From: Harlan Stenn
To: Evren Yurtesen
cc: freebsd-stable@freebsd.org
Subject: Re: ntpd v4.2 problem
Date: Tue, 23 Nov 2004 18:38:32 -0500
Message-ID: <28955.1101253112@dog.pfcs.com>
In-Reply-To: Evren Yurtesen's (yurtesen@ispro.net.tr) message dated Tue, 23 Nov 2004 16:25:29. <41A3D4F9.7090001@ispro.net.tr>

> The problem in the manual is different. You do not have any access
> control in your server, your server is worldwide open to other people
> changing your runtime configuration etc. (as it seems from your conf file)

Wrong - ntpd will never allow changes to itself without explicitly allowing it (via a private key file, and mutually-agreed key numbers and passwords).

> From ntp handbook page!
> ----
> If you only want to allow machines within your own network to
> synchronize their clocks with your server, but ensure they are not
> allowed to configure the server or used as peers to synchronize against, add

That line may be technically true, but it is alarmist and wrong.

> restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

See http://ntp.isc.org/Support/ConfRestrict for info about notrust.

Dave Mills changed the behavior of notrust between the 4.1 and 4.2 releases of ntp. In 4.1, notrust means "do not trust this host/subnet for time". In 4.2, notrust means "require crypto auth before believing this host/subnet for time".

nomodify will block changes even with the correct key/password. But you have to have the correct key and password first.

> But if you use notrust in this line no clients are able to connect. I am
> not sure why. That is why I asked about an ntpd pro having a look.

We'd appreciate more folks adding more info to ntp.isc.org.

H
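An ntp.conf fragment, added here as an illustration and not taken from this thread or the NTP distribution, that puts the 4.2 meaning of notrust described above next to a restrict line that lets LAN clients get time without being able to reconfigure the server. The 192.168.1.0/24 network is the one in the quoted handbook line; the server addresses and the keys file path are placeholders, and the restrict flags and key directives are the standard ones documented for ntpd.

```conf
# Added example ntp.conf fragment (not from the message or the NTP project).
# Shows the ntp 4.2 semantics of notrust beside a working LAN restriction.

# Default policy for anyone not matched by a more specific line: answer
# time requests only. nopeer refuses symmetric peering, noquery refuses
# ntpq/ntpdc queries, nomodify refuses runtime changes, notrap refuses
# trap registration.
restrict default nomodify notrap nopeer noquery

# The host itself is unrestricted so local ntpq/ntpdc still work.
restrict 127.0.0.1

# Weak on 4.2: the handbook line. notrust now means "require cryptographic
# authentication before believing this subnet", so plain (unauthenticated)
# LAN clients are not served time at all. Left commented out on purpose.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# Corrected: LAN clients may synchronize, but cannot reconfigure the server
# (nomodify, enforced even with a valid key), register traps (notrap) or be
# used as peers (nopeer).
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer

# Upstream time sources (placeholder addresses from the documentation range).
server 192.0.2.10
server 192.0.2.11
# Those sources may supply time but nothing else.
restrict 192.0.2.10 nomodify notrap noquery
restrict 192.0.2.11 nomodify notrap noquery

# Runtime changes are only possible where nomodify is absent (here: localhost)
# AND the requester presents the key id/password agreed in the keys file.
keys /etc/ntp.keys        # placeholder path; file holds "1 M <password>"
trustedkey 1
requestkey 1              # key id ntpdc must present
controlkey 1              # key id ntpq must present
```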