Date: Wed, 18 Oct 2006 06:51:39 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Chuck Swiger <cswiger@mac.com>
Cc: Zbigniew Szalbot <zbyszek@szalbot.homedns.org>, freebsd-questions@freebsd.org
Subject: Re: ntpd not adjusting the clock?
Message-ID: <4535C0EB.8000700@infracaninophile.co.uk>
In-Reply-To: <F5EF37C8-7955-4246-932E-833A537A4009@mac.com>
References: <20061018000853.O49453@192.168.11.51> <F5EF37C8-7955-4246-932E-833A537A4009@mac.com>
Chuck Swiger wrote:
> On Oct 17, 2006, at 3:13 PM, Zbigniew Szalbot wrote:
>> My ntp.conf file looks like that:
>>
>> server 2.pl.pool.ntp.org prefer
>> server 1.europe.pool.ntp.org
>> server 0.europe.pool.ntp.org
>> restrict default ignore
>> driftfile /var/db/ntp.drift
>
> Unless you've got additional restrict lines which permit some hosts to
> make changes, using only "restrict default ignore" will prevent ntpd
> from paying attention to the timeservers you've listed and it will even
> prevent ntpd from changing the local clock or being administered via
> ntpq from localhost.
>
> This misconfiguration will also cause your ntpd to generate excessive
> numbers of queries, rather than syncing up and reducing the NTP polling
> interval from minpoll to maxpoll. [1]
>
> Remove that line and restart ntpd.
That means that anyone can connect to your NTP daemon and poll it for time
service or use ntpdc to muck around with your configuration. It's better
to use at minimum:

restrict default nopeer nomodify
restrict localhost

(the 'restrict localhost' line actually removes all limitations on access
from localhost. Ain't ntp.conf syntax wonderful.)

Ideally, you'd be able to use 'restrict default ignore' then apply

restrict 2.pl.pool.ntp.org nopeer nomodify
server 2.pl.pool.ntp.org prefer

for each server you configure. That works well if you specify individual
servers by name. Unfortunately the way the NTP pool mechanism works makes that
approach unworkable.
Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
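Added example, not code from the thread: a small Python linter that applies both points made above to an ntp.conf, that a bare 'restrict default ignore' cuts off the listed servers and localhost (Chuck's point) and that an open default needs nomodify/nopeer (Matthew's point). The three embedded configurations are constructed from the ones quoted in the thread, and the flag semantics assumed are those of classic ntpd 'restrict'.

```python
def parse_ntp_conf(text):
    """Return (servers, restricts): server hosts and (address, flag-set) pairs."""
    servers, restricts = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(words) < 2:
            continue
        if words[0] == "server":
            servers.append(words[1])
        elif words[0] == "restrict":
            restricts.append((words[1], set(words[2:])))
    return servers, restricts

def lint_restrict_policy(text):
    """Return a list of findings; an empty list means the policy matches the advice."""
    servers, restricts = parse_ntp_conf(text)
    default = next((flags for addr, flags in restricts if addr == "default"), None)
    named = {addr for addr, _ in restricts if addr != "default"}
    findings = []
    if default is None:
        findings.append("no 'restrict default': anyone may query, peer with, or modify this daemon")
    elif "ignore" in default:
        # 'ignore' drops every packet not matched by a more specific restrict line,
        # including replies from the listed servers and ntpq/ntpdc from localhost.
        blocked = [s for s in servers if s not in named]
        if blocked:
            findings.append("'restrict default ignore' leaves no path for: " + ", ".join(blocked))
        if not named & {"localhost", "127.0.0.1", "::1"}:
            findings.append("'restrict default ignore' also blocks ntpq from localhost")
    else:
        findings.extend(f"'restrict default' lacks '{flag}'"
                        for flag in ("nomodify", "nopeer") if flag not in default)
    return findings

# Constructed configurations mirroring the three variants quoted in the thread.
ORIGINAL_CONF = """server 2.pl.pool.ntp.org prefer
server 1.europe.pool.ntp.org
server 0.europe.pool.ntp.org
restrict default ignore
driftfile /var/db/ntp.drift
"""
MINIMUM_CONF = ORIGINAL_CONF.replace(
    "restrict default ignore", "restrict default nopeer nomodify\nrestrict localhost")
PER_SERVER_CONF = """restrict default ignore
restrict 2.pl.pool.ntp.org nopeer nomodify
restrict localhost
server 2.pl.pool.ntp.org prefer
"""
```

Run `lint_restrict_policy(open("/etc/ntp.conf").read())` to check a live file; the original configuration yields two findings, the other two none.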
