server receiving an unauthenticated packet will respond with an unauthenticated packet, while the same server receiving a packet of a cryptotype it supports will respond with packets of that cryptotype. However, unconfigured broadcast or manycast client associations or symmetric passive associations will not be mobilized unless the server supports a cryptotype compatible with the first packet received. By default, unauthenticated associations will not be mobilized unless overridden in a decidedly dangerous way.
Some examples may help to reduce confusion. Client Alice has no specific cryptotype selected. Server Bob has both a symmetric key file and minimal Autokey files. Alice's unauthenticated messages arrive at Bob, who replies with unauthenticated messages. Cathy has a copy of Bob's symmetric key file and has selected key ID 4 in messages to Bob. Bob verifies the message with his key ID 4. If it's the same key and the message is verified, Bob sends Cathy a reply authenticated with that key. If verification fails, Bob sends Cathy a thing called a crypto-NAK, which tells her something broke. She can see the evidence using the ntpq(1ntpqmdoc) program.
Denise has rolled her own host key and certificate. She also uses one of the identity schemes as Bob. She sends the first Autokey message to Bob and they both dance the protocol authentication and identity steps. If all comes out okay, Denise and Bob continue as described above.
It should be clear from the above that Bob can support all the girls at the same time, as long as he has compatible authentication and identity credentials. Now, Bob can act just like the girls in his own choice of servers; he can run multiple configured associations with multiple different servers (or the same server, although that might not be useful). But, wise security policy might preclude some cryptotype combinations; for instance, running an identity scheme with one server and no authentication with another might not be wise.
Certificates imported from OpenSSL or public certificate
authorities have certian limitations. The certificate should be in ASN.1
syntax, X.509 Version 3 format and encoded in PEM, which is the same format
used by OpenSSL. The overall length of the certificate encoded in ASN.1 must
not exceed 1024 bytes. The subject distinguished name field (CN) is the
fully qualified name of the host on which it is used; the remaining subject
fields are ignored. The certificate extension fields must not contain either
a subject key identifier or a issuer key identifier field; however, an
extended key usage field for a trusted host must contain the value
trustRoot
;. Other extension fields are ignored.
autokey
[logsec]controlkey
keycrypto
[cert
file]
[leap
file]
[randfile
file]
[host
file]
[sign
file]
[gq
file]
[gqpar
file]
[iffpar
file]
[mvpar
file]
[pw
password]keysdir
command or default
/usr/local/etc. Following are the subcommands:
cert
filegqpar
filehost
fileiffpar
fileleap
filemvpar
filepw
passwordrandfile
filesign
filekeys
keyfile-k
command line option.keysdir
pathrequestkey
keyrevoke
logsectrustedkey
key ...statistics
command below for a listing and example of
each type of statistics currently supported. Statistic files are managed using
file generation sets and scripts in the ./scripts
directory of the source code distribution. Using these facilities and
UNIX
cron(8) jobs, the data can be
automatically summarized and archived for retrospective analysis.
statistics
name ...clockstats
clockstats
:
49213 525.624 127.127.4.1 93 226 00:08:29.606 D
The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next field shows the clock address in dotted-quad notation. The final field shows the last timecode received from the clock in decoded ASCII format, where meaningful. In some clock drivers a good deal of additional information can be gathered and displayed as well. See information specific to each clock for further details.
cryptostats
cryptostats
:
49213 525.624 127.127.4.1 message
The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next field shows the peer address in dotted-quad notation, The final message field includes the message type and certain ancillary information. See the Authentication Options section for further information.
loopstats
loopstats
:
50935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next five fields show time offset (seconds), frequency offset (parts per million - PPM), RMS jitter (seconds), Allan deviation (PPM) and clock discipline time constant.
peerstats
peerstats
:
48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674
The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next two fields show the peer address in dotted-quad notation and status, respectively. The status field is encoded in hex in the format described in Appendix A of the NTP specification RFC 1305. The final four fields show the offset, delay, dispersion and RMS jitter, all in seconds.
rawstats
rawstats
:
50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000
The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next two fields show the remote peer or clock address followed by the local address in dotted-quad notation. The final four fields show the originate, receive, transmit and final NTP timestamps in order. The timestamp values are as received and before processing by the various data smoothing and mitigation algorithms.
sysstats
sysstats
:
50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The remaining ten fields show the statistics counter values accumulated since the last generated line.
36000
81965
0
9546
56
71793
512
540
10
147
statsdir
directory_pathfilegen
filename prefix to be modified for
file generation sets, which is useful for handling statistics
logs.filegen
name [file
filename] [type
typename] [link
|
nolink
] [enable
|
disable
]Note that this command can be sent from the ntpdc(1ntpdcmdoc) program running at a remote location.
name
statistics
command.file
filenameprefix
,
file ... filename
and file ... suffix
:
prefix
filename
/
’). This can be
modified using the file argument to the
filegen statement. No
.. elements are allowed in this
component to prevent filenames referring to parts outside the
filesystem hierarchy denoted by
prefix.suffix
type
typenamenone
pid
.
’ to
concatenated prefix and
filename strings, and appending the
decimal representation of the process ID of the
ntpd(1ntpdmdoc)
server process.day
.
’ and a day
specification in the form YYYYMMdd
.
YYYY
is a 4-digit year number (e.g.,
1992). MM
is a two digit month number.
dd
is a two digit day number. Thus,
all information written at 10 December 1992 would end up in a
file named prefix
filename.19921210.week
W
, and a 2-digit week number. For
example, information from January, 10th 1992 would end up in a
file with suffix .1992W1.month
year
age
a
, and an 8-digit number. This number
is taken to be the number of seconds the server is running at
the start of the corresponding 24-hour period. Information is
only written to a file generation by specifying
enable
; output is prevented by
specifying disable
.link
|
nolink
link
and disabled using
nolink
. If link is specified, a hard link
from the current file set element to a file without suffix is
created. When there is already a file with this name and the
number of links of this file is one, it is renamed appending a
dot, the letter C
, and the pid of the
ntpd(1ntpdmdoc)
server process. When the number of links is greater than one, the
file is unlinked. This allows the current file to be accessed by a
constant name.enable
|
disable
The restriction facility was implemented in conformance with the access policies for the original NSFnet backbone time servers. Later the facility was expanded to deflect cryptographic and clogging attacks. While this facility may be useful for keeping unwanted or broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.
Clients can be denied service because they are explicitly included
in the restrict list created by the restrict
command
or implicitly as the result of cryptographic or rate limit violations.
Cryptographic violations include certificate or identity verification
failure; rate limit violations generally result from defective NTP
implementations that send packets at abusive rates. Some violations cause
denied service only for the offending packet, others cause denied service
for a timed period and others cause the denied service for an indefinite
period. When a client or network is denied access for an indefinite period,
the only way at present to remove the restrictions is by restarting the
server.
noserve
or notrust
flag
of the matching restrict list entry is set, the code is "DENY"; if
the limited
flag is set and the rate limit is
exceeded, the code is "RATE". Finally, if a cryptographic violation
occurs, the code is "CRYP".
A client receiving a KoD performs a set of sanity checks to minimize security exposure, then updates the stratum and reference identifier peer variables, sets the access denied (TEST4) bit in the peer flash variable and sends a message to the log. As long as the TEST4 bit is set, the client will send no further packets to the server. The only way at present to recover from this condition is to restart the protocol at both the client and server. This happens automatically at the client when the association times out. It will happen at the server only if the server operator cooperates.
discard
[average
avg]
[minimum
min]
[monitor
prob]limited
facility which
protects the server from client abuse. The average
subcommand specifies the minimum average packet spacing, while the
minimum
subcommand specifies the minimum packet
spacing. Packets that violate these minima are discarded and a
kiss-o'-death packet returned if enabled. The default minimum average and
minimum are 5 and 2, respectively. The monitor
subcommand specifies the probability of discard for packets that overflow
the rate-control window.restrict
address
[mask
mask]
[ippeerlimit
int]
[flag ...]255.255.255.255
, meaning that the
address is treated as the address of an individual
host. A default entry (address 0.0.0.0
, mask
0.0.0.0
) is always included and is always the
first entry in the list. Note that text string
default
, with no mask option, may be used to
indicate the default entry. The ippeerlimit
directive limits the number of peer requests for each IP to
int, where a value of -1 means
"unlimited", the current default. A value of 0 means
"none". There would usually be at most 1 peering request per IP,
but if the remote peering requests are behind a proxy there could well be
more than 1 per IP. In the current implementation,
flag
always restricts access, i.e., an entry with
no flags indicates that free access to the server is to be given. The
flags are not orthogonal, in that more restrictive flags will often make
less restrictive ones redundant. The flags can generally be classed into
two categories, those which restrict time service and those which restrict
informational queries and attempts to do run-time reconfiguration of the
server. One or more of the following flags may be specified:
ignore
kod
limited
discard
command. A history of clients
is kept using the monitoring capability of
ntpd(1ntpdmdoc).
Thus, monitoring is always active as long as there is a restriction
entry with the limited
flag.lowpriotrap
noepeer
noepeer
to become the
default in ntp-4.4.nomodify
noquery
nopeer
pool
associations, so if you want to use
servers from a pool
directive and also want to
use nopeer
by default, you'll want a
restrict source ...
line as well that does
not include the nopeer
directive.noserve
notrap
notrust
ntpport
ntpport
and
non-ntpport
may be specified. The
ntpport
is considered more specific and is
sorted later in the list.version
Default restriction list entries with the flags ignore, interface, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).
Note that the manycasting paradigm does not coincide with the anycast paradigm described in RFC-1546, which is designed to find a single server from a clique of servers providing the same service. The manycast paradigm is designed to find a plurality of redundant servers satisfying defined optimality criteria.
Manycasting can be used with either symmetric key or public key
cryptography. The public key infrastructure (PKI) offers the best protection
against compromised keys and is generally considered stronger, at least with
relatively large key sizes. It is implemented using the Autokey protocol and
the OpenSSL cryptographic library available from
http://www.openssl.org/
. The library can also be
used with other NTPv4 modes as well and is highly recommended, especially
for broadcast modes.
A persistent manycast client association is configured using the
manycastclient
command, which is similar to the
server
command but with a multicast (IPv4 class
D
or IPv6 prefix FF
) group
address. The IANA has designated IPv4 address 224.1.1.1 and IPv6 address
FF05::101 (site local) for NTP. When more servers are needed, it broadcasts
manycast client messages to this address at the minimum feasible rate and
minimum feasible time-to-live (TTL) hops, depending on how many servers have
already been found. There can be as many manycast client associations as
different group address, each one serving as a template for a future
ephemeral unicast client/server association.
Manycast servers configured with the
manycastserver
command listen on the specified group
address for manycast client messages. Note the distinction between manycast
client, which actively broadcasts messages, and manycast server, which
passively responds to them. If a manycast server is in scope of the current
TTL and is itself synchronized to a valid source and operating at a stratum
level equal to or lower than the manycast client, it replies to the manycast
client message with an ordinary unicast server message.
The manycast client receiving this message mobilizes an ephemeral client/server association according to the matching manycast client template, but only if cryptographically authenticated and the server stratum is less than or equal to the client stratum. Authentication is explicitly required and either symmetric key or public key (Autokey) can be used. Then, the client polls the server at its unicast address in burst mode in order to reliably set the host clock and validate the source. This normally results in a volley of eight client/server at 2-s intervals during which both the synchronization and cryptographic protocols run concurrently. Following the volley, the client runs the NTP intersection and clustering algorithms, which act to discard all but the "best" associations according to stratum and synchronization distance. The surviving associations then continue in ordinary client/server mode.
The manycast client polling strategy is designed to reduce as much
as possible the volume of manycast client messages and the effects of
implosion due to near-simultaneous arrival of manycast server messages. The
strategy is determined by the manycastclient
,
tos
and ttl
configuration
commands. The manycast poll interval is normally eight times the system poll
interval, which starts out at the minpoll
value
specified in the manycastclient
, command and, under
normal circumstances, increments to the maxpolll
value specified in this command. Initially, the TTL is set at the minimum
hops specified by the ttl
command. At each
retransmission the TTL is increased until reaching the maximum hops
specified by this command or a sufficient number client associations have
been found. Further retransmissions use the same TTL.
The quality and reliability of the suite of associations
discovered by the manycast client is determined by the NTP mitigation
algorithms and the minclock
and
minsane
values specified in the
tos
configuration command. At least
minsane
candidate servers must be available and the
mitigation algorithms produce at least minclock
survivors in order to synchronize the clock. Byzantine agreement principles
require at least four candidates in order to correctly discard a single
falseticker. For legacy purposes, minsane
defaults
to 1 and minclock
defaults to 3. For manycast
service minsane
should be explicitly set to 4,
assuming at least that number of servers are available.
If at least minclock
servers are found,
the manycast poll interval is immediately set to eight times
maxpoll
. If less than
minclock
servers are found when the TTL has reached
the maximum hops, the manycast poll interval is doubled. For each
transmission after that, the poll interval is doubled again until reaching
the maximum of eight times maxpoll
. Further
transmissions use the same poll interval and TTL values. Note that while all
this is going on, each client/server association found is operating normally
it the system poll interval.
Administratively scoped multicast boundaries are normally
specified by the network router configuration and, in the case of IPv6, the
link/site scope prefix. By default, the increment for TTL hops is 32
starting from 31; however, the ttl
configuration
command can be used to modify the values to match the scope rules.
It is often useful to narrow the range of acceptable servers which
can be found by manycast client associations. Because manycast servers
respond only when the client stratum is equal to or greater than the server
stratum, primary (stratum 1) servers fill find only primary servers in TTL
range, which is probably the most common objective. However, unless
configured otherwise, all manycast clients in TTL range will eventually find
all primary servers in TTL range, which is probably not the most common
objective in large networks. The tos
command can be
used to modify this behavior. Servers with stratum below
floor
or above ceiling
specified in the tos
command are strongly
discouraged during the selection process; however, these servers may be
temporally accepted if the number of servers within TTL range is less than
minclock
.
The above actions occur for each manycast client message, which
repeats at the designated poll interval. However, once the ephemeral client
association is mobilized, subsequent manycast server replies are discarded,
since that would result in a duplicate association. If during a poll
interval the number of client associations falls below
minclock
, all manycast client prototype associations
are reset to the initial poll interval and TTL hops and operation resumes
from the beginning. It is important to avoid frequent manycast client
messages, since each one requires all manycast servers in TTL range to
respond. The result could well be an implosion, either minor or major,
depending on the number of servers in range. The recommended value for
maxpoll
is 12 (4,096 s).
It is possible and frequently useful to configure a host as both
manycast client and manycast server. A number of hosts configured this way
and sharing a common group address will automatically organize themselves in
an optimum configuration based on stratum and synchronization distance. For
example, consider an NTP subnet of two primary servers and a hundred or more
dependent clients. With two exceptions, all servers and clients have
identical configuration files including both
multicastclient
and
multicastserver
commands using, for instance,
multicast group address 239.1.1.1. The only exception is that each primary
server configuration file must include commands for the primary reference
source such as a GPS receiver.
The remaining configuration files for all secondary servers and
clients have the same contents, except for the tos
command, which is specific for each stratum level. For stratum 1 and stratum
2 servers, that command is not necessary. For stratum 3 and above servers
the floor
value is set to the intended stratum
number. Thus, all stratum 3 configuration files are identical, all stratum 4
files are identical and so forth.
Once operations have stabilized in this scenario, the primary servers will find the primary reference source and each other, since they both operate at the same stratum (1), but not with any secondary server or client, since these operate at a higher stratum. The secondary servers will find the servers at the same stratum level. If one of the primary servers loses its GPS receiver, it will continue to operate as a client and other clients will time out the corresponding association and re-associate accordingly.
Some administrators prefer to avoid running
ntpd(1ntpdmdoc)
continuously and run either
sntp(1sntpmdoc) or
ntpd(1ntpdmdoc)
-q
as a cron job. In either case the servers must be
configured in advance and the program fails if none are available when the
cron job runs. A really slick application of manycast is with
ntpd(1ntpdmdoc)
-q
. The program wakes up, scans the local landscape
looking for the usual suspects, selects the best from among the rascals,
sets the clock and then departs. Servers do not have to be configured in
advance and all clients throughout the network can have the same
configuration file.
About once an hour or less often if the poll interval exceeds this, the client regenerates the Autokey key list. This is in general transparent in client/server mode. However, about once per day the server private value used to generate cookies is refreshed along with all manycast client associations. In this case all cryptographic values including certificates is refreshed. If a new certificate has been generated since the last refresh epoch, it will automatically revoke all prior certificates that happen to be in the certificate cache. At the same time, the manycast scheme starts all over from the beginning and the expanding ring shrinks to the minimum and increments from there while collecting all servers in scope.
tos
[bcpollbstep
gate]tos
[ceiling
ceiling |
cohort { 0
| 1 }
|
floor
floor |
minclock
minclock |
minsane
minsane]ceiling
ceilingceiling
will be
discarded if there are at least minclock
peers
remaining. This value defaults to 15, but can be changed to any number
from 1 to 15.cohort
{0 | 1}floor
floorfloor
will be
discarded if there are at least minclock
peers
remaining. This value defaults to 1, but can be changed to any number
from 1 to 15.minclock
minclockminclock
associations
remain. This value defaults to 3, but can be changed to any number
from 1 to the number of configured sources.minsane
minsaneminsane
should be at least 4 in
order to detect and discard a single falseticker.ttl
hop ...A reference clock will generally (though not always) be a radio timecode receiver which is synchronized to a source of standard time such as the services offered by the NRC in Canada and NIST and USNO in the US. The interface between the computer and the timecode receiver is device dependent, but is usually a serial port. A device driver specific to each reference clock must be selected and compiled in the distribution; however, most common radio, satellite and modem clocks are included by default. Note that an attempt to configure a reference clock when the driver has not been compiled or the hardware port has not been appropriately configured results in a scalding remark to the system log file, but is otherwise non hazardous.
For the purposes of configuration,
ntpd(1ntpdmdoc) treats
reference clocks in a manner analogous to normal NTP peers as much as
possible. Reference clocks are identified by a syntactically correct but
invalid IP address, in order to distinguish them from normal NTP peers.
Reference clock addresses are of the form
127.127.
t.u,
where t is an integer denoting the clock type and
u indicates the unit number in the range 0-3. While it
may seem overkill, it is in fact sometimes useful to configure multiple
reference clocks of the same type, in which case the unit numbers must be
unique.
The server
command is used to configure a
reference clock, where the address argument in that
command is the clock address. The key
,
version
and ttl
options are
not used for reference clock support. The mode
option is added for reference clock support, as described below. The
prefer
option can be useful to persuade the server
to cherish a reference clock with somewhat more enthusiasm than other
reference clocks or peers. Further information on this option can be found
in the “Mitigation Rules and the prefer Keyword” (available as
part of the HTML documentation provided in
/usr/share/doc/ntp) page. The
minpoll
and maxpoll
options
have meaning only for selected clock drivers. See the individual clock
driver document pages for additional information.
The fudge
command is used to provide
additional information for individual clock drivers and normally follows
immediately after the server
command. The
address argument specifies the clock address. The
refid
and stratum
options
can be used to override the defaults for the device. There are two optional
device-dependent time offsets and four flags that can be included in the
fudge
command as well.
The stratum number of a reference clock is by default zero. Since
the ntpd(1ntpdmdoc)
daemon adds one to the stratum of each peer, a primary server ordinarily
displays an external stratum of one. In order to provide engineered backups,
it is often useful to specify the reference clock stratum as greater than
zero. The stratum
option is used for this purpose.
Also, in cases involving both a reference clock and a pulse-per-second (PPS)
discipline signal, it is useful to specify the reference clock identifier as
other than the default, depending on the driver. The
refid
option is used for this purpose. Except where
noted, these options apply to all clock drivers.
server
127.127.
t.u
[prefer
] [mode
int] [minpoll
int] [maxpoll
int]prefer
mode
intminpoll
intmaxpoll
intminpoll
and
maxpoll
default to 6 (64 s). For modem
reference clocks, minpoll
defaults to 10 (17.1
m) and maxpoll
defaults to 14 (4.5 h). The
allowable range is 4 (16 s) to 17 (36.4 h) inclusive.fudge
127.127.
t.u
[time1
sec]
[time2
sec]
[stratum
int]
[refid
string]
[mode
int]
[flag1
0 |
1
] [flag2
0
|
1
] [flag3
0 |
1
]
[flag4
0 |
1
]server
command which
configures the driver. Note that the same capability is possible at run
time using the
ntpdc(1ntpdcmdoc)
program. The options are interpreted as follows:
time1
secenable
command described in
Miscellaneous Options
page and operates as described in the “Reference Clock
Drivers” page (available as part of the HTML documentation
provided in /usr/share/doc/ntp).time2
secsstratum
intrefid
stringmode
intflag1
0 |
1
flag2
0 |
1
flag3
0 |
1
flag4
0 |
1
flag4
is used to enable recording monitoring
data to the clockstats
file configured with
the filegen
command. Further information on
the filegen
command can be found in
Monitoring Options.broadcastdelay
secondscalldelay
delaydriftfile
driftfile-f
command line option. If the
file exists, it is read at startup in order to set the initial frequency
and then updated once per hour with the current frequency computed by the
daemon. If the file name is specified, but the file itself does not exist,
the starts with an initial frequency of zero and creates the file when
writing it for the first time. If this command is not given, the daemon
will always start with an initial frequency of zero.
The file format consists of a single line containing a single floating point number, which records the frequency offset measured in parts-per-million (PPM). The file is updated by first writing the current drift value into a temporary file and then renaming this file to replace the old version. This implies that ntpd(1ntpdmdoc) must have write permission for the directory the drift file is located in, and that file system links, symbolic or otherwise, should be avoided.
dscp
valueenable
[auth
| bclient
|
calibrate
| kernel
|
mode7
| monitor
|
ntp
| stats
|
peer_clear_digest_early
|
unpeer_crypto_early
|
unpeer_crypto_nak_early
|
unpeer_digest_early
]disable
[auth
| bclient
|
calibrate
| kernel
|
mode7
| monitor
|
ntp
| stats
|
peer_clear_digest_early
|
unpeer_crypto_early
|
unpeer_crypto_nak_early
|
unpeer_digest_early
]auth
enable
.bclient
multicastclient
command with default address. The default for this flag is
disable
.calibrate
disable
.kernel
enable
if support is available,
otherwise disable
.mode7
monitor
monlist
command or further
information. The default for this flag is
enable
.ntp
enable
.peer_clear_digest_early
peerstats
file for evidence of any of these
attacks. The default for this flag is
enable
.stats
disable
.unpeer_crypto_early
peerstats
file for evidence of any of these
attacks. The default for this flag is
enable
.unpeer_crypto_nak_early
peerstats
file for evidence of any of these
attacks. The default for this flag is
enable
.unpeer_digest_early
peerstats
file for evidence of any of these
attacks. The default for this flag is
enable
.includefile
includefileinterface
[listen
| ignore
|
drop
] [all
|
ipv4
| ipv6
|
wildcard
name |
address [/
prefixlen]]interface
directive controls which network
addresses
ntpd(1ntpdmdoc) opens,
and whether input is dropped without processing. The first parameter
determines the action for addresses which match the second parameter. The
second parameter specifies a class of addresses, or a specific interface
name, or an address. In the address case, prefixlen
determines how many bits must match for this rule to apply.
ignore
prevents opening matching addresses,
drop
causes
ntpd(1ntpdmdoc) to
open the address and drop all received packets without examination.
Multiple interface
directives can be used. The
last rule which matches a particular address determines the action for it.
interface
directives are disabled if any
-I
, --interface
,
-L
, or --novirtualips
command-line options are specified in the configuration file, all
available network addresses are opened. The nic
directive is an alias for interface
.leapfile
leapfilehttps://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list
or
ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list
.
The leapfile
is scanned when
ntpd(1ntpdmdoc)
processes the leapfile directive or when
ntpd detects that the
leapfile has changed. ntpd
checks once a day to see if the leapfile has
changed. The
update-leap(1update_leapmdoc)
script can be run to see if the leapfile should be
updated.leapsmearinterval
seconds--enable-leap-smear
option to the
configure
script. It specifies the interval over
which a leap second correction will be applied. Recommended values for
this option are between 7200 (2 hours) and 86400 (24 hours).
DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS! See
http://bugs.ntp.org/2855 for more information.logconfig
configkeywordlogfile
log file. By default, all output
is turned on. All configkeyword keywords can be
prefixed with ‘=
’,
‘+
’ and
‘-
’, where
‘=
’ sets the
syslog(3) priority mask,
‘+
’ adds and
‘-
’ removes messages.
syslog(3) messages can be
controlled in four classes (clock
,
peer
, sys
and
sync
). Within these classes four types of messages
can be controlled: informational messages (info
),
event messages (events
), statistics messages
(statistics
) and status messages
(status
).
Configuration keywords are formed by concatenating the message
class with the event class. The all
prefix can
be used instead of a message class. A message class may also be followed
by the all
keyword to enable/disable all
messages of the respective message class. Thus, a minimal log
configuration could look like this:
logconfig =syncstatus +sysevents
This would just list the synchronizations state of ntpd(1ntpdmdoc) and the major system events. For a simple reference server, the following minimum message configuration could be useful:
logconfig =syncall +clockall
This configuration will list all clock information and synchronization information. All other events and messages about peers, system events and so on is suppressed.
logfile
logfile-l
command line
option.mru
[maxdepth
count |
maxmem
kilobytes |
mindepth
count |
maxage
seconds |
initialloc
count |
initmem
kilobytes |
incalloc
count |
incmem
kilobytes]maxdepth
countmaxmem
kilobytesincalloc
entries or
incmem
kilobytes larger. As with all of the
mru
options offered in units of entries or
kilobytes, if both maxdepth
and
maxmem are used, the last one used controls.
The default is 1024 kilobytes.mindepth
countmindepth
entries, existing entries are never
removed to make room for newer ones, regardless of their age. The
default is 600 entries.maxage
secondsmindepth
entries and an
additional client is to ba added to the list, if the oldest entry was
updated more than maxage
seconds ago, that
entry is removed and its storage is reused. If the oldest entry was
updated more recently the MRU list is grown, subject to
maxdepth / moxmem
. The default is 64
seconds.initalloc
countinitmem
kilobytesincalloc
countincmem
kilobytesnonvolatile
thresholddriftfile
(frequency file)
will be written, with a default value of 1e-7 (0.1 PPM). The frequency
file is inspected each hour. If the difference between the current
frequency and the last value written exceeds the threshold, the file is
written and the threshold
becomes the new
threshold value. If the threshold is not exceeeded, it is reduced by half.
This is intended to reduce the number of file writes for embedded systems
with nonvolatile memory.phone
dial ...reset
[allpeers
] [auth
]
[ctl
] [io
]
[mem
] [sys
]
[timer
]ntpd
and exposed by ntpq
and ntpdc
.rlimit
[memlock
Nmegabytes |
stacksize
N4kPages
filenum
Nfiledescriptors]memlock
Nmegabytes-i
option). The
default is 32 megabytes on non-Linux machines, and -1 under Linux. -1
means "do not lock the process into memory". 0 means
"lock whatever memory the process wants into memory".stacksize
N4kPagesmlockall
() function. Defaults to 50 4k pages
(200 4k pages in OpenBSD).filenum
Nfiledescriptorssaveconfigdir
directory_pathntpq 's
saveconfig
command. If saveconfigdir
does not appear in the
configuration file, saveconfig
requests are
rejected by ntpd
.saveconfig
filename:config
or
config-from-file
to the
ntpd
host's filename in the
saveconfigdir
. This command will be rejected
unless the saveconfigdir
directive appears in
ntpd 's
configuration file.
filename can use
strftime(3) format
directives to substitute the current date and time, for example,
saveconfig ntp-%Y%m%d-%H%M%S.conf
. The
filename used is stored in the system variable
savedconfig
. Authentication is required.setvar
variable [default
]default
keyword, the variable will be listed as
part of the default system variables
(ntpq(1ntpqmdoc)
rv
command)). These additional variables serve
informational purposes only. They are not related to the protocol other
that they can be listed. The known protocol variables will always override
any variables defined via the setvar
mechanism.
There are three special variables that contain the names of all variable
of the same group. The sys_var_list holds the names
of all system variables. The peer_var_list holds the
names of all peer variables and the clock_var_list
holds the names of the reference clock variables.sysinfo
sysstats
tinker
[allan
allan |
dispersion
dispersion |
freq
freq |
huffpuff
huffpuff |
panic
panic |
step
step |
stepback
stepback |
stepfwd
stepfwd |
stepout
stepout]The variables operate as follows:
allan
allandispersion
dispersionfreq
freqhuffpuff
huffpuffpanic
panicstep
stepstepback
stepbackstepfwd
stepfwdstepout
stepoutwritevar
assocID name = value [,...]assocID
is zero, the variablea re from the system
variables name space, otherwise they are from the peer variables name
space. The assocID
is required, as the same name
can occur in both name spaces.trap
host_address [port
port_number] [interface
interface_address]ttl
hop ...manycast
mode these
values are used in-turn in an expanding-ring search. The default is eight
multiples of 32 starting at 31.
The trap receiver will generally log event messages and other information from the server in a log file. While such monitor programs may also request their own trap dynamically, configuring a trap receiver will ensure that no messages are lost when the server is started.
hop
...--help
--more-help
--version
[{v|c|n}]NTP_CONF_<option-name> or NTP_CONF
In addition to the manual pages provided, comprehensive
documentation is available on the world wide web at
http://www.ntp.org/
. A snapshot of this
documentation is available in HTML format in
/usr/share/doc/ntp.
David L. Mills, Network Time Protocol (Version 4), RFC5905.
The ntpkey_host files are really digital certificates. These should be obtained via secure directory services when they become universally available.
Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
This manual page was AutoGen-erated from the ntp.conf option definitions.
August 14 2018 | NetBSD 9.4 |