From owner-freebsd-security Fri Aug 20 9:29:10 1999
Message-ID: <37BD81C7.46F9F9E3@gorean.org>
Date: Fri, 20 Aug 1999 09:26:47 -0700
From: Doug
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 4.0-CURRENT-0815 i386)
To: Brett Glass
Cc: Archie Cobbs, Lowkrantz Goran, "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Securelevel 3 ant setting time
References: <4.2.0.58.19990819161554.04790800@localhost> <4.2.0.58.19990820035954.04757b80@localhost>

Brett Glass wrote:
> 
> At 04:14 PM 8/19/99 -0700, Doug wrote:
> 
> >         If you're going to do this anyway, why not just use xntpd? It's
> > more reliable, has better mechanisms to resolve the skew between your
> > various time sources, and will keep your clock within the range of
> > adjustments that are allowable in securelevel 3.
> 
> I looked at the man page for xntpd once, and walked away (well,
> VIRTUALLY walked away) scratching my head. It was totally opaque.

	Yeah, I admit it's pretty dense stuff. However, once you get a feel for
it, IMO it's one of the more amazing pieces of software on the 'net. Take a
look at http://www.eecis.udel.edu/~ntp/, and especially the list of public
stratum 3 servers. It's generally considered rude to synch a workstation to
a stratum 1 or 2 server, and you won't notice the few milliseconds
difference anyway.
	Once you have a list of 4 or 5 servers that have good (and diverse)
network topology to your site, put them in an ntp.conf file like this:

server best.or.closest.site prefer
server second.best.site
server third.best.site
server etc....
driftfile /etc/ntp.drift

	And you're done. Fire up xntpd and it will start synching your clock.
In your /etc/rc.conf enable ntpdate and xntpd and put in the first server on
your list as the flag argument to ntpdate. Overall you will probably find
that the system load is less with xntpd because it does its job more slowly,
and keeps the clock closer in synch. Here are some figures to contrast with
on my P5 150 system that's been up for two weeks:

  UID PRI  NI  VSZ RSS        TIME COMMAND
    0  18   0    0   0    10:09.23 (syncer)
    0   2   0  568 400     4:53.42 /sbin/natd -dynamic -n ep0
    0   2 -12 1032 648     3:26.28 xntpd -p /var/run/xntpd.pid
    0   2   0 1472 968     1:43.72 /usr/local/sbin/httpd
65534  99   0  816 488 12386:31.83 /usr/local/distributed.net/rc5des -quiet

Hope this helps,

Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
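As an added example (not part of Doug's message and not a FreeBSD script), a small POSIX shell script that builds the ntp.conf layout described above from a server list, checks that the list has the shape he recommends, and prints the matching rc.conf lines. The host names are constructed placeholders, and the rc.conf knob names ntpdate_enable, ntpdate_flags and xntpd_enable are assumed for a FreeBSD box of that era.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ntp.conf layout
# described above from a server list, sanity-checks it, and prints the
# rc.conf knobs. The knob names ntpdate_enable, ntpdate_flags and
# xntpd_enable are assumed for a FreeBSD box of that era.

# gen_ntp_conf "srv1 srv2 ..." [driftfile]: first server gets "prefer".
gen_ntp_conf() {
    _drift=${2:-/etc/ntp.drift}
    _first=1
    for _s in $1; do
        if [ "$_first" -eq 1 ]; then
            printf 'server %s prefer\n' "$_s"; _first=0
        else
            printf 'server %s\n' "$_s"
        fi
    done
    printf 'driftfile %s\n' "$_drift"
}

# check_ntp_conf FILE: returns 0 only for 4+ distinct servers, exactly one
# "prefer" and one driftfile line; otherwise prints what is wrong.
check_ntp_conf() {
    _n=$(awk '$1=="server"' "$1" | wc -l | tr -d ' ')
    _u=$(awk '$1=="server"{print $2}' "$1" | sort -u | wc -l | tr -d ' ')
    _p=$(awk '$1=="server" && $NF=="prefer"' "$1" | wc -l | tr -d ' ')
    _d=$(awk '$1=="driftfile"' "$1" | wc -l | tr -d ' ')
    _ok=0
    [ "$_n" -ge 4 ]     || { echo "only $_n servers; 4 or 5 is the target"; _ok=1; }
    [ "$_u" -eq "$_n" ] || { echo "duplicate server entries"; _ok=1; }
    [ "$_p" -eq 1 ]     || { echo "want exactly one prefer, found $_p"; _ok=1; }
    [ "$_d" -eq 1 ]     || { echo "driftfile line missing or repeated"; _ok=1; }
    return "$_ok"
}

# rc_conf_lines "srv1 srv2 ...": ntpdate is pointed at the first server.
rc_conf_lines() {
    printf 'ntpdate_enable="YES"\nntpdate_flags="%s"\nxntpd_enable="YES"\n' "${1%% *}"
}

# Demonstration with constructed placeholder host names.
SERVERS="ntp1.example.net ntp2.example.net ntp3.example.net ntp4.example.net"
CONF=$(mktemp)
gen_ntp_conf "$SERVERS" > "$CONF"
check_ntp_conf "$CONF" && cat "$CONF" && rc_conf_lines "$SERVERS"
rm -f "$CONF"
```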