Date: Tue, 23 Nov 2004 18:38:32 -0500
From: Harlan Stenn <Harlan.Stenn@pfcs.com>
To: Evren Yurtesen <yurtesen@ispro.net.tr>
Cc: freebsd-stable@freebsd.org
Subject: Re: ntpd v4.2 problem
Message-ID: <28955.1101253112@dog.pfcs.com>
In-Reply-To: Evren Yurtesen's (yurtesen@ispro.net.tr) message dated Tue, 23 Nov 2004 16:25:29. <41A3D4F9.7090001@ispro.net.tr>
> The problem in the manual is different. You do not have any access
> control in your server, your server is worldwide open to other people
> changing your runtime configuration etc. (as it seems from your conf file)

Wrong - ntpd will never allow changes to itself without explicitly allowing it (via a private key file, and mutually-agreed key numbers and passwords).

> From ntp handbook page!
> ----
> If you only want to allow machines within your own network to
> synchronize their clocks with your server, but ensure they are not
> allowed to configure the server or used as peers to synchronize against, add

That line may be technically true, but it is alarmist and wrong.

> restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

See http://ntp.isc.org/Support/ConfRestrict for info about notrust.

Dave Mills changed the behavior of notrust between the 4.1 and 4.2 releases of ntp.

In 4.1, notrust means "do not trust this host/subnet for time".

In 4.2, notrust means "require crypto auth before believing this host/subnet for time".

nomodify will block changes even with the correct key/password. But you have to have the correct key and password first.

> But if you use notrust in this line no clients are able to connect. I am
> not sure why. That is why I asked about an ntpd pro having a look.

We'd appreciate more folks adding more info to ntp.isc.org.

H
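An added ntp.conf fragment (not part of the original thread, and not Harlan's or the NTP project's own text) that puts the quoted handbook line beside a restrict line that allows the subnet to sync without being able to modify the server, under the 4.2 semantics described above. The subnet is the one from the quoted handbook line; the `keys` and `trustedkey` directives are the standard ntpd authentication directives and the key file path and key id are assumed placeholders.

```conf
# Added example, not from the thread: restrict lines for ntpd 4.2.
# Assumed values: the 192.168.1.0/24 subnet from the quoted handbook line,
# a placeholder key file /etc/ntp.keys and key id 1.

# Handbook line as quoted. Under 4.2 semantics "notrust" means "require
# crypto auth before believing this host/subnet for time", so clients on
# the subnet that do not authenticate cannot sync (the symptom reported).
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# Same intent without "notrust": clients may obtain time, "nomodify"
# refuses runtime configuration changes even from a requester holding a
# valid key, and "notrap" refuses control-message trap registrations.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Keep "notrust" only when every client on that subnet authenticates;
# then the server also needs the key material the thread mentions.
# Assumed directives (standard ntpd syntax, values are placeholders):
# keys /etc/ntp.keys
# trustedkey 1
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
```

The two active words to check after a 4.1 to 4.2 upgrade are "notrust" (its meaning changed) and "nomodify" (its meaning did not); a subnet that suddenly stops syncing after the upgrade is the first sign that a restrict line still carries the 4.1 reading of notrust.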