<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.6, http://www.gnu.org/software/texinfo/ -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>NTP Configuration File User’s Manual</title>

<meta name="description" content="NTP Configuration File User’s Manual">
<meta name="keywords" content="NTP Configuration File User’s Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<link href="#Top" rel="start" title="Top">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>

</head>

<body lang="en">
<h1 class="settitle" align="center">NTP Configuration File User’s Manual</h1>

<span id="Top"></span><div class="header">
<p>
Next: <a href="#ntp_002econf-Description" accesskey="n"
rel="next">ntp.conf Description</a>, Previous: <a href="dir.html#Top" accesskey="p" rel="prev">(dir)</a>, Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> </p>
</div>
<span id="NTP_0027s-Configuration-File-User-Manual"></span><h1 class="top">NTP’s Configuration File User Manual</h1>

<p>This document describes the configuration file for the NTP Project’s
<code>ntpd</code> program.
</p>
<p>This document applies to version 4.2.8p18 of <code>ntp.conf</code>.
</p>
<span id="SEC_Overview"></span>
<h2 class="shortcontents-heading">Short Table of Contents</h2>

<div class="shortcontents">
<ul class="no-bullet">
<li><a id="stoc-Description" href="#toc-Description">1 Description</a></li>
</ul>
</div>

<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Description" accesskey="1">ntp.conf Description</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Notes" accesskey="2">ntp.conf Notes</a></td><td> </td><td align="left" valign="top">
</td></tr>
</table>

<hr>
<span id="ntp_002econf-Description"></span><div class="header">
<p>
Previous: <a href="#Top" accesskey="p" rel="prev">Top</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> </p>
</div>
<span id="Description"></span><h2 class="chapter">1 Description</h2>

<p>The behavior of <code>ntpd</code> can be changed by a configuration file,
by default <code>ntp.conf</code>.
</p>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Notes" accesskey="1">Notes about ntp.conf</a></td><td> </td><td align="left" valign="top">
</td></tr>
</table>

<hr>
<span id="ntp_002econf-Notes"></span><div class="header">
<p>
Previous: <a href="#ntp_002econf-Bugs" accesskey="p" rel="prev">ntp.conf Bugs</a>, Up: <a href="#ntp_002econf-Description" accesskey="u" rel="up">ntp.conf Description</a> </p>
</div>
<span id="Notes-about-ntp_002econf"></span><h3 class="section">1.1 Notes about ntp.conf</h3>
<span id="index-ntp_002econf"></span>
<span id="index-Network-Time-Protocol-_0028NTP_0029-daemon-configuration-file-format"></span>

<p>The
<code>ntp.conf</code>
configuration file is read at initial startup by the
<code>ntpd(1ntpdmdoc)</code>
daemon in order to specify the synchronization sources,
modes and other related information.
Usually, it is installed in the
<samp>/etc</samp>
directory,
but could be installed elsewhere
(see the daemon’s
<code>-c</code>
command line option).
</p>
<p>The file format is similar to other
<small>UNIX</small>
configuration files.
Comments begin with a
‘#’
character and extend to the end of the line;
blank lines are ignored.
Configuration commands consist of an initial keyword
followed by a list of arguments,
some of which may be optional, separated by whitespace.
Commands may not be continued over multiple lines.
Arguments may be host names,
host addresses written in numeric, dotted-quad form,
integers, floating point numbers (when specifying times in seconds)
and text strings.
</p>
<p>The rest of this page describes the configuration and control options.
The
"Notes on Configuring NTP and Setting up an NTP Subnet"
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>)
contains an extended discussion of these options.
In addition to the discussion of general
‘Configuration Options’,
there are sections describing the following supported functionality
and the options used to control it:
</p><ul>
<li> <a href="#Authentication-Support">Authentication Support</a>
</li><li> <a href="#Monitoring-Support">Monitoring Support</a>
</li><li> <a href="#Access-Control-Support">Access Control Support</a>
</li><li> <a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a>
</li><li> <a href="#Reference-Clock-Support">Reference Clock Support</a>
</li><li> <a href="#Miscellaneous-Options">Miscellaneous Options</a>
</li></ul>

<p>Following these is a section describing
<a href="#Miscellaneous-Options">Miscellaneous Options</a>.
While there is a rich set of options available,
the only required option is one or more
<code>pool</code>,
<code>server</code>,
<code>peer</code>,
<code>broadcast</code>
or
<code>manycastclient</code>
commands.
</p><table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">• <a href="#Configuration-Support" accesskey="1">Configuration Support</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#Authentication-Support" accesskey="2">Authentication Support</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#Monitoring-Support" accesskey="3">Monitoring Support</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#Access-Control-Support" accesskey="4">Access Control Support</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#Automatic-NTP-Configuration-Options" accesskey="5">Automatic NTP Configuration Options</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#Reference-Clock-Support" accesskey="6">Reference Clock Support</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#Miscellaneous-Options" accesskey="7">Miscellaneous Options</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Files" accesskey="8">ntp.conf Files</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#ntp_002econf-See-Also" accesskey="9">ntp.conf See Also</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Bugs">ntp.conf Bugs</a></td><td> </td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">• ntp.conf Notes</td><td> </td><td align="left" valign="top">
</td></tr>
</table>

<hr>
<span id="Configuration-Support"></span><div class="header">
<p>
Next: <a href="#Authentication-Support" accesskey="n" rel="next">Authentication Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="Configuration-Support-1"></span><h4 class="subsection">1.1.1 Configuration Support</h4>
<p>Following is a description of the configuration commands in
NTPv4.
These commands have the same basic functions as in NTPv3 and
in some cases new functions and new arguments.
There are two
classes of commands, configuration commands that configure a
persistent association with a remote server or peer or reference
clock, and auxiliary commands that specify environmental variables
that control various related operations.
</p><span id="Configuration-Commands"></span><h4 class="subsubsection">1.1.1.1 Configuration Commands</h4>
<p>The various modes are determined by the command keyword and the
type of the required IP address.
Addresses are classed by type as
(s) a remote server or peer (IPv4 class A, B and C), (b) the
broadcast address of a local interface, (m) a multicast address (IPv4
class D), or (r) a reference clock address (127.127.x.x).
Note that
only those options applicable to each command are listed below.
Use
of options not listed may not be caught as an error, but may result
in some weird and even destructive behavior.
</p>
<p>If the Basic Socket Interface Extensions for IPv6 (RFC-2553)
is detected, support for the IPv6 address family is generated
in addition to the default support of the IPv4 address family.
In a few cases, including the
<code>reslist</code>
billboard generated
by
<code>ntpq(1ntpqmdoc)</code>
or
<code>ntpdc(1ntpdcmdoc)</code>,
IPv6 addresses are automatically generated.
IPv6 addresses can be identified by the presence of colons
“:”
in the address field.
IPv6 addresses can be used almost everywhere where
IPv4 addresses can be used,
with the exception of reference clock addresses,
which are always IPv4.
</p>
<p>Note that in contexts where a host name is expected, a
<code>-4</code>
qualifier preceding
the host name forces DNS resolution to the IPv4 namespace,
while a
<code>-6</code>
qualifier forces DNS resolution to the IPv6 namespace.
See IPv6 references for the
equivalent classes for that address family.
</p><dl compact="compact">
<dt><code>pool</code> <kbd>address</kbd> <code>[<code>burst</code>]</code> <code>[<code>iburst</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>xmtnonce</code>]</code></dt>
<dt><code>server</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>burst</code>]</code> <code>[<code>iburst</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>true</code>]</code> <code>[<code>xmtnonce</code>]</code></dt>
<dt><code>peer</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>true</code>]</code> <code>[<code>xleave</code>]</code></dt>
<dt><code>broadcast</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>ttl</code> <kbd>ttl</kbd>]</code> <code>[<code>xleave</code>]</code></dt>
<dt><code>manycastclient</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code>
<kbd>maxpoll</kbd>]</code> <code>[<code>ttl</code> <kbd>ttl</kbd>]</code></dt>
</dl>

<p>These five commands specify the time server name or address to
be used and the mode in which to operate.
The
<kbd>address</kbd>
can be
either a DNS name or an IP address in dotted-quad notation.
Additional information on association behavior can be found in the
"Association Management"
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
</p><dl compact="compact">
<dt><code>pool</code></dt>
<dd><p>For type s addresses, this command mobilizes a persistent
client mode association with a number of remote servers.
In this mode the local clock can be synchronized to the
remote server, but the remote server can never be synchronized to
the local clock.
</p></dd>
<dt><code>server</code></dt>
<dd><p>For type s and r addresses, this command mobilizes a persistent
client mode association with the specified remote server or local
radio clock.
In this mode the local clock can be synchronized to the
remote server, but the remote server can never be synchronized to
the local clock.
This command should
<em>not</em>
be used for type
b or m addresses.
</p></dd>
<dt><code>peer</code></dt>
<dd><p>For type s addresses (only), this command mobilizes a
persistent symmetric-active mode association with the specified
remote peer.
In this mode the local clock can be synchronized to
the remote peer or the remote peer can be synchronized to the local
clock.
This is useful in a network of servers where, depending on
various failure scenarios, either the local or remote peer may be
the better source of time.
This command should NOT be used for type
b, m or r addresses.
</p></dd>
<dt><code>broadcast</code></dt>
<dd><p>For type b and m addresses (only), this
command mobilizes a persistent broadcast mode association.
Multiple
commands can be used to specify multiple local broadcast interfaces
(subnets) and/or multiple multicast groups.
Note that local
broadcast messages go only to the interface associated with the
subnet specified, but multicast messages go to all interfaces.
In broadcast mode the local server sends periodic broadcast
messages to a client population at the
<kbd>address</kbd>
specified, which is usually the broadcast address on (one of) the
local network(s) or a multicast address assigned to NTP.
The IANA
has assigned the multicast group address IPv4 224.0.1.1 and
IPv6 ff05::101 (site local) exclusively to
NTP, but other nonconflicting addresses can be used to contain the
messages within administrative boundaries.
Ordinarily, this
specification applies only to the local server operating as a
sender; for operation as a broadcast client, see the
<code>broadcastclient</code>
or
<code>multicastclient</code>
commands
below.
</p></dd>
<dt><code>manycastclient</code></dt>
<dd><p>For type m addresses (only), this command mobilizes a
manycast client mode association for the multicast address
specified.
In this case a specific address must be supplied which
matches the address used on the
<code>manycastserver</code>
command for
the designated manycast servers.
The NTP multicast address
224.0.1.1 assigned by the IANA should NOT be used, unless specific
means are taken to avoid spraying large areas of the Internet with
these messages and causing a possibly massive implosion of replies
at the sender.
The
<code>manycastserver</code>
command specifies that the local server
is to operate in client mode with the remote servers that are
discovered as the result of broadcast/multicast messages.
The
client broadcasts a request message to the group address associated
with the specified
<kbd>address</kbd>
and specifically enabled
servers respond to these messages.
The client selects the servers
providing the best time and continues as with the
<code>server</code>
command.
The remaining servers are discarded as if never
heard.
</p></dd>
</dl>

<p>Options:
</p><dl compact="compact">
<dt><code>autokey</code></dt>
<dd><p>All packets sent to and received from the server or peer are to
include authentication fields encrypted using the autokey scheme
described in
‘Authentication Options’.
</p></dd>
<dt><code>burst</code></dt>
<dd><p>When the server is reachable, send a burst of six packets
instead of the usual one. The packet spacing is 2 s.
This is designed to improve timekeeping quality with the
<code>server</code>
command and s addresses.
</p></dd>
<dt><code>iburst</code></dt>
<dd><p>When the server is unreachable, send a burst of eight packets
instead of the usual one.
The packet spacing is 2 s.
This is designed to speed the initial synchronization
acquisition with the
<code>server</code>
command and s addresses and when
<code>ntpd(1ntpdmdoc)</code>
is started with the
<code>-q</code>
option.
</p></dd>
<dt><code>key</code> <kbd>key</kbd></dt>
<dd><p>All packets sent to and received from the server or peer are to
include authentication fields encrypted using the specified
<kbd>key</kbd>
identifier with values from 1 to 65535, inclusive.
The
default is to include no encryption field.
</p></dd>
<dt><code>minpoll</code> <kbd>minpoll</kbd></dt>
<dt><code>maxpoll</code> <kbd>maxpoll</kbd></dt>
<dd><p>These options specify the minimum and maximum poll intervals
for NTP messages, as a power of 2 in seconds.
The maximum poll
interval defaults to 10 (1,024 s), but can be increased by the
<code>maxpoll</code>
option to an upper limit of 17 (36.4 h).
The
minimum poll interval defaults to 6 (64 s), but can be decreased by
the
<code>minpoll</code>
option to a lower limit of 4 (16 s).
</p></dd>
<dt><code>noselect</code></dt>
<dd><p>Marks the server as unused, except for display purposes.
The server is discarded by the selection algorithm.
</p></dd>
<dt><code>preempt</code></dt>
<dd><p>Says the association can be preempted.
</p></dd>
<dt><code>prefer</code></dt>
<dd><p>Marks the server as preferred.
All other things being equal,
this host will be chosen for synchronization among a set of
correctly operating hosts.
See the
"Mitigation Rules and the prefer Keyword"
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>)
for further information.
</p></dd>
<dt><code>true</code></dt>
<dd><p>Marks the server as a truechimer,
forcing the association to always survive the selection and clustering algorithms.
This option should almost certainly
<em>only</em>
be used while testing an association.
</p></dd>
<dt><code>ttl</code> <kbd>ttl</kbd></dt>
<dd><p>This option is used only with broadcast server and manycast
client modes.
It specifies the time-to-live
<kbd>ttl</kbd>
to
use on broadcast server and multicast server and the maximum
<kbd>ttl</kbd>
for the expanding ring search with manycast
client packets.
Selection of the proper value, which defaults to
127, is something of a black art and should be coordinated with the
network administrator.
</p></dd>
<dt><code>version</code> <kbd>version</kbd></dt>
<dd><p>Specifies the version number to be used for outgoing NTP
packets.
Versions 1-4 are the choices, with version 4 the
default.
</p></dd>
<dt><code>xleave</code></dt>
<dd><p>Valid in
<code>peer</code>
and
<code>broadcast</code>
modes only, this flag enables interleave mode.
</p></dd>
<dt><code>xmtnonce</code></dt>
<dd><p>Valid only for
<code>server</code>
and
<code>pool</code>
modes, this flag puts a random number in the packet’s transmit timestamp.
</p>
</dd>
</dl>
<span id="Auxiliary-Commands"></span><h4 class="subsubsection">1.1.1.2 Auxiliary Commands</h4>
<dl compact="compact">
<dt><code>broadcastclient</code></dt>
<dd><p>This command enables reception of broadcast server messages to
any local interface (type b) address.
Upon receiving a message for
the first time, the broadcast client measures the nominal server
propagation delay using a brief client/server exchange with the
server, then enters the broadcast client mode, in which it
synchronizes to succeeding broadcast messages.
Note that, in order
to avoid accidental or malicious disruption in this mode, both the
server and client should operate using symmetric-key or public-key
authentication as described in
‘Authentication Options’.
</p></dd>
<dt><code>manycastserver</code> <kbd>address</kbd> <kbd>...</kbd></dt>
<dd><p>This command enables reception of manycast client messages to
the multicast group address(es) (type m) specified.
At least one
address is required, but the NTP multicast address 224.0.1.1
assigned by the IANA should NOT be used, unless specific means are
taken to limit the span of the reply and avoid a possibly massive
implosion at the original sender.
Note that, in order to avoid
accidental or malicious disruption in this mode, both the server
and client should operate using symmetric-key or public-key
authentication as described in
‘Authentication Options’.
</p></dd>
<dt><code>multicastclient</code> <kbd>address</kbd> <kbd>...</kbd></dt>
<dd><p>This command enables reception of multicast server messages to
the multicast group address(es) (type m) specified.
Upon receiving
a message for the first time, the multicast client measures the
nominal server propagation delay using a brief client/server
exchange with the server, then enters the broadcast client mode, in
which it synchronizes to succeeding multicast messages.
Note that,
in order to avoid accidental or malicious disruption in this mode,
both the server and client should operate using symmetric-key or
public-key authentication as described in
‘Authentication Options’.
</p></dd>
<dt><code>mdnstries</code> <kbd>number</kbd></dt>
<dd><p>If we are participating in mDNS,
after we have synched for the first time
we attempt to register with the mDNS system.
If that registration attempt fails,
we try again at one minute intervals for up to
<code>mdnstries</code>
times.
After all,
<code>ntpd</code>
may be starting before mDNS.
The default value for
<code>mdnstries</code>
is 5.
</p></dd>
</dl>
<hr>
<span id="Authentication-Support"></span><div class="header">
<p>
Next: <a href="#Monitoring-Support" accesskey="n" rel="next">Monitoring Support</a>, Previous: <a href="#Configuration-Support" accesskey="p" rel="prev">Configuration Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="Authentication-Support-1"></span><h4 class="subsection">1.1.2 Authentication Support</h4>
<p>Authentication support allows the NTP client to verify that the
server is in fact known and trusted and not an intruder intending
accidentally or on purpose to masquerade as that server.
The NTPv3
specification RFC-1305 defines a scheme which provides
cryptographic authentication of received NTP packets.
Originally,
this was done using the Data Encryption Standard (DES) algorithm
operating in Cipher Block Chaining (CBC) mode, commonly called
DES-CBC.
Subsequently, this was replaced by the RSA Message Digest
5 (MD5) algorithm using a private key, commonly called keyed-MD5.
Either algorithm computes a message digest, or one-way hash, which
can be used to verify the server has the correct private key and
key identifier.
</p>
<p>NTPv4 retains the NTPv3 scheme, properly described as symmetric key
cryptography and, in addition, provides a new Autokey scheme
based on public key cryptography.
Public key cryptography is generally considered more secure
than symmetric key cryptography, since the security is based
on a private value which is generated by each server and
never revealed.
With Autokey all key distribution and
management functions involve only public values, which
considerably simplifies key distribution and storage.
Public key management is based on X.509 certificates,
which can be provided by commercial services or
produced by utility programs in the OpenSSL software library
or the NTPv4 distribution.
</p>
<p>While the algorithms for symmetric key cryptography are
included in the NTPv4 distribution, public key cryptography
requires the OpenSSL software library to be installed
before building the NTP distribution.
Directions for doing that
are on the Building and Installing the Distribution page.
</p>
<p>Authentication is configured separately for each association
using the
<code>key</code>
or
<code>autokey</code>
subcommand on the
<code>peer</code>,
<code>server</code>,
<code>broadcast</code>
and
<code>manycastclient</code>
configuration commands as described on the
‘Configuration Options’
page.
The authentication
options described below specify the locations of the key files,
if other than default, which symmetric keys are trusted
and the interval between various operations, if other than default.
</p>
<p>Authentication is always enabled,
although ineffective if not configured as
described below.
If an NTP packet arrives
including a message authentication
code (MAC), it is accepted only if it
passes all cryptographic checks.
The
checks require correct key ID, key value
and message digest.
If the packet has
been modified in any way or replayed
by an intruder, it will fail one or more
of these checks and be discarded.
Furthermore, the Autokey scheme requires a
preliminary protocol exchange to obtain
the server certificate, verify its
credentials and initialize the protocol.
</p>
<p>The
<code>auth</code>
flag controls whether new associations or
remote configuration commands require cryptographic authentication.
This flag can be set or reset by the
<code>enable</code>
and
<code>disable</code>
commands and also by remote
configuration commands sent by a
<code>ntpdc(1ntpdcmdoc)</code>
program running on
another machine.
If this flag is enabled, which is the default
case, new broadcast client and symmetric passive associations and
remote configuration commands must be cryptographically
authenticated using either symmetric key or public key cryptography.
If this
flag is disabled, these operations are effective
even if not cryptographically
authenticated.
It should be understood
that operating with the
<code>auth</code>
flag disabled invites a significant vulnerability
where a rogue hacker can
masquerade as a falseticker and seriously
disrupt system timekeeping.
It is
important to note that this flag has no purpose
other than to allow or disallow
a new association in response to new broadcast
and symmetric active messages
and remote configuration commands and, in particular,
the flag has no effect on
the authentication process itself.
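</p>
<p>The points above (associations configured with <code>key</code> or <code>autokey</code>, the <code>auth</code> flag, and the warnings attached to <code>true</code>, manycast on 224.0.1.1 and unauthenticated broadcast reception) lend themselves to an automated review of an <code>ntp.conf</code> before it is deployed. The following Python script is an added example, not code from the NTP distribution or this manual; it parses the file as section 1.1 describes it and reports those findings, using a missing <code>keys</code> command as a heuristic for "no authentication configured". The function names are the example's own and every host name and address in its sample configuration is constructed.</p>

```python
"""Audit an ntp.conf fragment for pitfalls this manual calls out (1.1.1, 1.1.2):
associations without key/autokey, key ids outside 1..65535, minpoll/maxpoll/
version outside the stated ranges, the 'true' option, manycast on the IANA group
224.0.1.1, 'disable auth', and broadcast/multicast/manycast reception with no
'keys' command (a heuristic for the "authentication on both sides" advice).
Parsing follows section 1.1.  SAMPLE_CONF below is constructed for this example."""

ASSOC_CMDS = {"pool", "server", "peer", "broadcast", "manycastclient"}
AUTH_CMDS = ASSOC_CMDS - {"pool"}      # pool takes no key/autokey option here
RECEIVE_CMDS = {"broadcastclient", "multicastclient", "manycastserver"}
VALUED_OPTS = {"key", "version", "minpoll", "maxpoll", "ttl"}  # take an argument
RANGES = {"minpoll": (4, 17), "maxpoll": (4, 17), "version": (1, 4)}
IANA_NTP_GROUP = "224.0.1.1"

def parse_ntp_conf(text):
    """Return (lineno, keyword, args) for every command line."""
    stmts = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # '#' comment runs to end of line
        if line:                               # blank lines are ignored
            words = line.split()
            stmts.append((lineno, words[0], words[1:]))
    return stmts

def parse_association(args):
    """Split association arguments into (address, options); a -4/-6 qualifier
    before the host name is skipped and VALUED_OPTS consume the next word."""
    i = 1 if args and args[0] in ("-4", "-6") else 0
    if i >= len(args):
        return None, {}
    address, opts, i = args[i], {}, i + 1
    while i < len(args):
        if args[i] in VALUED_OPTS and i + 1 < len(args):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            opts[args[i]] = True            # bare flag such as iburst or true
            i += 1
    return address, opts

def _in_range(val, lo, hi):
    """True when val is a decimal string within [lo, hi]."""
    return isinstance(val, str) and val.isdigit() and lo <= int(val) <= hi

def audit_ntp_conf(text):
    """Return (lineno, message) findings sorted by line."""
    findings, have_keys, receivers = [], False, []
    for lineno, kw, args in parse_ntp_conf(text):
        if kw == "keys":
            have_keys = True
        elif kw == "disable" and "auth" in args:
            findings.append((lineno, "disable auth: new broadcast-client/symmetric-passive "
                             "associations and remote configuration are accepted unauthenticated"))
        elif kw in RECEIVE_CMDS:
            receivers.append((lineno, kw))
            if kw == "manycastserver" and IANA_NTP_GROUP in args:
                findings.append((lineno, f"{kw} on {IANA_NTP_GROUP}: the manual says NOT to use it"))
        elif kw in ASSOC_CMDS:
            address, opts = parse_association(args)
            if address is None:
                findings.append((lineno, f"{kw} without an address"))
                continue
            if "key" in opts and not _in_range(opts["key"], 1, 65535):
                findings.append((lineno, f"key id {opts['key']!r} outside 1..65535"))
            if kw in AUTH_CMDS and "key" not in opts and "autokey" not in opts:
                findings.append((lineno, f"{kw} {address}: no key or autokey"))
            if "true" in opts:
                findings.append((lineno, f"{kw} {address}: 'true' always survives selection; testing only"))
            if kw == "manycastclient" and address == IANA_NTP_GROUP:
                findings.append((lineno, f"{kw} on {IANA_NTP_GROUP}: the manual says NOT to use it"))
            for opt, (lo, hi) in RANGES.items():
                if opt in opts and not _in_range(opts[opt], lo, hi):
                    findings.append((lineno, f"{opt} {opts[opt]} outside {lo}..{hi}"))
    if not have_keys:       # reception modes configured, but nothing to authenticate with
        for lineno, kw in receivers:
            findings.append((lineno, f"{kw} with no keys file: both sides should be authenticated"))
    return sorted(findings)

SAMPLE_CONF = """\
# constructed sample, not a real deployment
keys /etc/ntp.keys             # key file read at startup
trusted 7
server -4 time.example.test key 7 iburst minpoll 6 maxpoll 10
server 198.51.100.20 iburst    # no key
peer 203.0.113.7 key 70000     # key id out of range
broadcast 192.0.2.255 key 7 ttl 1
manycastclient 224.0.1.1 key 7
server 198.51.100.21 key 7 true
pool 2.pool.example.test iburst
disable auth
broadcastclient
"""

if __name__ == "__main__":
    for lineno, message in audit_ntp_conf(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

<p>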
</p>
<p>An attractive alternative where multicast support is available
is manycast mode, in which clients periodically troll
for servers as described on the
<a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a>
page.
Either symmetric key or public key
cryptographic authentication can be used in this mode.
The principal advantage
of manycast mode is that potential servers need not be
configured in advance,
since the client finds them during regular operation,
and the configuration
files for all clients can be identical.
</p>
<p>The security model and protocol schemes for
both symmetric key and public key
cryptography are summarized below;
further details are in the briefings, papers
and reports at the NTP project page linked from
<code>http://www.ntp.org/</code>.
</p><span id="Symmetric_002dKey-Cryptography"></span><h4 class="subsubsection">1.1.2.1 Symmetric-Key Cryptography</h4>
<p>The original RFC-1305 specification allows any one of possibly
65,535 keys, each distinguished by a 32-bit key identifier, to
authenticate an association.
The servers and clients involved must
agree on the key and key identifier to
authenticate NTP packets.
Keys and
related information are specified in a key
file, usually called
<samp>ntp.keys</samp>,
which must be distributed and stored using
secure means beyond the scope of the NTP protocol itself.
Besides the keys used
for ordinary NTP associations,
additional keys can be used as passwords for the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
utility programs.
</p>
<p>When
<code>ntpd(1ntpdmdoc)</code>
is first started, it reads the key file specified in the
<code>keys</code>
configuration command and installs the keys
in the key cache.
However,
individual keys must be activated with the
<code>trusted</code>
command before use.
This
allows, for instance, installing
several batches of keys and
then activating or deactivating each batch
remotely using
<code>ntpdc(1ntpdcmdoc)</code>.
This also provides a revocation capability that can be used
if a key becomes compromised.
The
<code>requestkey</code>
command selects the key used as the password for the
<code>ntpdc(1ntpdcmdoc)</code>
utility, while the
<code>controlkey</code>
command selects the key used as the password for the
<code>ntpq(1ntpqmdoc)</code>
utility.
</p><span id="Public-Key-Cryptography"></span><h4 class="subsubsection">1.1.2.2 Public Key Cryptography</h4>
<p>NTPv4 supports the original NTPv3 symmetric key scheme
described in RFC-1305 and in addition the Autokey protocol,
which is based on public key cryptography.
The Autokey Version 2 protocol described on the Autokey Protocol
page verifies packet integrity using MD5 message digests
and verifies the source with digital signatures and any of several
digest/signature schemes.
Optional identity schemes described on the Identity Schemes
page and based on cryptographic challenge/response algorithms
are also available.
Using all of these schemes provides strong security against
replay with or without modification, spoofing, masquerade
and most forms of clogging attacks.
</p>
<p>The Autokey protocol has several modes of operation
corresponding to the various NTP modes supported.
Most modes use a special cookie which can be
computed independently by the client and server,
but encrypted in transmission.
All modes use in addition a variant of the S-KEY scheme,
in which a pseudo-random key list is generated and used
in reverse order.
These schemes are described along with an executive summary,
current status, briefing slides and reading list on the
‘Autonomous Authentication’
page.
</p>
<p>The specific cryptographic environment used by Autokey servers
and clients is determined by a set of files
and soft links generated by the
<code>ntp-keygen(1ntpkeygenmdoc)</code>
program.
This includes a required host key file,
required certificate file and optional sign key file,
leapsecond file and identity scheme files.
The
digest/signature scheme is specified in the X.509 certificate
along with the matching sign key.
There are several schemes
available in the OpenSSL software library, each identified
by a specific string such as
<code>md5WithRSAEncryption</code>,
which stands for the MD5 message digest with RSA
encryption scheme.
The current NTP distribution supports
all the schemes in the OpenSSL library, including
those based on RSA and DSA digital signatures.
</p>
<p>NTP secure groups can be used to define cryptographic compartments
and security hierarchies.
It is important that every host
in the group be able to construct a certificate trail to one
or more trusted hosts in the same group.
Each group
host runs the Autokey protocol to obtain the certificates
for all hosts along the trail to one or more trusted hosts.
This requires the configuration file in all hosts to be
engineered so that, even under anticipated failure conditions,
the NTP subnet will form such that every group host can find
a trail to at least one trusted host.
</p><span id="Naming-and-Addressing"></span><h4 class="subsubsection">1.1.2.3 Naming and Addressing</h4>
<p>It is important to note that Autokey does not use DNS to
resolve addresses, since DNS can’t be completely trusted
until the name servers have synchronized clocks.
The cryptographic name used by Autokey to bind the host identity
credentials and cryptographic values must be independent
of interface, network and any other naming convention.
The name appears in the host certificate in either or both
the subject and issuer fields, so protection against
DNS compromise is essential.
</p>
<p>By convention, the name of an Autokey host is the name returned
by the Unix
<code>gethostname(2)</code>
system call or equivalent in other systems.
By the system design
model, there are no provisions to allow alternate names or aliases.
However, this is not to say that DNS aliases, different names
for each interface, etc., are constrained in any way.
</p>
<p>It is also important to note that Autokey verifies authenticity
using the host name, network address and public keys,
all of which are bound together by the protocol specifically
to deflect masquerade attacks.
For this reason Autokey
includes the source and destination IP addresses in message digest
computations and so the same addresses must be available
at both the server and client.
As a consequence, operation
with network address translation schemes is not possible.
This reflects the intended robust security model where government
and corporate NTP servers are operated outside firewall perimeters.
</p><span id="Operation"></span><h4 class="subsubsection">1.1.2.4 Operation</h4>
<p>A specific combination of authentication scheme (none,
symmetric key, public key) and identity scheme is called
a cryptotype, although not all combinations are compatible.
There may be management configurations where the clients,
servers and peers may not all support the same cryptotypes.
A secure NTPv4 subnet can be configured in many ways while
keeping in mind the principles explained above and
in this section.
Note however that some cryptotype
combinations may successfully interoperate with each other,
but may not represent good security practice.
</p>
<p>The cryptotype of an association is determined at the time
of mobilization, either at configuration time or some time
later when a message of appropriate cryptotype arrives.
When mobilized by a
<code>server</code>
or
<code>peer</code>
configuration command and no
<code>key</code>
or
<code>autokey</code>
subcommands are present, the association is not
authenticated; if the
<code>key</code>
subcommand is present, the association is authenticated
using the symmetric key ID specified; if the
<code>autokey</code>
subcommand is present, the association is authenticated
using Autokey.
</p>
<p>When multiple identity schemes are supported in the Autokey
protocol, the first message exchange determines which one is used.
The client request message contains bits corresponding
to which schemes it has available.
The server response message
contains bits corresponding to which schemes it has available.
Both server and client match the received bits with their own
and select a common scheme.
</p>
<p>Following the principle that time is a public value,
a server responds to any client packet that matches
its cryptotype capabilities.
Thus, a server receiving
an unauthenticated packet will respond with an unauthenticated
packet, while the same server receiving a packet of a cryptotype
it supports will respond with packets of that cryptotype.
However, unconfigured broadcast or manycast client
associations or symmetric passive associations will not be
mobilized unless the server supports a cryptotype compatible
with the first packet received.
By default, unauthenticated associations will not be mobilized
unless overridden in a decidedly dangerous way.
</p>
<p>Some examples may help to reduce confusion.
Client Alice has no specific cryptotype selected.
Server Bob has both a symmetric key file and minimal Autokey files.
Alice’s unauthenticated messages arrive at Bob, who replies with
unauthenticated messages.
Cathy has a copy of Bob’s symmetric
key file and has selected key ID 4 in messages to Bob.
Bob verifies the message with his key ID 4.
If it’s the
same key and the message is verified, Bob sends Cathy a reply
authenticated with that key.
If verification fails,
Bob sends Cathy a thing called a crypto-NAK, which tells her
something broke.
She can see the evidence using the
<code>ntpq(1ntpqmdoc)</code>
program.
</p>
<p>Denise has rolled her own host key and certificate.
She also uses the same identity scheme as Bob.
She sends the first Autokey message to Bob and they
both dance the protocol authentication and identity steps.
If all comes out okay, Denise and Bob continue as described above.
</p>
<p>It should be clear from the above that Bob can support
all the girls at the same time, as long as he has compatible
authentication and identity credentials.
Now, Bob can act just like the girls in his own choice of servers;
he can run multiple configured associations with multiple different
servers (or the same server, although that might not be useful).
But, wise security policy might preclude some cryptotype
combinations; for instance, running an identity scheme
with one server and no authentication with another might not be wise.
</p><span id="Key-Management"></span><h4 class="subsubsection">1.1.2.5 Key Management</h4>
<p>The cryptographic values used by the Autokey protocol are
incorporated as a set of files generated by the
<code>ntp-keygen(1ntpkeygenmdoc)</code>
utility program, including symmetric key, host key and
public certificate files, as well as sign key, identity parameters
and leapseconds files.
Alternatively, host and sign keys and
certificate files can be generated by the OpenSSL utilities
and certificates can be imported from public certificate
authorities.
Note that symmetric keys are necessary for the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
utility programs.
The remaining files are necessary only for the
Autokey protocol.
</p>
<p>Certificates imported from OpenSSL or public certificate
authorities have certain limitations.
The certificate should be in ASN.1 syntax, X.509 Version 3
format and encoded in PEM, which is the same format
used by OpenSSL.
The overall length of the certificate encoded
in ASN.1 must not exceed 1024 bytes.
The subject distinguished
name field (CN) is the fully qualified name of the host
on which it is used; the remaining subject fields are ignored.
The certificate extension fields must not contain either
a subject key identifier or an issuer key identifier field;
however, an extended key usage field for a trusted host must
contain the value
<code>trustRoot</code>.
Other extension fields are ignored.
</p><span id="Authentication-Commands"></span><h4 class="subsubsection">1.1.2.6 Authentication Commands</h4>
<dl compact="compact">
<dt><code>autokey</code> <code>[<kbd>logsec</kbd>]</code></dt>
<dd><p>Specifies the interval between regenerations of the session key
list used with the Autokey protocol.
Note that the size of the key
list for each association depends on this interval and the current
poll interval.
The value is a power of 2 in seconds; the default is 12 (4096 s or about 1.1 hours).
For poll intervals above the specified interval, a session key list
with a single entry will be regenerated for every message
sent.
</p></dd>
<dt><code>controlkey</code> <kbd>key</kbd></dt>
<dd><p>Specifies the key identifier to use with the
<code>ntpq(1ntpqmdoc)</code>
utility, which uses the standard
protocol defined in RFC-1305.
The
<kbd>key</kbd>
argument is
the key identifier for a trusted key, where the value can be in the
range 1 to 65,535, inclusive.
</p></dd>
<dt><code>crypto</code> <code>[<code>cert</code> <kbd>file</kbd>]</code> <code>[<code>leap</code> <kbd>file</kbd>]</code> <code>[<code>randfile</code> <kbd>file</kbd>]</code> <code>[<code>host</code> <kbd>file</kbd>]</code> <code>[<code>gq</code> <kbd>file</kbd>]</code> <code>[<code>gqpar</code> <kbd>file</kbd>]</code> <code>[<code>iffpar</code> <kbd>file</kbd>]</code> <code>[<code>mvpar</code> <kbd>file</kbd>]</code> <code>[<code>pw</code> <kbd>password</kbd>]</code></dt>
<dd><p>This command requires the OpenSSL library.
It activates public key
cryptography, selects the message digest and signature
encryption scheme and loads the required private and public
values described above.
If one or more files are left unspecified,
the default names are used as described above.
Unless the complete path and name of the file are specified, the
location of a file is relative to the keys directory specified
in the
<code>keysdir</code>
command or default
<samp>/usr/local/etc</samp>.
Following are the subcommands:
</p><dl compact="compact">
<dt><code>cert</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the required host public certificate file.
This overrides the link
<samp>ntpkey_cert_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>gqpar</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional GQ parameters file.
This
overrides the link
<samp>ntpkey_gq_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>host</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the required host key file.
This overrides
the link
<samp>ntpkey_key_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>iffpar</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional IFF parameters file.
This overrides the link
<samp>ntpkey_iff_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>leap</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional leapsecond file.
This overrides the link
<samp>ntpkey_leap</samp>
in the keys directory.
</p></dd>
<dt><code>mvpar</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional MV parameters file.
This overrides the link
<samp>ntpkey_mv_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>pw</code> <kbd>password</kbd></dt>
<dd><p>Specifies the password to decrypt files containing private keys and
identity parameters.
This is required only if these files have been
encrypted.
</p></dd>
<dt><code>randfile</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the random seed file used by the OpenSSL
library.
The defaults are described in the main text above.
</p></dd>
</dl>
</dd>
<dt><code>keys</code> <kbd>keyfile</kbd></dt>
<dd><p>Specifies the complete path and location of the MD5 key file
containing the keys and key identifiers used by
<code>ntpd(1ntpdmdoc)</code>,
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
when operating with symmetric key cryptography.
This is the same operation as the
<code>-k</code>
command line option.
</p></dd>
<dt><code>keysdir</code> <kbd>path</kbd></dt>
<dd><p>This command specifies the default directory path for
cryptographic keys, parameters and certificates.
The default is
<samp>/usr/local/etc/</samp>.
</p></dd>
<dt><code>requestkey</code> <kbd>key</kbd></dt>
<dd><p>Specifies the key identifier to use with the
<code>ntpdc(1ntpdcmdoc)</code>
utility program, which uses a
proprietary protocol specific to this implementation of
<code>ntpd(1ntpdmdoc)</code>.
The
<kbd>key</kbd>
argument is a key identifier
for the trusted key, where the value can be in the range 1 to
65,535, inclusive.
</p></dd>
<dt><code>revoke</code> <kbd>logsec</kbd></dt>
<dd><p>Specifies the interval between re-randomization of certain
cryptographic values used by the Autokey scheme, as a power of 2 in
seconds.
These values need to be updated frequently in order to
deflect brute-force attacks on the algorithms of the scheme;
however, updating some values is a relatively expensive operation.
The default interval is 16 (65,536 s or about 18 hours).
For poll
intervals above the specified interval, the values will be updated
for every message sent.
</p></dd>
<dt><code>trustedkey</code> <kbd>key</kbd> <kbd>...</kbd></dt>
<dd><p>Specifies the key identifiers which are trusted for the
purposes of authenticating peers with symmetric key cryptography,
as well as keys used by the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
programs.
The authentication procedures require that both the local
and remote servers share the same key and key identifier for this
purpose, although different keys can be used with different
servers.
The
<kbd>key</kbd>
arguments are 32-bit unsigned
integers with values from 1 to 65,535.
</p></dd>
</dl>
<span id="Error-Codes"></span><h4 class="subsubsection">1.1.2.7 Error Codes</h4>
<p>The following error codes are reported via the NTP control
and monitoring protocol trap mechanism.
</p><dl compact="compact">
<dt>101</dt>
<dd><p>(bad field format or length)
The packet has invalid version, length or format.
</p></dd>
<dt>102</dt>
<dd><p>(bad timestamp)
The packet timestamp is the same or older than the most recent received.
This could be due to a replay or a server clock time step.
</p></dd>
<dt>103</dt>
<dd><p>(bad filestamp)
The packet filestamp is the same or older than the most recent received.
This could be due to a replay or a key file generation error.
</p></dd>
<dt>104</dt>
<dd><p>(bad or missing public key)
The public key is missing, has incorrect format or is an unsupported type.
</p></dd>
<dt>105</dt>
<dd><p>(unsupported digest type)
The server requires an unsupported digest/signature scheme.
</p></dd>
<dt>106</dt>
<dd><p>(mismatched digest types)
Not used.
</p></dd>
<dt>107</dt>
<dd><p>(bad signature length)
The signature length does not match the current public key.
</p></dd>
<dt>108</dt>
<dd><p>(signature not verified)
The message fails the signature check.
It could be bogus or signed by a
different private key.
</p></dd>
<dt>109</dt>
<dd><p>(certificate not verified)
The certificate is invalid or signed with the wrong key.
</p></dd>
<dt>110</dt>
<dd><p>(certificate not verified)
The certificate is not yet valid or has expired or the signature could not
be verified.
</p></dd>
<dt>111</dt>
<dd><p>(bad or missing cookie)
The cookie is missing, corrupted or bogus.
</p></dd>
<dt>112</dt>
<dd><p>(bad or missing leapseconds table)
The leapseconds table is missing, corrupted or bogus.
</p></dd>
<dt>113</dt>
<dd><p>(bad or missing certificate)
The certificate is missing, corrupted or bogus.
</p></dd>
<dt>114</dt>
<dd><p>(bad or missing identity)
The identity key is missing, corrupt or bogus.
</p></dd>
</dl>
<hr>
<span id="Monitoring-Support"></span><div class="header">
<p>
Next: <a href="#Access-Control-Support" accesskey="n" rel="next">Access Control Support</a>, Previous: <a href="#Authentication-Support" accesskey="p" rel="prev">Authentication Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="Monitoring-Support-1"></span><h4 class="subsection">1.1.3 Monitoring Support</h4>
<p><code>ntpd(1ntpdmdoc)</code>
includes a comprehensive monitoring facility suitable
for continuous, long term recording of server and client
timekeeping performance.
See the
<code>statistics</code>
command below
for a listing and example of each type of statistics currently
supported.
Statistic files are managed using file generation sets
and scripts in the
<samp>./scripts</samp>
directory of the source code distribution.
Using
these facilities and
<small>UNIX</small>
<code>cron(8)</code>
jobs, the data can be
automatically summarized and archived for retrospective analysis.
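</p>
<p>The hourly <code>sysstats</code> records documented under the <code>statistics</code> command
below include a Bad authentication counter, which makes them a cheap source of evidence that
hosts are sending MACs <code>ntpd</code> rejects (stale or wrong keys, or forged packets).
The following is an added example, not a script from the distribution’s
<samp>./scripts</samp> directory: it parses <code>sysstats</code> lines, converts the Modified
Julian Day and seconds to a timestamp, and flags hours in which the bad-authentication
counter is high both in absolute terms and relative to the packets received. The sample
lines are constructed apart from the first, which is the example line in this manual; the
thresholds are assumptions to be tuned per server.
</p>

```python
# Added example, not part of the NTP distribution: a reader for the hourly
# sysstats records, used to flag hours with an unusual number of packets
# failing authentication.  The sample records are constructed except for
# the first, which is the example line from the ntp.conf manual; the
# thresholds in flag_auth_failures are assumptions.
from datetime import date, datetime, timedelta

MJD_EPOCH = date(1858, 11, 17)   # Modified Julian Day 0

# The ten counters that follow the date and time fields, in record order.
SYSSTATS_FIELDS = (
    "uptime_hours", "received", "processed", "current_version",
    "previous_version", "bad_version", "access_denied",
    "bad_length", "bad_auth", "rate_exceeded",
)

# Constructed sysstats lines; the third shows a burst of packets whose MAC
# did not verify.
SAMPLE_SYSSTATS = """\
50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
50928 5732.543 36001 4012 3 3950 10 52 0 0 0 0
50928 9332.543 36002 6120 2 2200 5 15 0 3 900 3000
"""


def mjd_to_date(mjd):
    """Convert a Modified Julian Day number to a calendar date."""
    return MJD_EPOCH + timedelta(days=int(mjd))


def parse_sysstats(text):
    """Return one dict per well-formed sysstats line, with a 'time' datetime
    and the ten named counters; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 + len(SYSSTATS_FIELDS):
            continue
        mjd, seconds = int(fields[0]), float(fields[1])
        midnight = datetime.combine(mjd_to_date(mjd), datetime.min.time())
        rec = {"time": midnight + timedelta(seconds=seconds)}
        rec.update(zip(SYSSTATS_FIELDS, map(int, fields[2:])))
        records.append(rec)
    return records


def flag_auth_failures(records, min_count=100, min_fraction=0.05):
    """Return the records whose bad_auth counter is both large in absolute
    terms and a noticeable fraction of the packets received that hour.
    Both thresholds are assumptions; tune them to the server's traffic."""
    flagged = []
    for rec in records:
        received = rec["received"] or 1          # avoid division by zero
        if rec["bad_auth"] >= min_count and rec["bad_auth"] / received >= min_fraction:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    recs = parse_sysstats(SAMPLE_SYSSTATS)
    for rec in flag_auth_failures(recs):
        print("%s  bad_auth=%d of %d received" % (
            rec["time"].isoformat(" ", "seconds"), rec["bad_auth"], rec["received"]))
```

<p>Run it over the current element of the <code>sysstats</code> file generation set, for
example from the kind of <code>cron(8)</code> job the text suggests. A flagged hour is a prompt
to look at the <code>peerstats</code> and <code>cryptostats</code> records for the same interval
and at which keys the sending hosts are configured with; it is not a verdict on its own.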
</p><span id="Monitoring-Commands"></span><h4 class="subsubsection">1.1.3.1 Monitoring Commands</h4>
<dl compact="compact">
<dt><code>statistics</code> <kbd>name</kbd> <kbd>...</kbd></dt>
<dd><p>Enables writing of statistics records.
Currently, eight kinds of
<kbd>name</kbd>
statistics are supported.
</p><dl compact="compact">
<dt><code>clockstats</code></dt>
<dd><p>Enables recording of clock driver statistics information.
Each update
received from a clock driver appends a line of the following form to
the file generation set named
<code>clockstats</code>:
</p><pre class="verbatim">49213 525.624 127.127.4.1 93 226 00:08:29.606 D
</pre>
<p>The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight).
The next field shows the
clock address in dotted-quad notation.
The final field shows the last
timecode received from the clock in decoded ASCII format, where
meaningful.
In some clock drivers a good deal of additional information
can be gathered and displayed as well.
See information specific to each
clock for further details.
</p></dd>
<dt><code>cryptostats</code></dt>
<dd><p>This option requires the OpenSSL cryptographic software library.
It
enables recording of cryptographic public key protocol information.
Each message received by the protocol module appends a line of the
following form to the file generation set named
<code>cryptostats</code>:
</p><pre class="verbatim">49213 525.624 127.127.4.1 message
</pre>
<p>The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight).
The next field shows the peer
address in dotted-quad notation. The final message field includes the
message type and certain ancillary information.
See the
‘Authentication Options’
section for further information.
</p></dd>
<dt><code>loopstats</code></dt>
<dd><p>Enables recording of loop filter statistics information.
Each
update of the local clock outputs a line of the following form to
the file generation set named
<code>loopstats</code>:
</p><pre class="verbatim">50935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
</pre>
<p>The first two fields show the date (Modified Julian Day) and
time (seconds and fraction past UTC midnight).
The next five fields
show time offset (seconds), frequency offset (parts per million -
PPM), RMS jitter (seconds), Allan deviation (PPM) and clock
discipline time constant.
</p></dd>
<dt><code>peerstats</code></dt>
<dd><p>Enables recording of peer statistics information.
This includes
statistics records of all peers of an NTP server and of special
signals, where present and configured.
Each valid update appends a
line of the following form to the current element of a file
generation set named
<code>peerstats</code>:
</p><pre class="verbatim">48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674
</pre>
<p>The first two fields show the date (Modified Julian Day) and
time (seconds and fraction past UTC midnight).
The next two fields
show the peer address in dotted-quad notation and status,
respectively.
The status field is encoded in hex in the format
described in Appendix A of the NTP specification RFC 1305.
The final four fields show the offset,
delay, dispersion and RMS jitter, all in seconds.
</p></dd>
<dt><code>rawstats</code></dt>
<dd><p>Enables recording of raw-timestamp statistics information.
This
includes statistics records of all peers of an NTP server and of
special signals, where present and configured.
Each NTP message
received from a peer or clock driver appends a line of the
following form to the file generation set named
<code>rawstats</code>:
</p><pre class="verbatim">50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.586228000 3102453332.540806000 3102453332.541458000
</pre>
<p>The first two fields show the date (Modified Julian Day) and
time (seconds and fraction past UTC midnight).
The next two fields
show the remote peer or clock address followed by the local address
in dotted-quad notation.
The final four fields show the originate,
receive, transmit and final NTP timestamps in order.
The timestamp
values are as received and before processing by the various data
smoothing and mitigation algorithms.
</p></dd>
<dt><code>sysstats</code></dt>
<dd><p>Enables recording of ntpd statistics counters on a periodic basis.
Each
hour a line of the following form is appended to the file generation
set named
<code>sysstats</code>:
</p><pre class="verbatim">50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
</pre>
<p>The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight).
The remaining ten fields show
the statistics counter values accumulated since the last generated
line.
</p><dl compact="compact">
<dt>Time since restart <code>36000</code></dt>
<dd><p>Time in hours since the system was last rebooted.
</p></dd>
<dt>Packets received <code>81965</code></dt>
<dd><p>Total number of packets received.
</p></dd>
<dt>Packets processed <code>0</code></dt>
<dd><p>Number of packets received in response to previous packets sent.
</p></dd>
<dt>Current version <code>9546</code></dt>
<dd><p>Number of packets matching the current NTP version.
</p></dd>
<dt>Previous version <code>56</code></dt>
<dd><p>Number of packets matching the previous NTP version.
</p></dd>
<dt>Bad version <code>71793</code></dt>
<dd><p>Number of packets matching neither NTP version.
</p></dd>
<dt>Access denied <code>512</code></dt>
<dd><p>Number of packets denied access for any reason.
</p></dd>
<dt>Bad length or format <code>540</code></dt>
<dd><p>Number of packets with invalid length, format or port number.
</p></dd>
<dt>Bad authentication <code>10</code></dt>
<dd><p>Number of packets not verified as authentic.
</p></dd>
<dt>Rate exceeded <code>147</code></dt>
<dd><p>Number of packets discarded due to rate limitation.
</p></dd>
</dl>
</dd>
<dt><code>statsdir</code> <kbd>directory_path</kbd></dt>
<dd><p>Indicates the full path of a directory where statistics files
should be created (see below).
This keyword allows
the (otherwise constant)
<code>filegen</code>
filename prefix to be modified for file generation sets, which
is useful for handling statistics logs.
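</p>
<p>As an added example (not code from the ntp.conf manual or the NTP project), the following Python parses sysstats records of the form documented above, converts the Modified Julian Day and seconds fields to a UTC timestamp, and flags hours in which the bad-authentication, rate-exceeded or access-denied counters are a suspicious share of the packets received. The second sample line and the threshold fractions are constructed for this example.</p>

```python
"""Parse ntpd sysstats records and flag hours with abusive traffic.

Added example, not part of the ntp.conf manual or the NTP project.
The record layout (MJD, seconds past UTC midnight, then ten hourly
counters) is the one documented for the sysstats file generation set.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Modified Julian Day 0 is 1858-11-17 00:00 UTC.
MJD_EPOCH = datetime(1858, 11, 17, tzinfo=timezone.utc)

# The ten counters, in the order the manual lists them.
COUNTER_NAMES = (
    "uptime_hours", "received", "processed", "current_version",
    "previous_version", "bad_version", "access_denied",
    "bad_length", "bad_auth", "rate_exceeded",
)


@dataclass
class SysstatsRecord:
    timestamp: datetime
    counters: dict


def parse_sysstats_line(line: str) -> SysstatsRecord:
    """Split one sysstats line into a UTC timestamp and named counters."""
    fields = line.split()
    if len(fields) != 2 + len(COUNTER_NAMES):
        raise ValueError(f"expected 12 fields, got {len(fields)}: {line!r}")
    mjd = int(fields[0])
    seconds = float(fields[1])
    timestamp = MJD_EPOCH + timedelta(days=mjd, seconds=seconds)
    counters = dict(zip(COUNTER_NAMES, (int(f) for f in fields[2:])))
    return SysstatsRecord(timestamp, counters)


def flag_abusive_hours(records, auth_fraction=0.01, rate_fraction=0.05,
                       denied_fraction=0.05):
    """Return (timestamp, reasons) for each hour whose rejection counters
    are a suspicious share of the packets received.

    The threshold fractions are constructed for this example; tune them
    to the server's normal traffic mix.
    """
    findings = []
    for rec in records:
        received = rec.counters["received"]
        if received == 0:
            continue
        reasons = []
        if rec.counters["bad_auth"] / received >= auth_fraction:
            reasons.append("bad_auth")
        if rec.counters["rate_exceeded"] / received >= rate_fraction:
            reasons.append("rate_exceeded")
        if rec.counters["access_denied"] / received >= denied_fraction:
            reasons.append("access_denied")
        if reasons:
            findings.append((rec.timestamp, reasons))
    return findings


# Constructed sample: the manual's own example line followed by a
# constructed hour in which authentication failures and rate-limited
# packets dominate the traffic.
SAMPLE_LINES = [
    "50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147",
    "50928 5732.543 36001 250000 0 9800 50 60 400 500 30000 90000",
]


def analyse(lines=SAMPLE_LINES):
    """Parse the given lines and return the flagged hours."""
    return flag_abusive_hours(parse_sysstats_line(l) for l in lines)


if __name__ == "__main__":
    for when, reasons in analyse():
        print(when.isoformat(), ", ".join(reasons))
```
<p>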
</p></dd>
<dt><code>filegen</code> <kbd>name</kbd> <code>[<code>file</code> <kbd>filename</kbd>]</code> <code>[<code>type</code> <kbd>typename</kbd>]</code> <code>[<code>link</code> | <code>nolink</code>]</code> <code>[<code>enable</code> | <code>disable</code>]</code></dt>
<dd><p>Configures setting of generation file set name.
Generation
file sets provide a means for handling files that are
continuously growing during the lifetime of a server.
Server statistics are a typical example for such files.
Generation file sets provide access to a set of files used
to store the actual data.
At any time at most one element
of the set is being written to.
The type given specifies
when and how data will be directed to a new element of the set.
This way, information stored in elements of a file set
that are currently unused is available for administrative
operations without the risk of disturbing the operation of ntpd.
(Most important: they can be removed to free space for new data
produced.)
</p>
<p>Note that this command can be sent from the
<code>ntpdc(1ntpdcmdoc)</code>
program running at a remote location.
</p><dl compact="compact">
<dt><code>name</code></dt>
<dd><p>This is the type of the statistics records, as shown in the
<code>statistics</code>
command.
</p></dd>
<dt><code>file</code> <kbd>filename</kbd></dt>
<dd><p>This is the file name for the statistics records.
Filenames of set
members are built from three concatenated elements
<code>prefix</code>,
<code>filename</code>
and
<code>suffix</code>:
</p><dl compact="compact">
<dt><code>prefix</code></dt>
<dd><p>This is a constant filename path.
It is not subject to
modifications via the
<kbd>filegen</kbd>
option.
It is defined by the
server, usually specified as a compile-time constant.
It may,
however, be configurable for individual file generation sets
via other commands.
For example, the prefix used with
<kbd>loopstats</kbd>
and
<kbd>peerstats</kbd>
generation can be configured using the
<kbd>statsdir</kbd>
option explained above.
</p></dd>
<dt><code>filename</code></dt>
<dd><p>This string is directly concatenated to the prefix mentioned
above (no intervening
‘/’).
This can be modified using
the file argument to the
<kbd>filegen</kbd>
statement.
No
<samp>..</samp>
elements are
allowed in this component to prevent filenames referring to
parts outside the filesystem hierarchy denoted by
<kbd>prefix</kbd>.
</p></dd>
<dt><code>suffix</code></dt>
<dd><p>This part reflects individual elements of a file set.
It is
generated according to the type of a file set.
</p></dd>
</dl>
</dd>
<dt><code>type</code> <kbd>typename</kbd></dt>
<dd><p>A file generation set is characterized by its type.
The following
types are supported:
</p><dl compact="compact">
<dt><code>none</code></dt>
<dd><p>The file set is actually a single plain file.
</p></dd>
<dt><code>pid</code></dt>
<dd><p>One element of the file set is used per incarnation of an ntpd
server.
This type does not perform any changes to file set
members during runtime; however, it provides an easy way of
separating files belonging to different
<code>ntpd(1ntpdmdoc)</code>
server incarnations.
The set member filename is built by appending a
‘.’
to concatenated
<kbd>prefix</kbd>
and
<kbd>filename</kbd>
strings, and
appending the decimal representation of the process ID of the
<code>ntpd(1ntpdmdoc)</code>
server process.
</p></dd>
<dt><code>day</code></dt>
<dd><p>One file generation set element is created per day.
A day is
defined as the period between 00:00 and 24:00 UTC.
The file set
member suffix consists of a
‘.’
and a day specification in
the form
<code>YYYYMMdd</code>.
<code>YYYY</code>
is a 4-digit year number (e.g., 1992).
<code>MM</code>
is a two digit month number.
<code>dd</code>
is a two digit day number.
Thus, all information written at 10 December 1992 would end up
in a file named
<kbd>prefix</kbd>
<kbd>filename</kbd>.19921210.
</p></dd>
<dt><code>week</code></dt>
<dd><p>Any file set member contains data related to a certain week of
a year.
The term week is defined by computing day-of-year
modulo 7.
Elements of such a file generation set are
distinguished by appending the following suffix to the file set
filename base: A dot, a 4-digit year number, the letter
<code>W</code>,
and a 2-digit week number.
For example, information from January 10th, 1992 would end up
in a file with suffix
<code>.1992W1</code>.
</p></dd>
<dt><code>month</code></dt>
<dd><p>One generation file set element is generated per month.
The
file name suffix consists of a dot, a 4-digit year number, and
a 2-digit month.
</p></dd>
<dt><code>year</code></dt>
<dd><p>One generation file element is generated per year.
The filename
suffix consists of a dot and a 4 digit year number.
</p></dd>
<dt><code>age</code></dt>
<dd><p>This type of file generation set changes to a new element of
the file set every 24 hours of server operation.
The filename
suffix consists of a dot, the letter
<code>a</code>,
and an 8-digit number.
This number is taken to be the number of seconds the server is
running at the start of the corresponding 24-hour period.
Information is only written to a file generation set by specifying
<code>enable</code>;
output is prevented by specifying
<code>disable</code>.
</p></dd>
</dl>
</dd>
<dt><code>link</code> | <code>nolink</code></dt>
<dd><p>It is convenient to be able to access the current element of a file
generation set by a fixed name.
This feature is enabled by
specifying
<code>link</code>
and disabled using
<code>nolink</code>.
If link is specified, a
hard link from the current file set element to a file without
suffix is created.
When there is already a file with this name and
the number of links of this file is one, it is renamed appending a
dot, the letter
<code>C</code>,
and the pid of the
<code>ntpd(1ntpdmdoc)</code>
server process.
When the
number of links is greater than one, the file is unlinked.
This
allows the current file to be accessed by a constant name.
</p></dd>
<dt><code>enable</code> <code>|</code> <code>disable</code></dt>
<dd><p>Enables or disables the recording function.
</p></dd>
</dl>
</dd>
</dl>
</dd>
</dl>
<hr>
<span id="Access-Control-Support"></span><div class="header">
<p>
Next: <a href="#Automatic-NTP-Configuration-Options" accesskey="n" rel="next">Automatic NTP Configuration Options</a>, Previous: <a href="#Monitoring-Support" accesskey="p" rel="prev">Monitoring Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="Access-Control-Support-1"></span><h4 class="subsection">1.1.4 Access Control Support</h4>
<p>The
<code>ntpd(1ntpdmdoc)</code>
daemon implements a general purpose address/mask based restriction
list.
The list contains address/match entries sorted first
by increasing address values and then by increasing mask values.
A match occurs when the bitwise AND of the mask and the packet
source address is equal to the bitwise AND of the mask and
address in the list.
The list is searched in order with the
last match found defining the restriction flags associated
with the entry.
Additional information and examples can be found in the
"Notes on Configuring NTP and Setting up a NTP Subnet"
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
</p>
<p>The restriction facility was implemented in conformance
with the access policies for the original NSFnet backbone
time servers.
Later the facility was expanded to deflect
cryptographic and clogging attacks.
While this facility may
be useful for keeping unwanted or broken or malicious clients
from congesting innocent servers, it should not be considered
an alternative to the NTP authentication facilities.
Source address based restrictions are easily circumvented
by a determined cracker.
</p>
<p>Clients can be denied service because they are explicitly
included in the restrict list created by the
<code>restrict</code>
command
or implicitly as the result of cryptographic or rate limit
violations.
Cryptographic violations include certificate
or identity verification failure; rate limit violations generally
result from defective NTP implementations that send packets
at abusive rates.
Some violations cause denied service
only for the offending packet, others cause denied service
for a timed period and others cause denied service for
an indefinite period.
When a client or network is denied access
for an indefinite period, the only way at present to remove
the restrictions is by restarting the server.
</p><span id="The-Kiss_002dof_002dDeath-Packet"></span><h4 class="subsubsection">1.1.4.1 The Kiss-of-Death Packet</h4>
<p>Ordinarily, packets denied service are simply dropped with no
further action except incrementing statistics counters.
Sometimes a
more proactive response is needed, such as a server message that
explicitly requests the client to stop sending and leave a message
for the system operator.
A special packet format has been created
for this purpose called the "kiss-of-death" (KoD) packet.
KoD packets have the leap bits set unsynchronized and stratum set
to zero and the reference identifier field set to a four-byte
ASCII code.
If the
<code>noserve</code>
or
<code>notrust</code>
flag of the matching restrict list entry is set,
the code is "DENY"; if the
<code>limited</code>
flag is set and the rate limit
is exceeded, the code is "RATE".
Finally, if a cryptographic violation occurs, the code is "CRYP".
</p>
<p>A client receiving a KoD performs a set of sanity checks to
minimize security exposure, then updates the stratum and
reference identifier peer variables, sets the access
denied (TEST4) bit in the peer flash variable and sends
a message to the log.
As long as the TEST4 bit is set,
the client will send no further packets to the server.
The only way at present to recover from this condition is
to restart the protocol at both the client and server.
This
happens automatically at the client when the association times out.
It will happen at the server only if the server operator cooperates.
</p><span id="Access-Control-Commands"></span><h4 class="subsubsection">1.1.4.2 Access Control Commands</h4>
<dl compact="compact">
<dt><code>discard</code> <code>[<code>average</code> <kbd>avg</kbd>]</code> <code>[<code>minimum</code> <kbd>min</kbd>]</code> <code>[<code>monitor</code> <kbd>prob</kbd>]</code></dt>
<dd><p>Set the parameters of the
<code>limited</code>
facility which protects the server from
client abuse.
The
<code>average</code>
subcommand specifies the minimum average packet
spacing in log2 seconds, defaulting to 3 (8s), while the
<code>minimum</code>
subcommand specifies the minimum packet spacing
in seconds, defaulting to 2.
Packets that violate these minima are discarded
and a kiss-o’-death packet returned if enabled.
The
<code>monitor</code>
subcommand indirectly specifies the probability of
replacing the oldest entry from the monitor (MRU)
list of recent requests used to enforce rate controls,
when that list is at its maximum size. The probability
of replacing the oldest entry is the age of that entry
in seconds divided by the
<code>monitor</code>
value, default 3000. For example, if the oldest entry
in the MRU list represents a request 300 seconds ago,
by default the probability of replacing it with an
entry representing the client request being processed
now is 10%. Conversely, if the oldest entry is more
than 3000 seconds old, the probability is 100%.
</p></dd>
<dt><code>restrict</code> <kbd>address</kbd> <code>[<code>mask</code> <kbd>mask</kbd>]</code> <code>[<code>ippeerlimit</code> <kbd>int</kbd>]</code> <code>[<kbd>flag</kbd> <kbd>...</kbd>]</code></dt>
<dd><p>The
<kbd>address</kbd>
argument expressed in
numeric form is the address of a host or network.
Alternatively, the
<kbd>address</kbd>
argument can be a valid hostname. When a hostname
is provided, a restriction entry is created for each
address the hostname resolves to, and any provided
<kbd>mask</kbd>
is ignored and an individual host mask is
used for each entry.
The
<kbd>mask</kbd>
argument expressed in numeric form defaults to
all bits lit, meaning that the
<kbd>address</kbd>
is treated as the address of an individual host.
A default entry with address and mask all zeroes
is always included and is always the first entry in the list.
Note that the text string
<code>default</code>,
with no mask option, may
be used to indicate the default entry.
The
<code>ippeerlimit</code>
directive limits the number of peer requests for each IP to
<kbd>int</kbd>,
where a value of -1 means "unlimited", the current default.
A value of 0 means "none".
There would usually be at most 1 peering request per IP,
but if the remote peering requests are behind a proxy
there could well be more than 1 per IP.
In the current implementation,
<code>flag</code>
always
restricts access, i.e., an entry with no flags indicates that free
access to the server is to be given.
The flags are not orthogonal,
in that more restrictive flags will often make less restrictive
ones redundant.
The flags can generally be classed into two
categories, those which restrict time service and those which
restrict informational queries and attempts to do run-time
reconfiguration of the server.
One or more of the following flags
may be specified:
</p><dl compact="compact">
<dt><code>ignore</code></dt>
<dd><p>Deny packets of all kinds, including
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
queries.
</p></dd>
<dt><code>kod</code></dt>
<dd><p>If this flag is set when a rate violation occurs, a kiss-o’-death
(KoD) packet is sometimes sent.
KoD packets are rate limited to no more than one per minimum
average interpacket spacing, set by
<code>discard</code> <code>average</code>
defaulting to 8s. Otherwise, no response is sent.
</p></dd>
<dt><code>limited</code></dt>
<dd><p>Deny service if the packet spacing violates the lower limits specified
in the
<code>discard</code>
command.
A history of clients is kept using the
monitoring capability of
<code>ntpd(1ntpdmdoc)</code>.
Thus, monitoring is always active as
long as there is a restriction entry with the
<code>limited</code>
flag.
</p></dd>
<dt><code>lowpriotrap</code></dt>
<dd><p>Declare traps set by matching hosts to be low priority.
The
number of traps a server can maintain is limited (the current limit
is 3).
Traps are usually assigned on a first come, first served
basis, with later trap requestors being denied service.
This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
</p></dd>
<dt><code>noepeer</code></dt>
<dd><p>Deny ephemeral peer requests,
even if they come from an authenticated source.
Note that the ability to use a symmetric key for authentication may be restricted to
one or more IPs or subnets via the third field of the
<samp>ntp.keys</samp>
file.
This restriction is not enabled by default,
to maintain backward compatibility.
Expect
<code>noepeer</code>
to become the default in ntp-4.4.
</p></dd>
<dt><code>nomodify</code></dt>
<dd><p>Deny
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
queries which attempt to modify the state of the
server (i.e., run time reconfiguration).
Queries which return
information are permitted.
</p></dd>
<dt><code>noquery</code></dt>
<dd><p>Deny
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
queries.
Time service is not affected.
</p></dd>
<dt><code>nopeer</code></dt>
<dd><p>Deny unauthenticated packets which would result in mobilizing a new association.
This includes
broadcast and symmetric active packets
when a configured association does not exist.
It also includes
<code>pool</code>
associations, so if you want to use servers from a
<code>pool</code>
directive and also want to use
<code>nopeer</code>
by default, you’ll want a
<code>restrict source ...</code>
line as well that does
<em>not</em>
include the
<code>nopeer</code>
directive.
</p></dd>
<dt><code>noserve</code></dt>
<dd><p>Deny all packets except
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
queries.
</p></dd>
<dt><code>notrap</code></dt>
<dd><p>Decline to provide mode 6 control message trap service to matching
hosts.
The trap service is a subsystem of the
<code>ntpq(1ntpqmdoc)</code>
control message
protocol which is intended for use by remote event logging programs.
</p></dd>
<dt><code>notrust</code></dt>
<dd><p>Deny service unless the packet is cryptographically authenticated.
</p></dd>
<dt><code>ntpport</code></dt>
<dd><p>This is actually a match algorithm modifier, rather than a
restriction flag.
Its presence causes the restriction entry to be
matched only if the source port in the packet is the standard NTP
UDP port (123).
There can be two restriction entries with the same IP address if
one specifies
<code>ntpport</code>
and the other does not.
The
<code>ntpport</code>
entry is considered more specific and
is sorted later in the list.
</p></dd>
<dt><code>serverresponse fuzz</code></dt>
<dd><p>When responding to server requests,
fuzz the low order bits of the
<code>reftime</code>.
</p></dd>
<dt><code>version</code></dt>
<dd><p>Deny packets that do not match the current NTP version.
</p></dd>
</dl>

<p>Default restriction list entries with the flags ignore, interface,
ntpport, for each of the local host’s interface addresses are
inserted into the table at startup to prevent ntpd
from attempting to synchronize to itself, such as with
<code>manycastclient</code>
when
<code>manycast</code>
is also specified with the same multicast address.
A default entry is also always present; if it is
otherwise unconfigured, no flags are associated
with the default entry (i.e., everything besides your own
NTP server is unrestricted).
</p></dd>
<dt><code>delrestrict</code> <code>[source]</code> <kbd>address</kbd></dt>
<dd><p>Remove a previously-set restriction. This is useful for
runtime configuration via
<code>ntpq(1ntpqmdoc)</code>.
If
<code>source</code>
is specified, a dynamic restriction created from the
<code>restrict</code> <code>source</code>
template at the time
an association was added is removed. Without
<code>source</code>
a static restriction is removed.
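</p>
<p>As an added example (not code from the ntp.conf manual or the NTP project), the following Python models the restriction list described above so that a set of <code>restrict</code> lines can be checked before deployment: entries are sorted by increasing address and then mask, <code>ntpport</code> entries sort later, and the last matching entry alone defines the flags, so flags do not accumulate across entries. It handles numeric IPv4 addresses only; hostname expansion, <code>ippeerlimit</code> and the interface entries ntpd inserts at startup are not modelled, and the configuration in <code>build_sample</code> is constructed for the example.</p>

```python
"""Model of ntpd's address/mask restriction list as the manual describes it.

Added example, not part of the ntp.conf manual or the NTP project. It
reproduces the documented matching rules (entries sorted by address then
mask, ntpport entries sorted later, last match wins) for IPv4 addresses
given in numeric form.
"""
import ipaddress
from dataclasses import dataclass

NTP_PORT = 123

# Flags listed in the manual; anything else is rejected at parse time.
KNOWN_FLAGS = {
    "ignore", "kod", "limited", "lowpriotrap", "noepeer", "nomodify",
    "noquery", "nopeer", "noserve", "notrap", "notrust", "version",
}


@dataclass
class RestrictEntry:
    network: int      # list address ANDed with the mask
    mask: int
    ntpport: bool     # match modifier: only packets from UDP port 123
    flags: frozenset

    def matches(self, src_addr: int, src_port: int) -> bool:
        if self.ntpport and src_port != NTP_PORT:
            return False
        return (src_addr & self.mask) == self.network


class RestrictList:
    def __init__(self):
        # The all-zero default entry is always present and always first.
        self.entries = [RestrictEntry(0, 0, False, frozenset())]

    def add(self, line: str) -> None:
        """Parse one 'restrict ...' line (numeric addresses only)."""
        words = line.split()
        if words[:1] != ["restrict"] or len(words) < 2:
            raise ValueError(f"not a restrict line: {line!r}")
        target, rest = words[1], words[2:]
        if target == "default":
            addr, mask = 0, 0
        else:
            addr = int(ipaddress.IPv4Address(target))
            mask = 0xFFFFFFFF          # default mask: all bits lit, one host
        if rest[:1] == ["mask"]:
            mask = int(ipaddress.IPv4Address(rest[1]))
            rest = rest[2:]
        ntpport = "ntpport" in rest    # modifier, not a restriction flag
        flags = {w for w in rest if w != "ntpport"}
        unknown = flags - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown restrict flag(s): {sorted(unknown)}")
        entry = RestrictEntry(addr & mask, mask, ntpport, frozenset(flags))
        if entry.network == 0 and entry.mask == 0 and not ntpport:
            self.entries[0] = entry    # redefine the default entry's flags
        else:
            self.entries.append(entry)
        # Sorted by increasing address, then mask; ntpport entries later.
        self.entries.sort(key=lambda e: (e.network, e.mask, e.ntpport))

    def lookup(self, src: str, src_port: int = NTP_PORT) -> frozenset:
        """Flags applied to a packet: the last matching entry defines them."""
        src_addr = int(ipaddress.IPv4Address(src))
        result = frozenset()
        for entry in self.entries:
            if entry.matches(src_addr, src_port):
                result = entry.flags
        return result


def build_sample() -> RestrictList:
    """Constructed configuration for this example."""
    rl = RestrictList()
    for line in (
        "restrict default kod nomodify notrap nopeer noquery limited",
        "restrict 127.0.0.1",
        "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap",
        "restrict 192.168.1.50 ntpport noquery",
    ):
        rl.add(line)
    return rl


if __name__ == "__main__":
    rl = build_sample()
    for src, port in (("10.0.0.5", 123), ("192.168.1.50", 123),
                      ("192.168.1.50", 50000), ("127.0.0.1", 123)):
        print(src, port, sorted(rl.lookup(src, port)) or "unrestricted")
```
<p>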
</p></dd>
</dl>
<hr>
<span id="Automatic-NTP-Configuration-Options"></span><div class="header">
<p>
Next: <a href="#Reference-Clock-Support" accesskey="n" rel="next">Reference Clock Support</a>, Previous: <a href="#Access-Control-Support" accesskey="p" rel="prev">Access Control Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="Automatic-NTP-Configuration-Options-1"></span><h4 class="subsection">1.1.5 Automatic NTP Configuration Options</h4>
<span id="Manycasting"></span><h4 class="subsubsection">1.1.5.1 Manycasting</h4>
<p>Manycasting is an automatic discovery and configuration paradigm
new to NTPv4.
It is intended as a means for a multicast client
to troll the nearby network neighborhood to find cooperating
manycast servers, validate them using cryptographic means
and evaluate their time values with respect to other servers
that might be lurking in the vicinity.
The intended result is that each manycast client mobilizes
client associations with some number of the "best"
of the nearby manycast servers, yet automatically reconfigures
to sustain this number of servers should one or another fail.
</p>
<p>Note that the manycasting paradigm does not coincide
with the anycast paradigm described in RFC-1546,
which is designed to find a single server from a clique
of servers providing the same service.
The manycast paradigm is designed to find a plurality
of redundant servers satisfying defined optimality criteria.
</p>
<p>Manycasting can be used with either symmetric key
or public key cryptography.
The public key infrastructure (PKI)
offers the best protection against compromised keys
and is generally considered stronger, at least with relatively
large key sizes.
It is implemented using the Autokey protocol and
the OpenSSL cryptographic library available from
<code>http://www.openssl.org/</code>.
The library can also be used with other NTPv4 modes
and is highly recommended, especially for broadcast modes.
</p>
<p>A persistent manycast client association is configured
using the
<code>manycastclient</code>
command, which is similar to the
<code>server</code>
command but with a multicast (IPv4 class
<code>D</code>
or IPv6 prefix
<code>FF</code>)
group address.
The IANA has designated IPv4 address 224.1.1.1
and IPv6 address FF05::101 (site local) for NTP.
When more servers are needed, it broadcasts manycast
client messages to this address at the minimum feasible rate
and minimum feasible time-to-live (TTL) hops, depending
on how many servers have already been found.
There can be as many manycast client associations
as different group addresses, each one serving as a template
for a future ephemeral unicast client/server association.
</p>
<p>Manycast servers configured with the
<code>manycastserver</code>
command listen on the specified group address for manycast
client messages.
Note the distinction between manycast client,
which actively broadcasts messages, and manycast server,
which passively responds to them.
If a manycast server is
in scope of the current TTL and is itself synchronized
to a valid source and operating at a stratum level equal
to or lower than the manycast client, it replies to the
manycast client message with an ordinary unicast server message.
</p>
<p>The manycast client receiving this message mobilizes
an ephemeral client/server association according to the
matching manycast client template, but only if cryptographically
authenticated and the server stratum is less than or equal
to the client stratum.
Authentication is explicitly required
and either symmetric key or public key (Autokey) can be used.
Then, the client polls the server at its unicast address
in burst mode in order to reliably set the host clock
and validate the source.
This normally results
in a volley of eight client/server exchanges at 2-s intervals
during which both the synchronization and cryptographic
protocols run concurrently.
Following the volley,
the client runs the NTP intersection and clustering
algorithms, which act to discard all but the "best"
associations according to stratum and synchronization
distance.
The surviving associations then continue
in ordinary client/server mode.
</p>
<p>The manycast client polling strategy is designed to reduce
as much as possible the volume of manycast client messages
and the effects of implosion due to near-simultaneous
arrival of manycast server messages.
The strategy is determined by the
<code>manycastclient</code>,
<code>tos</code>
and
<code>ttl</code>
configuration commands.
The manycast poll interval is
normally eight times the system poll interval,
which starts out at the
<code>minpoll</code>
value specified in the
<code>manycastclient</code>
command and, under normal circumstances, increments to the
<code>maxpoll</code>
value specified in this command.
Initially, the TTL is
set at the minimum hops specified by the
<code>ttl</code>
command.
At each retransmission the TTL is increased until reaching
the maximum hops specified by this command or a sufficient
number of client associations have been found.
Further retransmissions use the same TTL.
</p>
<p>The quality and reliability of the suite of associations
discovered by the manycast client is determined by the NTP
mitigation algorithms and the
<code>minclock</code>
and
<code>minsane</code>
values specified in the
<code>tos</code>
configuration command.
At least
<code>minsane</code>
candidate servers must be available and the mitigation
algorithms produce at least
<code>minclock</code>
survivors in order to synchronize the clock.
Byzantine agreement principles require at least four
candidates in order to correctly discard a single falseticker.
For legacy purposes,
<code>minsane</code>
defaults to 1 and
<code>minclock</code>
defaults to 3.
For manycast service
<code>minsane</code>
should be explicitly set to 4, assuming at least that
number of servers are available.
</p>
<p>If at least <code>minclock</code> servers are found, the manycast
poll interval is immediately set to eight times <code>maxpoll</code>.
If fewer than <code>minclock</code> servers are found when the TTL has
reached the maximum hops, the manycast poll interval is doubled.
For each transmission after that, the poll interval is doubled again
until reaching the maximum of eight times <code>maxpoll</code>.
Further transmissions use the same poll interval and TTL values.
Note that while all this is going on, each client/server association
found is operating normally at the system poll interval.
</p>
<p>Administratively scoped multicast boundaries are normally specified
by the network router configuration and, in the case of IPv6, the
link/site scope prefix.
By default, the increment for TTL hops is 32 starting from 31; however,
the <code>ttl</code> configuration command can be used to modify the
values to match the scope rules.
</p>
<p>It is often useful to narrow the range of acceptable servers which
can be found by manycast client associations.
Because manycast servers respond only when the client stratum is equal
to or greater than the server stratum, primary (stratum 1) servers will
find only primary servers in TTL range, which is probably the most
common objective.
However, unless configured otherwise, all manycast clients in TTL range
will eventually find all primary servers in TTL range, which is
probably not the most common objective in large networks.
The <code>tos</code> command can be used to modify this behavior.
Servers with stratum below <code>floor</code> or above
<code>ceiling</code> specified in the <code>tos</code> command are
strongly discouraged during the selection process; however, these
servers may be temporarily accepted if the number of servers within
TTL range is less than <code>minclock</code>.
</p>
<p>The above actions occur for each manycast client message, which
repeats at the designated poll interval.
However, once the ephemeral client association is mobilized, subsequent
manycast server replies are discarded, since that would result in a
duplicate association.
If during a poll interval the number of client associations falls below
<code>minclock</code>, all manycast client prototype associations are
reset to the initial poll interval and TTL hops and operation resumes
from the beginning.
It is important to avoid frequent manycast client messages, since each
one requires all manycast servers in TTL range to respond.
The result could well be an implosion, either minor or major, depending
on the number of servers in range.
The recommended value for <code>maxpoll</code> is 12 (4,096 s).
</p>
<p>It is possible and frequently useful to configure a host as both
manycast client and manycast server.
A number of hosts configured this way and sharing a common group
address will automatically organize themselves in an optimum
configuration based on stratum and synchronization distance.
For example, consider an NTP subnet of two primary servers and a
hundred or more dependent clients.
With two exceptions, all servers and clients have identical
configuration files including both <code>multicastclient</code> and
<code>multicastserver</code> commands using, for instance, multicast
group address 239.1.1.1.
The only difference is that each primary server configuration file
must also include commands for the primary reference source such as a
GPS receiver.
</p>
<p>The remaining configuration files for all secondary servers and
clients have the same contents, except for the <code>tos</code>
command, which is specific for each stratum level.
For stratum 1 and stratum 2 servers, that command is not necessary.
For stratum 3 and above servers the <code>floor</code> value is set to
the intended stratum number.
Thus, all stratum 3 configuration files are identical, all stratum 4
files are identical and so forth.
</p>
<p>Once operations have stabilized in this scenario, the primary servers
will find the primary reference source and each other, since they both
operate at the same stratum (1), but not with any secondary server or
client, since these operate at a higher stratum.
The secondary servers will find the servers at the same stratum level.
If one of the primary servers loses its GPS receiver, it will continue
to operate as a client and other clients will time out the
corresponding association and re-associate accordingly.
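</p>
<p>The scenario above written out as an <code>ntp.conf</code> fragment. This is an added example, not configuration shipped with the NTP distribution: it uses the <code>manycastclient</code> and <code>manycastserver</code> commands on which the manycast discussion is built, symmetric-key authentication (the <code>keys</code> and <code>trustedkey</code> commands, key id 1 and the key file path are assumptions), and an NMEA GPS receiver as the primary reference source (refclock driver type 20, unit 0, chosen here as an assumption). The <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> address form and the <code>fudge</code> command are described under Reference Clock Support later in this chapter.</p>

```conf
# Added example (not from the NTP distribution): ntp.conf for the
# two-primary-server manycast subnet described in the text.

# ---- Common part: identical on both primaries, every secondary server
# ---- and every client in the subnet.

# Manycast associations must be authenticated; symmetric keys are used
# here. /etc/ntp.keys is a placeholder path and key id 1 is assumed.
keys /etc/ntp.keys
trustedkey 1

# Every host is both manycast client and manycast server on the shared
# group address 239.1.1.1. maxpoll 12 (4,096 s) is the value the text
# recommends to keep manycast client messages, and so server reply
# implosion, infrequent.
manycastclient 239.1.1.1 key 1 minpoll 6 maxpoll 12
manycastserver 239.1.1.1

# Expanding-ring search: TTL hops tried on successive retransmissions,
# in increasing order (at most 8). This list equals the default of
# eight multiples of 32 starting at 31; it is spelled out so it can be
# trimmed to match the site's administratively scoped boundaries.
ttl 31 63 95 127 159 191 223 255

# ---- Primary servers only (stratum 1): reference clock plus tos.

# 127.127.20.0 selects driver type 20 (NMEA GPS), unit 0. prefer makes
# the mitigation rules favour this clock over the manycast peers.
server 127.127.20.0 prefer
# stratum 0 is the driver default (the daemon adds one, so this host
# advertises stratum 1); refid sets the reference identifier and
# flag4 1 records monitoring data to the clockstats file.
fudge 127.127.20.0 stratum 0 refid GPS flag4 1

# Byzantine agreement: at least 4 candidates are needed to discard a
# single falseticker, so minsane is raised from its legacy default of
# 1. minclock keeps its default of 3 survivors. No floor is needed at
# stratum 1 or 2.
tos minsane 4 minclock 3

# ---- Secondary servers and clients: omit the server/fudge lines above
# ---- and set floor to the stratum intended for this host (3 here), so
# ---- every stratum-3 file is identical, every stratum-4 file is
# ---- identical, and so on. The stratum-3 tos line reads:
# tos floor 3 minsane 4 minclock 3
```
<p>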
</p>
<p>Some administrators prefer to avoid running
<code>ntpd(1ntpdmdoc)</code> continuously and run either
<code>sntp(1sntpmdoc)</code> or <code>ntpd(1ntpdmdoc)</code>
<code>-q</code> as a cron job.
In either case the servers must be configured in advance and the
program fails if none are available when the cron job runs.
A really slick application of manycast is with
<code>ntpd(1ntpdmdoc)</code> <code>-q</code>.
The program wakes up, scans the local landscape looking for the usual
suspects, selects the best from among the rascals, sets the clock and
then departs.
Servers do not have to be configured in advance and all clients
throughout the network can have the same configuration file.
</p><span id="Manycast-Interactions-with-Autokey"></span><h4 class="subsubsection">1.1.5.2 Manycast Interactions with Autokey</h4>
<p>Each time a manycast client sends a client mode packet to a multicast
group address, all manycast servers in scope generate a reply including
the host name and status word.
The manycast clients then run the Autokey protocol, which collects and
verifies all certificates involved.
Following the burst interval all but three survivors are cast off, but
the certificates remain in the local cache.
It often happens that several complete signing trails from the client
to the primary servers are collected in this way.
</p>
<p>About once an hour, or less often if the poll interval exceeds this,
the client regenerates the Autokey key list.
This is in general transparent in client/server mode.
However, about once per day the server private value used to generate
cookies is refreshed along with all manycast client associations.
In this case all cryptographic values including certificates are
refreshed.
If a new certificate has been generated since the last refresh epoch,
it will automatically revoke all prior certificates that happen to be
in the certificate cache.
At the same time, the manycast scheme starts all over from the
beginning and the expanding ring shrinks to the minimum and increments
from there while collecting all servers in scope.
</p><span id="Broadcast-Options"></span><h4 class="subsubsection">1.1.5.3 Broadcast Options</h4>
<dl compact="compact">
<dt><code>tos</code> <code>[<code>bcpollbstep</code> <kbd>gate</kbd>]</code></dt>
<dd><p>This command provides a way to delay, by the specified number of
broadcast poll intervals, believing backward time steps from a
broadcast server.
Broadcast time networks are expected to be trusted.
In the event a broadcast server’s time is stepped backwards, there is
clear benefit to having the clients notice this change as soon as
possible.
Attacks such as replay attacks can happen, however, and even though
there are a number of protections built in to broadcast mode, attempts
to perform a replay attack are possible.
This value defaults to 0, but can be changed to any number of poll
intervals between 0 and 4.
</p></dd>
</dl>
<span id="Manycast-Options"></span><h4 class="subsubsection">1.1.5.4 Manycast Options</h4>
<dl compact="compact">
<dt><code>tos</code> <code>[<code>ceiling</code> <kbd>ceiling</kbd> | <code>cohort</code> <code>{</code> <code>0</code> | <code>1</code> <code>}</code> | <code>floor</code> <kbd>floor</kbd> | <code>minclock</code> <kbd>minclock</kbd> | <code>minsane</code> <kbd>minsane</kbd>]</code></dt>
<dd><p>This command affects the clock selection and clustering algorithms.
It can be used to select the quality and quantity of peers used to
synchronize the system clock and is most useful in manycast mode.
The variables operate as follows:
</p><dl compact="compact">
<dt><code>ceiling</code> <kbd>ceiling</kbd></dt>
<dd><p>Peers with strata above <code>ceiling</code> will be discarded if
there are at least <code>minclock</code> peers remaining.
This value defaults to 15, but can be changed to any number from 1 to 15.
</p></dd>
<dt><code>cohort</code> <code>{0 | 1}</code></dt>
<dd><p>This is a binary flag which enables (0) or disables (1) manycast
server replies to manycast clients with the same stratum level.
This is useful to reduce implosions where large numbers of clients with
the same stratum level are present.
The default is to enable these replies.
</p></dd>
<dt><code>floor</code> <kbd>floor</kbd></dt>
<dd><p>Peers with strata below <code>floor</code> will be discarded if
there are at least <code>minclock</code> peers remaining.
This value defaults to 1, but can be changed to any number from 1 to 15.
</p></dd>
<dt><code>minclock</code> <kbd>minclock</kbd></dt>
<dd><p>The clustering algorithm repeatedly casts out outlier associations
until no more than <code>minclock</code> associations remain.
This value defaults to 3, but can be changed to any number from 1 to
the number of configured sources.
</p></dd>
<dt><code>minsane</code> <kbd>minsane</kbd></dt>
<dd><p>This is the minimum number of candidates available to the clock
selection algorithm in order to produce one or more truechimers for the
clustering algorithm.
If fewer than this number are available, the clock is undisciplined and
allowed to run free.
The default is 1 for legacy purposes.
However, according to principles of Byzantine agreement,
<code>minsane</code> should be at least 4 in order to detect and discard
a single falseticker.
</p></dd>
</dl>
</dd>
<dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd></dt>
<dd><p>This command specifies a list of TTL values in increasing order;
up to 8 values can be specified.
In manycast mode these values are used in turn in an expanding-ring
search.
The default is eight multiples of 32 starting at 31.
</p></dd>
</dl>
<hr>
<span id="Reference-Clock-Support"></span><div class="header">
<p>
Next: <a href="#Miscellaneous-Options" accesskey="n" rel="next">Miscellaneous Options</a>, Previous: <a href="#Automatic-NTP-Configuration-Options" accesskey="p" rel="prev">Automatic NTP Configuration Options</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="Reference-Clock-Support-1"></span><h4 class="subsection">1.1.6 Reference Clock Support</h4>
<p>The NTP Version 4 daemon supports some three dozen different radio,
satellite and modem reference clocks plus a special pseudo-clock used
for backup or when no other clock source is available.
Detailed descriptions of individual device drivers and options can be
found in the "Reference Clock Drivers" page (available as part of the
HTML documentation provided in <samp>/usr/share/doc/ntp</samp>).
Additional information can be found in the pages linked there,
including the "Debugging Hints for Reference Clock Drivers" and
"How To Write a Reference Clock Driver" pages (available as part of the
HTML documentation provided in <samp>/usr/share/doc/ntp</samp>).
In addition, support for a PPS signal is available as described in the
"Pulse-per-second (PPS) Signal Interfacing" page (available as part of
the HTML documentation provided in <samp>/usr/share/doc/ntp</samp>).
Many drivers support special line discipline/streams modules which can
significantly improve the accuracy obtained with the driver.
These are described in the "Line Disciplines and Streams Drivers" page
(available as part of the HTML documentation provided in
<samp>/usr/share/doc/ntp</samp>).
</p>
<p>A reference clock will generally (though not always) be a radio
timecode receiver which is synchronized to a source of standard time
such as the services offered by the NRC in Canada and NIST and USNO in
the US.
The interface between the computer and the timecode receiver is device
dependent, but is usually a serial port.
A device driver specific to each reference clock must be selected and
compiled in the distribution; however, most common radio, satellite and
modem clocks are included by default.
Note that an attempt to configure a reference clock when the driver has
not been compiled or the hardware port has not been appropriately
configured results in a scalding remark to the system log file, but is
otherwise non-hazardous.
</p>
<p>For the purposes of configuration, <code>ntpd(1ntpdmdoc)</code>
treats reference clocks in a manner analogous to normal NTP peers as
much as possible.
Reference clocks are identified by a syntactically correct but invalid
IP address, in order to distinguish them from normal NTP peers.
Reference clock addresses are of the form
<code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd>, where <kbd>t</kbd> is
an integer denoting the clock type and <kbd>u</kbd> indicates the unit
number in the range 0-3.
While it may seem overkill, it is in fact sometimes useful to configure
multiple reference clocks of the same type, in which case the unit
numbers must be unique.
</p>
<p>The <code>server</code> command is used to configure a reference
clock, where the <kbd>address</kbd> argument in that command is the
clock address.
The <code>key</code>, <code>version</code> and <code>ttl</code> options
are not used for reference clock support.
The <code>mode</code> option is added for reference clock support, as
described below.
The <code>prefer</code> option can be useful to persuade the server to
cherish a reference clock with somewhat more enthusiasm than other
reference clocks or peers.
Further information on this option can be found in the "Mitigation
Rules and the prefer Keyword" page (available as part of the HTML
documentation provided in <samp>/usr/share/doc/ntp</samp>).
The <code>minpoll</code> and <code>maxpoll</code> options have meaning
only for selected clock drivers.
See the individual clock driver document pages for additional
information.
</p>
<p>The <code>fudge</code> command is used to provide additional
information for individual clock drivers and normally follows
immediately after the <code>server</code> command.
The <kbd>address</kbd> argument specifies the clock address.
The <code>refid</code> and <code>stratum</code> options can be used to
override the defaults for the device.
There are two optional device-dependent time offsets and four flags
that can be included in the <code>fudge</code> command as well.
</p>
<p>The stratum number of a reference clock is by default zero.
Since the <code>ntpd(1ntpdmdoc)</code> daemon adds one to the stratum
of each peer, a primary server ordinarily displays an external stratum
of one.
In order to provide engineered backups, it is often useful to specify
the reference clock stratum as greater than zero.
The <code>stratum</code> option is used for this purpose.
Also, in cases involving both a reference clock and a pulse-per-second
(PPS) discipline signal, it is useful to specify the reference clock
identifier as other than the default, depending on the driver.
The <code>refid</code> option is used for this purpose.
Except where noted, these options apply to all clock drivers.
</p><span id="Reference-Clock-Commands"></span><h4 class="subsubsection">1.1.6.1 Reference Clock Commands</h4>
<dl compact="compact">
<dt><code>server</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[<code>prefer</code>]</code> <code>[<code>mode</code> <kbd>int</kbd>]</code> <code>[<code>minpoll</code> <kbd>int</kbd>]</code> <code>[<code>maxpoll</code> <kbd>int</kbd>]</code></dt>
<dd><p>This command can be used to configure reference clocks in special
ways.
The options are interpreted as follows:
</p><dl compact="compact">
<dt><code>prefer</code></dt>
<dd><p>Marks the reference clock as preferred.
All other things being equal, this host will be chosen for
synchronization among a set of correctly operating hosts.
See the "Mitigation Rules and the prefer Keyword" page (available as
part of the HTML documentation provided in
<samp>/usr/share/doc/ntp</samp>) for further information.
</p></dd>
<dt><code>mode</code> <kbd>int</kbd></dt>
<dd><p>Specifies a mode number which is interpreted in a device-specific
fashion.
For instance, it selects a dialing protocol in the ACTS driver and a
device subtype in the parse drivers.
</p></dd>
<dt><code>minpoll</code> <kbd>int</kbd></dt>
<dt><code>maxpoll</code> <kbd>int</kbd></dt>
<dd><p>These options specify the minimum and maximum polling interval for
reference clock messages, as a power of 2 in seconds.
For most directly connected reference clocks, both <code>minpoll</code>
and <code>maxpoll</code> default to 6 (64 s).
For modem reference clocks, <code>minpoll</code> defaults to 10 (17.1 m)
and <code>maxpoll</code> defaults to 14 (4.5 h).
The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
</p></dd>
</dl>
</dd>
<dt><code>fudge</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[<code>time1</code> <kbd>sec</kbd>]</code> <code>[<code>time2</code> <kbd>sec</kbd>]</code> <code>[<code>stratum</code> <kbd>int</kbd>]</code> <code>[<code>refid</code> <kbd>string</kbd>]</code> <code>[<code>mode</code> <kbd>int</kbd>]</code> <code>[<code>flag1</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag2</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag3</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag4</code> <code>0</code> <code>|</code> <code>1</code>]</code></dt>
<dd><p>This command can be used to configure reference clocks in special
ways.
It must immediately follow the <code>server</code> command which
configures the driver.
Note that the same capability is possible at run time using the
<code>ntpdc(1ntpdcmdoc)</code> program.
The options are interpreted as follows:
</p><dl compact="compact">
<dt><code>time1</code> <kbd>sec</kbd></dt>
<dd><p>Specifies a constant to be added to the time offset produced by
the driver, a fixed-point decimal number in seconds.
This is used as a calibration constant to adjust the nominal time
offset of a particular clock to agree with an external standard, such
as a precision PPS signal.
It also provides a way to correct a systematic error or bias due to
serial port or operating system latencies, different cable lengths or
receiver internal delay.
The specified offset is in addition to the propagation delay provided
by other means, such as internal DIP switches.
Where a calibration for an individual system and driver is available,
an approximate correction is noted in the driver documentation pages.
Note: in order to facilitate calibration when more than one radio clock
or PPS signal is supported, a special calibration feature is available.
It takes the form of an argument to the <code>enable</code> command
described in the
<a href="#Miscellaneous-Options">Miscellaneous Options</a> page and
operates as described in the "Reference Clock Drivers" page (available
as part of the HTML documentation provided in
<samp>/usr/share/doc/ntp</samp>).
</p></dd>
<dt><code>time2</code> <kbd>secs</kbd></dt>
<dd><p>Specifies a fixed-point decimal number in seconds, which is
interpreted in a driver-dependent way.
See the descriptions of specific drivers in the "Reference Clock
Drivers" page (available as part of the HTML documentation provided in
<samp>/usr/share/doc/ntp</samp>).
</p></dd>
<dt><code>stratum</code> <kbd>int</kbd></dt>
<dd><p>Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
This number overrides the default stratum number ordinarily assigned by
the driver itself, usually zero.
</p></dd>
<dt><code>refid</code> <kbd>string</kbd></dt>
<dd><p>Specifies an ASCII string of from one to four characters which
defines the reference identifier used by the driver.
This string overrides the default identifier ordinarily assigned by the
driver itself.
</p></dd>
<dt><code>mode</code> <kbd>int</kbd></dt>
<dd><p>Specifies a mode number which is interpreted in a device-specific
fashion.
For instance, it selects a dialing protocol in the ACTS driver and a
device subtype in the parse drivers.
</p></dd>
<dt><code>flag1</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dt><code>flag2</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dt><code>flag3</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dt><code>flag4</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dd><p>These four flags are used for customizing the clock driver.
The interpretation of these values, and whether they are used at all,
is a function of the particular clock driver.
However, by convention <code>flag4</code> is used to enable recording
monitoring data to the <code>clockstats</code> file configured with the
<code>filegen</code> command.
Further information on the <code>filegen</code> command can be found in
‘Monitoring Options’.
</p></dd>
</dl>
</dd>
</dl>
<hr>
<span id="Miscellaneous-Options"></span><div class="header">
<p>
Next: <a href="#ntp_002econf-Files" accesskey="n" rel="next">ntp.conf Files</a>, Previous: <a href="#Reference-Clock-Support" accesskey="p" rel="prev">Reference Clock Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="Miscellaneous-Options-1"></span><h4 class="subsection">1.1.7 Miscellaneous Options</h4>
<dl compact="compact">
<dt><code>broadcastdelay</code> <kbd>seconds</kbd></dt>
<dd><p>The broadcast and multicast modes require a special calibration to
determine the network delay between the local and remote servers.
Ordinarily, this is done automatically by the initial protocol
exchanges between the client and server.
In some cases, the calibration procedure may fail due to network or
server access controls, for example.
This command specifies the default delay to be used under these
circumstances.
Typically (for Ethernet), a number between 0.003 and 0.007 seconds is
appropriate.
The default when this command is not used is 0.004 seconds.
</p></dd>
<dt><code>driftfile</code> <kbd>driftfile</kbd></dt>
<dd><p>This command specifies the complete path and name of the file used
to record the frequency of the local clock oscillator.
This is the same operation as the <code>-f</code> command line option.
If the file exists, it is read at startup in order to set the initial
frequency and then updated once per hour with the current frequency
computed by the daemon.
If the file name is specified, but the file itself does not exist, the
daemon starts with an initial frequency of zero and creates the file
when writing it for the first time.
If this command is not given, the daemon will always start with an
initial frequency of zero.
</p>
<p>The file format consists of a single line containing a single
floating point number, which records the frequency offset measured in
parts-per-million (PPM).
The file is updated by first writing the current drift value into a
temporary file and then renaming this file to replace the old version.
This implies that <code>ntpd(1ntpdmdoc)</code> must have write
permission for the directory the drift file is located in, and that
file system links, symbolic or otherwise, should be avoided.
</p></dd>
<dt><code>dscp</code> <kbd>value</kbd></dt>
<dd><p>This option specifies the Differentiated Services Control Point
(DSCP) value, a 6-bit code.
The default value is 46, signifying Expedited Forwarding.
</p></dd>
<dt><code>enable</code> <code>[<code>auth</code> | <code>bclient</code> | <code>calibrate</code> | <code>kernel</code> | <code>mode7</code> | <code>monitor</code> | <code>ntp</code> | <code>stats</code> | <code>peer_clear_digest_early</code> | <code>unpeer_crypto_early</code> | <code>unpeer_crypto_nak_early</code> | <code>unpeer_digest_early</code>]</code></dt>
<dt><code>disable</code> <code>[<code>auth</code> | <code>bclient</code> | <code>calibrate</code> | <code>kernel</code> | <code>mode7</code> | <code>monitor</code> | <code>ntp</code> | <code>stats</code> | <code>peer_clear_digest_early</code> | <code>unpeer_crypto_early</code> | <code>unpeer_crypto_nak_early</code> | <code>unpeer_digest_early</code>]</code></dt>
<dd><p>Provides a way to enable or disable various server options.
Flags not mentioned are unaffected.
Note that all of these flags can be controlled remotely using the
<code>ntpdc(1ntpdcmdoc)</code> utility program.
</p><dl compact="compact">
<dt><code>auth</code></dt>
<dd><p>Enables the server to synchronize with unconfigured peers only if
the peer has been correctly authenticated using either public key or
private key cryptography.
The default for this flag is <code>enable</code>.
</p></dd>
<dt><code>bclient</code></dt>
<dd><p>Enables the server to listen for a message from a broadcast or
multicast server, as in the <code>multicastclient</code> command with
default address.
The default for this flag is <code>disable</code>.
</p></dd>
<dt><code>calibrate</code></dt>
<dd><p>Enables the calibrate feature for reference clocks.
The default for this flag is <code>disable</code>.
</p></dd>
<dt><code>kernel</code></dt>
<dd><p>Enables the kernel time discipline, if available.
The default for this flag is <code>enable</code> if support is
available, otherwise <code>disable</code>.
</p></dd>
<dt><code>mode7</code></dt>
<dd><p>Enables processing of NTP mode 7 implementation-specific requests
which are used by the deprecated <code>ntpdc(1ntpdcmdoc)</code> program.
The default for this flag is disable.
This flag is excluded from runtime configuration using
<code>ntpq(1ntpqmdoc)</code>.
The <code>ntpq(1ntpqmdoc)</code> program provides the same capabilities
as <code>ntpdc(1ntpdcmdoc)</code> using standard mode 6 requests.
</p></dd>
<dt><code>monitor</code></dt>
<dd><p>Enables the monitoring facility.
See the <code>ntpdc(1ntpdcmdoc)</code> program and the
<code>monlist</code> command for further information.
The default for this flag is <code>enable</code>.
</p></dd>
<dt><code>ntp</code></dt>
<dd><p>Enables time and frequency discipline.
In effect, this switch opens and closes the feedback loop, which is
useful for testing.
The default for this flag is <code>enable</code>.
</p></dd>
<dt><code>peer_clear_digest_early</code></dt>
<dd><p>By default, if <code>ntpd(1ntpdmdoc)</code> is using autokey and
it receives a crypto-NAK packet that passes the duplicate packet and
origin timestamp checks, the peer variables are immediately cleared.
While this is generally a feature as it allows for quick recovery if a
server key has changed, a properly forged and appropriately delivered
crypto-NAK packet can be used in a DoS attack.
If you have active noticeable problems with this type of DoS attack
then you should consider disabling this option.
You can check your <code>peerstats</code> file for evidence of any of
these attacks.
The default for this flag is <code>enable</code>.
</p></dd>
<dt><code>stats</code></dt>
<dd><p>Enables the statistics facility.
See the ‘Monitoring Options’ section for further information.
The default for this flag is <code>disable</code>.
</p></dd>
<dt><code>unpeer_crypto_early</code></dt>
<dd><p>By default, if <code>ntpd(1ntpdmdoc)</code> receives an autokey
packet that fails TEST9, a crypto failure, the association is
immediately cleared.
This is almost certainly a feature, but if, in spite of the current
recommendation of not using autokey, you are <strong>still</strong>
using autokey <strong>and</strong> you are seeing this sort of DoS
attack, disabling this flag will delay tearing down the association
until the reachability counter becomes zero.
You can check your <code>peerstats</code> file for evidence of any of
these attacks.
The default for this flag is <code>enable</code>.
</p></dd>
<dt><code>unpeer_crypto_nak_early</code></dt>
<dd><p>By default, if
<code>ntpd(1ntpdmdoc)</code>
receives a crypto-NAK packet that
passes the duplicate packet and origin timestamp checks,
the association is immediately cleared.
While this is generally a feature,
as it allows for quick recovery if a server key has changed,
a properly forged and appropriately delivered crypto-NAK packet
can be used in a DoS attack.
If you have active, noticeable problems with this type of DoS attack,
then you should consider
disabling this option.
You can check your
<code>peerstats</code>
file for evidence of any of these attacks.
The
default for this flag is
<code>enable</code>.
</p></dd>
<dt><code>unpeer_digest_early</code></dt>
<dd><p>By default, if
<code>ntpd(1ntpdmdoc)</code>
receives what should be an authenticated packet
that passes other packet sanity checks but
contains an invalid digest,
the association is immediately cleared.
While this is generally a feature,
as it allows for quick recovery,
if this type of packet is carefully forged and sent
during an appropriate window it can be used for a DoS attack.
If you have active, noticeable problems with this type of DoS attack,
then you should consider
disabling this option.
You can check your
<code>peerstats</code>
file for evidence of any of these attacks.
The
default for this flag is
<code>enable</code>.
</p></dd>
</dl>
</dd>
<dt><code>includefile</code> <kbd>includefile</kbd></dt>
<dd><p>This command allows additional configuration commands
to be included from a separate file.
Include files may
be nested to a depth of five; upon reaching the end of any
include file, command processing resumes in the previous
configuration file.
This option is useful for sites that run
<code>ntpd(1ntpdmdoc)</code>
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
</p></dd>
<dt><code>interface</code> <code>[<code>listen</code> | <code>ignore</code> | <code>drop</code>]</code> <code>[<code>all</code> | <code>ipv4</code> | <code>ipv6</code> | <code>wildcard</code> | <kbd>name</kbd> | <kbd>address</kbd> <code>[<code>/</code> <kbd>prefixlen</kbd>]</code>]</code></dt>
<dd><p>The
<code>interface</code>
directive controls which network addresses
<code>ntpd(1ntpdmdoc)</code>
opens, and whether input is dropped without processing.
The first parameter determines the action for addresses
which match the second parameter.
The second parameter specifies a class of addresses,
or a specific interface name,
or an address.
In the address case,
<kbd>prefixlen</kbd>
determines how many bits must match for this rule to apply.
<code>ignore</code>
prevents opening matching addresses;
<code>drop</code>
causes
<code>ntpd(1ntpdmdoc)</code>
to open the address and drop all received packets without examination.
Multiple
<code>interface</code>
directives can be used.
The last rule which matches a particular address determines the action for it;
an address that no rule matches is opened.
<code>interface</code>
directives are disabled if any of the
<code>-I</code>,
<code>--interface</code>,
<code>-L</code>,
or
<code>--novirtualips</code>
command-line options are specified.
If neither those options nor any
<code>interface</code>
directive in the configuration file restricts the set of addresses,
all available network addresses are opened.
The
<code>nic</code>
directive is an alias for
<code>interface</code>.
</p></dd>
<dt><code>leapfile</code> <kbd>leapfile</kbd></dt>
<dd><p>This command loads the IERS leapseconds file and initializes the
leapsecond values for the next leapsecond event, leapfile expiration
time, and TAI offset.
The file can be obtained directly from the IERS at
<code>https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>
or
<code>ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>.
The
<code>leapfile</code>
is scanned when
<code>ntpd(1ntpdmdoc)</code>
processes the
<code>leapfile</code>
directive or when
<code>ntpd</code>
detects that the
<kbd>leapfile</kbd>
has changed.
<code>ntpd</code>
checks once a day to see if the
<kbd>leapfile</kbd>
has changed.
The
<code>update-leap(1update_leapmdoc)</code>
script can be run to see if the
<kbd>leapfile</kbd>
should be updated.
</p></dd>
<dt><code>leapsmearinterval</code> <kbd>seconds</kbd></dt>
<dd><p>This EXPERIMENTAL option is only available if
<code>ntpd(1ntpdmdoc)</code>
was built with the
<code>--enable-leap-smear</code>
option to the
<code>configure</code>
script.
It specifies the interval over which a leap second correction will be applied.
Recommended values for this option are between
7200 (2 hours) and 86400 (24 hours).
<strong>DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS!</strong>
See http://bugs.ntp.org/2855 for more information.
</p></dd>
<dt><code>logconfig</code> <kbd>configkeyword</kbd></dt>
<dd><p>This command controls the amount and type of output written to
the system
<code>syslog(3)</code>
facility or the alternate
<code>logfile</code>
log file.
By default, all output is turned on.
All
<kbd>configkeyword</kbd>
keywords can be prefixed with
‘=’,
‘+’
and
‘-’,
where
‘=’
sets the
<code>syslog(3)</code>
priority mask,
‘+’
adds and
‘-’
removes
messages.
<code>syslog(3)</code>
messages can be controlled in four
classes
(<code>clock</code>, <code>peer</code>, <code>sys</code> and <code>sync</code>).
Within these classes four types of messages can be
controlled: informational messages
(<code>info</code>),
event messages
(<code>events</code>),
statistics messages
(<code>statistics</code>)
and
status messages
(<code>status</code>).
</p>
<p>Configuration keywords are formed by concatenating the message class with
the event class.
The
<code>all</code>
prefix can be used instead of a message class.
A
message class may also be followed by the
<code>all</code>
keyword to enable/disable all
messages of the respective message class.
Thus, a minimal log configuration
could look like this:
</p><pre class="verbatim">logconfig =syncstatus +sysevents
</pre>
<p>This would just list the synchronization state of
<code>ntpd(1ntpdmdoc)</code>
and the major system events.
For a simple reference server, the
following minimum message configuration could be useful:
</p><pre class="verbatim">logconfig =syncall +clockall
</pre>
<p>This configuration will list all clock information and
synchronization information.
All other events and messages about
peers, system events and so on are suppressed.
</p></dd>
<dt><code>logfile</code> <kbd>logfile</kbd></dt>
<dd><p>This command specifies the location of an alternate log file to
be used instead of the default system
<code>syslog(3)</code>
facility.
This is the same operation as the
<code>-l</code>
command line option.
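</p></dd>
<dd><p>The matching rules of the <code>interface</code> directive above (class,
interface-name or address/prefix selectors; several directives in sequence; the
last matching rule wins; an address nothing matches is opened), worked through as
an added example that is not code from the NTP project. It evaluates a small
constructed rule set against constructed local addresses, so the effect of an
<code>interface ignore wildcard</code> first line followed by explicit
<code>listen</code> rules can be checked before it goes into a real
<code>ntp.conf</code>. The interface names, addresses and the rule set are all
made up for the example; the directive syntax is the one documented above.</p>

```python
"""Evaluate ntp.conf 'interface' directives against a host's local addresses.

Added example, not code from the NTP project.  Semantics modelled from the
ntp.conf description:
    interface <listen|ignore|drop> <all|ipv4|ipv6|wildcard|NAME|ADDRESS[/PREFIXLEN]>
Rules are checked in order, the last matching rule decides, and an address
that no rule matches is opened.  'nic' is accepted as an alias.
"""
import ipaddress
from dataclasses import dataclass

ACTIONS = ("listen", "ignore", "drop")


@dataclass(frozen=True)
class LocalAddress:
    """One address ntpd could bind; name is the interface it belongs to."""
    name: str
    address: str   # "0.0.0.0" and "::" stand for the wildcard sockets


def parse_interface_rules(config_text):
    """Pull (action, selector) pairs out of interface/nic lines, in order."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] not in ("interface", "nic") or len(words) != 3:
            raise ValueError(f"not an interface directive: {raw!r}")
        action, selector = words[1], words[2]
        if action not in ACTIONS:
            raise ValueError(f"unknown interface action {action!r}")
        rules.append((action, selector))
    return rules


def selector_matches(selector, local):
    """Does one selector apply to this local address?"""
    addr = ipaddress.ip_address(local.address)
    if selector == "all":
        return True
    if selector == "ipv4":
        return addr.version == 4
    if selector == "ipv6":
        return addr.version == 6
    if selector == "wildcard":
        return addr.is_unspecified
    try:
        net = ipaddress.ip_network(selector, strict=False)   # ADDRESS or ADDRESS/PREFIXLEN
    except ValueError:
        return selector == local.name                        # otherwise an interface name
    return addr.version == net.version and addr in net


def action_for(rules, local):
    """Last matching rule wins; with no match the address is opened."""
    action = "listen"
    for candidate, selector in rules:
        if selector_matches(selector, local):
            action = candidate
    return action


def apply_rules(config_text, local_addresses):
    rules = parse_interface_rules(config_text)
    return {f"{la.name}/{la.address}": action_for(rules, la) for la in local_addresses}


# Constructed rule set: close everything, then open only what is needed.
SAMPLE_CONFIG = """
interface ignore wildcard        # never bind 0.0.0.0 / ::
interface ignore ipv6
interface listen 192.0.2.0/24    # the management network
interface drop 192.0.2.99        # bind this one, but discard whatever arrives on it
nic listen lo
"""

# Constructed local addresses, as a host with two NICs might have them.
SAMPLE_LOCALS = [
    LocalAddress("lo", "127.0.0.1"),
    LocalAddress("eth0", "192.0.2.10"),
    LocalAddress("eth0", "192.0.2.99"),
    LocalAddress("eth1", "198.51.100.7"),
    LocalAddress("eth0", "2001:db8::10"),
    LocalAddress("wildcard", "0.0.0.0"),
    LocalAddress("wildcard", "::"),
]

if __name__ == "__main__":
    for key, action in apply_rules(SAMPLE_CONFIG, SAMPLE_LOCALS).items():
        print(f"{key:28} {action}")
```

<p>The rule set has the usual hardening shape: close the wildcard and IPv6
sockets, open only the subnet and loopback the service is meant for, and keep one
local address bound but deaf with <code>drop</code>. Note that the result for
<code>eth1</code> is <code>listen</code> even though no rule names it: the
directive only restricts what is explicitly matched. Note also that, exactly as in
<code>ntpd</code>, the selectors describe the daemon's own local addresses; which
remote clients may talk to it is the business of <code>restrict</code>, not of
<code>interface</code>.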
</p></dd>
<dt><code>mru</code> <code>[<code>maxdepth</code> <kbd>count</kbd> | <code>maxmem</code> <kbd>kilobytes</kbd> | <code>mindepth</code> <kbd>count</kbd> | <code>maxage</code> <kbd>seconds</kbd> | <code>initalloc</code> <kbd>count</kbd> | <code>initmem</code> <kbd>kilobytes</kbd> | <code>incalloc</code> <kbd>count</kbd> | <code>incmem</code> <kbd>kilobytes</kbd>]</code></dt>
<dd><p>Controls size limits of the monitoring facility’s Most Recently Used
(MRU) list
of client addresses, which is also used by the
rate control facility.
</p><dl compact="compact">
<dt><code>maxdepth</code> <kbd>count</kbd></dt>
<dt><code>maxmem</code> <kbd>kilobytes</kbd></dt>
<dd><p>Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
The actual limit will be up to
<code>incalloc</code>
entries or
<code>incmem</code>
kilobytes larger.
As with all of the
<code>mru</code>
options offered in units of entries or kilobytes, if both
<code>maxdepth</code>
and
<code>maxmem</code>
are used, the last one used controls.
The default is 1024 kilobytes.
</p></dd>
<dt><code>mindepth</code> <kbd>count</kbd></dt>
<dd><p>Lower limit on the MRU list size.
When the MRU list has fewer than
<code>mindepth</code>
entries, existing entries are never removed to make room for newer ones,
regardless of their age.
The default is 600 entries.
</p></dd>
<dt><code>maxage</code> <kbd>seconds</kbd></dt>
<dd><p>Once the MRU list has
<code>mindepth</code>
entries and an additional client is to be added to the list,
if the oldest entry was updated more than
<code>maxage</code>
seconds ago, that entry is removed and its storage is reused.
If the oldest entry was updated more recently, the MRU list is grown,
subject to
<code>maxdepth</code> / <code>maxmem</code>.
The default is 64 seconds.
</p></dd>
<dt><code>initalloc</code> <kbd>count</kbd></dt>
<dt><code>initmem</code> <kbd>kilobytes</kbd></dt>
<dd><p>Initial memory allocation at the time the monitoring facility is first enabled,
in terms of the number of entries or kilobytes.
The default is 4 kilobytes.
</p></dd>
<dt><code>incalloc</code> <kbd>count</kbd></dt>
<dt><code>incmem</code> <kbd>kilobytes</kbd></dt>
<dd><p>Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
The default is 4 kilobytes.
</p></dd>
</dl>
</dd>
<dt><code>nonvolatile</code> <kbd>threshold</kbd></dt>
<dd><p>Specify the
<kbd>threshold</kbd>
delta (a frequency, in seconds per second) before an hourly change to the
<code>driftfile</code>
(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
The frequency file is inspected each hour.
If the difference between the current frequency and the last value written
exceeds the threshold, the file is written and the
<code>threshold</code>
becomes the new threshold value.
If the threshold is not exceeded, it is reduced by half.
This is intended to reduce the number of file writes
for embedded systems with nonvolatile memory.
</p></dd>
<dt><code>phone</code> <kbd>dial</kbd> <kbd>...</kbd></dt>
<dd><p>This command is used in conjunction with
the ACTS modem driver (type 18)
or the JJY driver (type 40, mode 100 - 180).
For the ACTS modem driver (type 18), the arguments consist of
a maximum of 10 telephone numbers used to dial USNO, NIST, or European
time service.
For the JJY driver (type 40, mode 100 - 180), the argument is
one telephone number used to dial the telephone JJY service.
The Hayes command ATDT is normally prepended to the number.
The number can contain other modem control codes as well.
</p></dd>
<dt><code>pollskewlist</code> <code>[<kbd>poll</kbd> <kbd>early</kbd> <kbd>late</kbd>]</code> <kbd>...</kbd> <code>[<code>default</code> <kbd>early</kbd> <kbd>late</kbd>]</code></dt>
<dd><p>Enable skewing of our poll requests to our servers.
<kbd>poll</kbd>
is a number between 3 and 17 inclusive, identifying a specific poll interval.
A poll interval is 2^n seconds in duration,
so a poll value of 3 corresponds to 8 seconds
and
a poll interval of 17 corresponds to
131,072 seconds, or about a day and a half.
The next two numbers must be between 0 and one-half of the poll interval,
inclusive.
<kbd>early</kbd>
specifies how early the poll may start,
while
<kbd>late</kbd>
specifies how late the poll may be delayed.
With no arguments, internally specified default values are chosen.
</p></dd>
<dt><code>reset</code> <code>[<code>allpeers</code>]</code> <code>[<code>auth</code>]</code> <code>[<code>ctl</code>]</code> <code>[<code>io</code>]</code> <code>[<code>mem</code>]</code> <code>[<code>sys</code>]</code> <code>[<code>timer</code>]</code></dt>
<dd><p>Reset one or more groups of counters maintained by
<code>ntpd</code>
and exposed by
<code>ntpq</code>
and
<code>ntpdc</code>.
</p></dd>
<dt><code>rlimit</code> <code>[<code>memlock</code> <kbd>Nmegabytes</kbd> | <code>stacksize</code> <kbd>N4kPages</kbd> | <code>filenum</code> <kbd>Nfiledescriptors</kbd>]</code></dt>
<dd><dl compact="compact">
<dt><code>memlock</code> <kbd>Nmegabytes</kbd></dt>
<dd><p>Specify the number of megabytes of memory that should be
allocated and locked.
Probably only available under Linux, this option may be useful
when dropping root (the
<code>-i</code>
option).
The default is 32 megabytes on non-Linux machines, and -1 under Linux.
-1 means "do not lock the process into memory".
0 means "lock whatever memory the process wants into memory".
</p></dd>
<dt><code>stacksize</code> <kbd>N4kPages</kbd></dt>
<dd><p>Specifies the maximum size of the process stack on systems with the
<code>mlockall()</code>
function.
Defaults to 50 4k pages (200 4k pages in OpenBSD).
</p></dd>
<dt><code>filenum</code> <kbd>Nfiledescriptors</kbd></dt>
<dd><p>Specifies the maximum number of file descriptors ntpd may have open at once.
Defaults to the system default.
</p></dd>
</dl>
</dd>
<dt><code>saveconfigdir</code> <kbd>directory_path</kbd></dt>
<dd><p>Specify the directory in which to write configuration snapshots
requested with
<code>ntpq</code>’s
<code>saveconfig</code>
command.
If
<code>saveconfigdir</code>
does not appear in the configuration file,
<code>saveconfig</code>
requests are rejected by
<code>ntpd</code>.
</p></dd>
<dt><code>saveconfig</code> <kbd>filename</kbd></dt>
<dd><p>Write the current configuration, including any runtime
modifications given with
<code>:config</code>
or
<code>config-from-file</code>,
to the
<code>ntpd</code>
host’s
<kbd>filename</kbd>
in the
<code>saveconfigdir</code>.
This command will be rejected unless the
<code>saveconfigdir</code>
directive appears in
<code>ntpd</code>’s
configuration file.
<kbd>filename</kbd>
can use
<code>strftime(3)</code>
format directives to substitute the current date and time,
for example,
<code>saveconfig ntp-%Y%m%d-%H%M%S.conf</code>.
The filename used is stored in the system variable
<code>savedconfig</code>.
Authentication is required.
</p></dd>
<dt><code>setvar</code> <kbd>variable</kbd> <code>[<code>default</code>]</code></dt>
<dd><p>This command adds an additional system variable.
These
variables can be used to distribute additional information such as
the access policy.
If the variable of the form
<code>name</code><code>=</code><kbd>value</kbd>
is followed by the
<code>default</code>
keyword, the
variable will be listed as part of the default system variables
(<code>rv</code> command).
These additional variables serve
informational purposes only.
They are not related to the protocol
other than that they can be listed.
The known protocol variables will
always override any variables defined via the
<code>setvar</code>
mechanism.
There are three special variables that contain the names
of all variables of the same group.
The
<code>sys_var_list</code>
holds
the names of all system variables.
The
<code>peer_var_list</code>
holds
the names of all peer variables and the
<code>clock_var_list</code>
holds the names of the reference clock variables.
</p></dd>
<dt><code>sysinfo</code></dt>
<dd><p>Display operational summary.
</p></dd>
<dt><code>sysstats</code></dt>
<dd><p>Show statistics counters maintained in the protocol module.
</p></dd>
<dt><code>tinker</code> <code>[<code>allan</code> <kbd>allan</kbd> | <code>dispersion</code> <kbd>dispersion</kbd> | <code>freq</code> <kbd>freq</kbd> | <code>huffpuff</code> <kbd>huffpuff</kbd> | <code>panic</code> <kbd>panic</kbd> | <code>step</code> <kbd>step</kbd> | <code>stepback</code> <kbd>stepback</kbd> | <code>stepfwd</code> <kbd>stepfwd</kbd> | <code>stepout</code> <kbd>stepout</kbd>]</code></dt>
<dd><p>This command can be used to alter several system variables in
very exceptional circumstances.
It should occur in the
configuration file before any other configuration options.
The
default values of these variables have been carefully optimized for
a wide range of network speeds and reliability expectations.
In
general, they interact in intricate ways that are hard to predict
and some combinations can result in some very nasty behavior.
Very
rarely is it necessary to change the default values; but, some
folks cannot resist twisting the knobs anyway and this command is
for them.
Emphasis added: twisters are on their own and can expect
no help from the support group.
</p>
<p>The variables operate as follows:
</p><dl compact="compact">
<dt><code>allan</code> <kbd>allan</kbd></dt>
<dd><p>The argument becomes the new value for the minimum Allan
intercept, which is a parameter of the PLL/FLL clock discipline
algorithm.
The value in log2 seconds defaults to 7 (1024 s), which is also the lower
limit.
</p></dd>
<dt><code>dispersion</code> <kbd>dispersion</kbd></dt>
<dd><p>The argument becomes the new value for the dispersion increase rate,
normally .000015 s/s.
</p></dd>
<dt><code>freq</code> <kbd>freq</kbd></dt>
<dd><p>The argument becomes the initial value of the frequency offset in
parts-per-million.
This overrides the value in the frequency file, if
present, and avoids the initial training state if it is not.
</p></dd>
<dt><code>huffpuff</code> <kbd>huffpuff</kbd></dt>
<dd><p>The argument becomes the new value for the experimental
huff-n’-puff filter span, which determines the most recent interval
the algorithm will search for a minimum delay.
The lower limit is
900 s (15 m), but a more reasonable value is 7200 (2 hours).
There
is no default, since the filter is not enabled unless this command
is given.
</p></dd>
<dt><code>panic</code> <kbd>panic</kbd></dt>
<dd><p>The argument is the panic threshold, normally 1000 s.
If set to zero,
the panic sanity check is disabled and a clock offset of any value will
be accepted.
</p></dd>
<dt><code>step</code> <kbd>step</kbd></dt>
<dd><p>The argument is the step threshold, which by default is 0.128 s.
It can
be set to any positive number in seconds.
If set to zero, step
adjustments will never occur.
Note: The kernel time discipline is
disabled if the step threshold is set to zero or greater than the
default.
</p></dd>
<dt><code>stepback</code> <kbd>stepback</kbd></dt>
<dd><p>The argument is the step threshold for the backward direction,
which by default is 0.128 s.
It can
be set to any positive number in seconds.
If both the forward and backward step thresholds are set to zero, step
adjustments will never occur.
Note: The kernel time discipline is
disabled if
either direction’s step threshold is
set to zero or greater than 0.5 second.
</p></dd>
<dt><code>stepfwd</code> <kbd>stepfwd</kbd></dt>
<dd><p>As for stepback, but for the forward direction.
</p></dd>
<dt><code>stepout</code> <kbd>stepout</kbd></dt>
<dd><p>The argument is the stepout timeout, which by default is 900 s.
It can
be set to any positive number in seconds.
If set to zero, the stepout
pulses will not be suppressed.
</p></dd>
</dl>
</dd>
<dt><code>writevar</code> <kbd>assocID</kbd> <kbd>name</kbd> <kbd>=</kbd> <kbd>value</kbd> <kbd>[,...]</kbd></dt>
<dd><p>Write (create or update) the specified variables.
If the
<code>assocID</code>
is zero, the variables are from the
system variables
name space, otherwise they are from the
peer variables
name space.
The
<code>assocID</code>
is required, as the same name can occur in both name spaces.
</p></dd>
<dt><code>trap</code> <kbd>host_address</kbd> <code>[<code>port</code> <kbd>port_number</kbd>]</code> <code>[<code>interface</code> <kbd>interface_address</kbd>]</code></dt>
<dd><p>This command configures a trap receiver at the given host
address and port number for sending messages with the specified
local interface address.
If the port number is unspecified, a value
of 18447 is used.
If the interface address is not specified, the
message is sent with a source address of the local interface the
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
</p>
<p>The trap receiver will generally log event messages and other
information from the server in a log file.
While such monitor
programs may also request their own trap dynamically, configuring a
trap receiver will ensure that no messages are lost when the server
is started.
</p></dd>
<dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd></dt>
<dd><p>This command specifies a list of TTL values in increasing order.
Up to 8 values can be specified.
In
<code>manycast</code>
mode these values are used in turn in an expanding-ring search.
The default is eight multiples of 32 starting at 31.
</p></dd>
</dl>

<p>This section was generated by <strong>AutoGen</strong>,
using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp.conf</code> program.
This software is released under the NTP license, &lt;http://ntp.org/license&gt;.
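</p>
<p>The MRU list growth and recycling policy described under <code>mru</code>
above (<code>mindepth</code>, <code>maxage</code>, <code>maxdepth</code>), as an
added example that is not code from the NTP project. It models the list in
entries only, so <code>maxmem</code>/<code>incmem</code> (the same limits in
kilobytes) and the allocation step sizes are not represented, and it adds one
assumption the text leaves implicit: once the list is at <code>maxdepth</code>
the oldest entry is recycled whatever its age. The client and flood addresses
are constructed. The point it makes is a security one: a stream of packets from
distinct (spoofable) source addresses cannot grow the list past its cap, but it
does push every legitimate client out of it, and the rate control facility that
consults the list is then left with no history for them.</p>

```python
"""Model of the MRU list growth/recycling policy described under 'mru'.

Added example, not ntpd's own implementation.  Modelled in entries only
(maxmem/incmem are not represented).  One assumption beyond the manual text:
once the list is at maxdepth the oldest entry is recycled regardless of age.
"""
from collections import OrderedDict


class MruList:
    def __init__(self, mindepth=600, maxage=64, maxdepth=2048):
        self.mindepth = mindepth
        self.maxage = maxage
        self.maxdepth = maxdepth        # constructed stand-in for the maxmem byte cap
        self.entries = OrderedDict()    # address -> last update time; oldest first
        self.recycled = 0

    def _recycle_oldest(self):
        self.entries.popitem(last=False)
        self.recycled += 1

    def touch(self, address, now):
        """Account for a packet from address at time now (seconds).

        Returns what happened: 'updated', 'grown' or 'recycled'."""
        if address in self.entries:
            self.entries.move_to_end(address)   # most recently used goes last
            self.entries[address] = now
            return "updated"
        if len(self.entries) >= self.maxdepth:
            self._recycle_oldest()              # hard cap: reuse the oldest slot
            self.entries[address] = now
            return "recycled"
        if len(self.entries) >= self.mindepth:
            _, oldest_seen = next(iter(self.entries.items()))
            if now - oldest_seen > self.maxage:
                self._recycle_oldest()          # stale entry: reuse it
                self.entries[address] = now
                return "recycled"
        self.entries[address] = now             # below mindepth, or nothing stale: grow
        return "grown"


def spoofed_flood(mru, sources, start, rate):
    """Feed 'sources' distinct, never-repeating addresses at 'rate' packets/s."""
    outcomes = {}
    for i in range(sources):
        result = mru.touch(f"spoofed-{i}", start + i / rate)   # constructed addresses
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


def flood_demo(clients=50, sources=5000, rate=500.0, **limits):
    """50 real clients seen at t=0, then 5000 spoofed sources in 10 seconds."""
    mru = MruList(**limits)
    for i in range(clients):
        mru.touch(f"client-{i}", 0.0)
    outcomes = spoofed_flood(mru, sources, start=1.0, rate=rate)
    survivors = sum(1 for addr in mru.entries if addr.startswith("client-"))
    return {"outcomes": outcomes, "size": len(mru.entries),
            "clients_left": survivors, "recycled": mru.recycled}


if __name__ == "__main__":
    print(flood_demo())
```

<p>With the defaults above the flood grows the list straight to the cap (none
of the early entries is older than <code>maxage</code> yet), after which every
further new source recycles the oldest slot, and the fifty real clients are the
first to go. Raising <code>mindepth</code> protects a floor of entries from
age-based recycling, and raising <code>maxdepth</code>/<code>maxmem</code> makes
the cap harder to reach, at the price of memory; neither stops a sustained flood
from eventually evicting old entries, which is why the list is bounded in memory
rather than in fairness.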
</p>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Files" accesskey="1">ntp.conf Files</a></td><td> </td><td align="left" valign="top">Files
</td></tr>
<tr><td align="left" valign="top">• <a href="#ntp_002econf-See-Also" accesskey="2">ntp.conf See Also</a></td><td> </td><td align="left" valign="top">See Also
</td></tr>
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Bugs" accesskey="3">ntp.conf Bugs</a></td><td> </td><td align="left" valign="top">Bugs
</td></tr>
<tr><td align="left" valign="top">• <a href="#ntp_002econf-Notes" accesskey="4">ntp.conf Notes</a></td><td> </td><td align="left" valign="top">Notes
</td></tr>
</table>

<hr>
<span id="ntp_002econf-Files"></span><div class="header">
<p>
Next: <a href="#ntp_002econf-See-Also" accesskey="n" rel="next">ntp.conf See Also</a>, Previous: <a href="#Miscellaneous-Options" accesskey="p" rel="prev">Miscellaneous Options</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="ntp_002econf-Files-1"></span><h4 class="subsection">1.1.8 ntp.conf Files</h4>
<dl compact="compact">
<dt><samp>/etc/ntp.conf</samp></dt>
<dd><p>the default name of the configuration file
</p></dd>
<dt><samp>ntp.keys</samp></dt>
<dd><p>private MD5 keys
</p></dd>
<dt><samp>ntpkey</samp></dt>
<dd><p>RSA private key
</p></dd>
<dt><samp>ntpkey_</samp><kbd>host</kbd></dt>
<dd><p>RSA public key
</p></dd>
<dt><samp>ntp_dh</samp></dt>
<dd><p>Diffie-Hellman agreement parameters
</p></dd>
</dl>
<hr>
<span id="ntp_002econf-See-Also"></span><div class="header">
<p>
Next: <a href="#ntp_002econf-Bugs" accesskey="n" rel="next">ntp.conf Bugs</a>, Previous: <a href="#ntp_002econf-Files" accesskey="p" rel="prev">ntp.conf Files</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u"
rel="up">ntp.conf Notes</a> </p>
</div>
<span id="ntp_002econf-See-Also-1"></span><h4 class="subsection">1.1.9 ntp.conf See Also</h4>
<p><code>ntpd(1ntpdmdoc)</code>,
<code>ntpdc(1ntpdcmdoc)</code>,
<code>ntpq(1ntpqmdoc)</code>
</p>
<p>In addition to the manual pages provided,
comprehensive documentation is available on the world wide web
at
<code>http://www.ntp.org/</code>.
A snapshot of this documentation is available in HTML format in
<samp>/usr/share/doc/ntp</samp>.
<br>
</p>
<br>
<p>David L. Mills, <em>Network Time Protocol (Version 4)</em>, RFC5905
</p><hr>
<span id="ntp_002econf-Bugs"></span><div class="header">
<p>
Previous: <a href="#ntp_002econf-See-Also" accesskey="p" rel="prev">ntp.conf See Also</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> </p>
</div>
<span id="ntp_002econf-Bugs-1"></span><h4 class="subsection">1.1.10 ntp.conf Bugs</h4>
<p>The syntax checking is not picky; some combinations of
ridiculous and even hilarious options and modes may not be
detected.
</p>
<p>The
<samp>ntpkey_</samp><kbd>host</kbd>
files are really digital
certificates.
These should be obtained via secure directory
services when they become universally available.
</p><hr>
<div class="header">
<p>
 </p>
</div>
<span id="ntp_002econf-Notes-1"></span><h4 class="subsection">1.1.11 ntp.conf Notes</h4>
<p>This document was derived from FreeBSD.
</p><hr>



</body>
</html>