Lines Matching +full:power +full:- +full:management +full:- +full:ic +full:- +full:for +full:- +full:system
1 /* -*- Mode: Text -*- */
7 // We want the synopsis to be "/etc/ntp.conf" but we need the prog-name
8 // to be ntp.conf - the latter is also how autogen produces the output
10 prog-name = "ntp.conf";
11 file-path = "/etc/ntp.conf";
12 prog-title = "Network Time Protocol daemon (ntpd) configuration format";
15 explain = <<- _END_EXPLAIN
18 doc-section = {
19 ds-type = 'DESCRIPTION';
20 ds-format = 'mdoc';
21 ds-text = <<- _END_PROG_MDOC_DESCRIP
48 host addresses written in numeric, dotted-quad form,
64 .Bl -bullet -offset indent
83 .Ic pool ,
84 .Ic server ,
85 .Ic peer ,
86 .Ic broadcast
88 .Ic manycastclient
113 If the Basic Socket Interface Extensions for IPv6 (RFC-2553)
114 is detected, support for the IPv6 address family is generated
139 See IPv6 references for the
140 equivalent classes for that address family.
141 .Bl -tag -width indent
142 .It Xo Ic pool Ar address
151 .It Xo Ic server Ar address
162 .It Xo Ic peer Ar address
171 .It Xo Ic broadcast Ar address
179 .It Xo Ic manycastclient Ar address
194 either a DNS name or an IP address in dotted-quad notation.
196 .Qq Association Management
201 .Bl -tag -width indent
202 .It Ic pool
203 For type s addresses, this command mobilizes a persistent
208 .It Ic server
209 For type s and r addresses, this command mobilizes a persistent
217 be used for type
219 .It Ic peer
220 For type s addresses (only), this command mobilizes a
221 persistent symmetric-active mode association with the specified
229 This command should NOT be used for type
231 .It Ic broadcast
232 For type b and m addresses (only), this
252 sender; for operation as a broadcast client, see the
253 .Ic broadcastclient
255 .Ic multicastclient
258 .It Ic manycastclient
259 For type m addresses (only), this command mobilizes a
260 manycast client mode association for the multicast address
264 .Ic manycastserver
265 command for
273 .Ic manycastserver
285 .Ic server
292 .Bl -tag -width indent
302 .Ic server
310 .Ic server
326 for NTP messages, as a power of 2 in seconds
337 Marks the server as unused, except for display purposes.
344 this host will be chosen for synchronization among a set of
352 for further information.
362 It specifies the time-to-live
367 for the expanding ring search with manycast
373 Specifies the version number to be used for outgoing NTP
375 Versions 1-4 are the choices, with version 4 the
384 Valid only for
392 .Bl -tag -width indent
393 .It Ic broadcastclient
396 Upon receiving a message for
403 server and client should operate using symmetric-key or public-key
406 .It Ic manycastserver Ar address ...
416 and client should operate using symmetric-key or public-key
419 .It Ic multicastclient Ar address ...
423 a message for the first time, the multicast client measures the
429 both the server and client should operate using symmetric-key or
430 public-key authentication as described in
432 .It Ic mdnstries Ar number
434 after we have synched for the first time
435 we attempt to register with the mDNS system.
437 we try again at one minute intervals for up to
438 .Ic mdnstries
441 .Ic ntpd
443 The default value for
444 .Ic mdnstries
452 specification RFC-1305 defines a scheme which provides
457 DES-CBC.
459 5 (MD5) algorithm using a private key, commonly called keyed-MD5.
460 Either algorithm computes a message digest, or one-way hash, which
472 management functions involve only public values, which
474 Public key management is based on X.509 certificates,
479 While the algorithms for symmetric key cryptography are
483 Directions for doing that
486 Authentication is configured separately for each association
492 .Ic peer ,
493 .Ic server ,
494 .Ic broadcast
496 .Ic manycastclient
529 .Ic enable
531 .Ic disable
547 .Ic auth
551 disrupt system timekeeping.
563 for servers as described in the
573 files for all clients can be identical.
575 The security model and protocol schemes for
581 .Ss Symmetric-Key Cryptography
582 The original RFC-1305 specification allows any one of possibly
583 65,535 keys, each distinguished by a 32-bit key identifier, to
595 for ordinary NTP associations,
596 additional keys can be used as passwords for the
605 .Ic keys
610 .Ic trusted
613 allows, for instance, the installation of possibly
621 .Ic requestkey
622 command selects the key used as the password for the
625 .Ic controlkey
626 command selects the key used as the password for the
631 described in RFC-1305 and in addition the Autokey protocol,
644 .\" The cryptographic means necessary for all Autokey operations
659 All modes use in addition a variant of the S-KEY scheme,
660 in which a pseudo-random key list is generated and used
670 .Xr ntp-keygen 1ntpkeygenmdoc
682 which stands for the MD5 message digest with RSA
695 for all hosts along the trail to one or more trusted hosts.
714 system call or equivalent in other systems.
715 By the system design
718 for each interface, etc., are constrained in any way.
724 For this reason Autokey
728 For this reason operation
736 There may be management configurations where the clients,
749 .Ic server
751 .Ic peer
753 .Ic key
755 .Ic autokey
758 .Ic key
761 .Ic autokey
800 Bob sends Cathy a thing called a crypto-NAK, which tells her
819 combinations; for instance, running an identity scheme
821 .Ss Key Management
824 .Xr ntp-keygen 1ntpkeygenmdoc
832 Note that symmetric keys are necessary for the
837 The remaining files are necessary only for the
852 however, an extended key usage field for a trusted host must
857 .Bl -tag -width indent
858 .It Ic autokey Op Ar logsec
862 list for each association depends on this interval and the current
865 For poll intervals above the specified interval, a session key list
866 with a single entry will be regenerated for every message
868 .It Ic controlkey Ar key
872 protocol defined in RFC-1305.
876 the key identifier for a trusted key, where the value can be in the
878 .It Xo Ic crypto
899 .Ic keysdir
903 .Bl -tag -width indent
946 .It Ic keys Ar keyfile
957 .It Ic keysdir Ar path
958 This command specifies the default directory path for
962 .It Ic requestkey Ar key
971 for the trusted key, where the value can be in the range 1 to
973 .It Ic revoke Ar logsec
974 Specifies the interval between re-randomization of certain
975 cryptographic values used by the Autokey scheme, as a power of 2 in
978 deflect brute-force attacks on the algorithms of the scheme;
981 For poll
983 for every message sent.
984 .It Ic trustedkey Ar key ...
985 Specifies the key identifiers which are trusted for the
993 and remote servers share the same key and key identifier for this
998 arguments are 32-bit unsigned
1004 .Bl -tag -width indent
1056 for continuous, long term recording of server and client
1059 .Ic statistics
1061 for a listing and example of each type of statistics currently
1072 automatically summarized and archived for retrospective analysis.
1074 .Bl -tag -width indent
1075 .It Ic statistics Ar name ...
1080 .Bl -tag -width indent
1087 .Bd -literal
1094 clock address in dotted-quad notation.
1101 clock for further details.
1109 .Bd -literal
1116 address in dotted-quad notation, The final message field includes the
1120 section for further information.
1127 .Bd -literal
1134 show time offset (seconds), frequency offset (parts per million -
1146 .Bd -literal
1147 48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674
1153 show the peer address in dotted-quad notation and status,
1160 Enables recording of raw-timestamp statistics information.
1168 .Bd -literal
1176 in dotted-quad notation.
1188 .Bd -literal
1197 .Bl -tag -width indent
1199 Time in hours since the system was last rebooted.
1211 Number of packets denied access for any reason.
1225 filename prefix to be modified for file generation sets, which
1226 is useful for handling statistics logs.
1235 file sets provide a means for handling files that are
1237 Server statistics are a typical example for such files.
1245 that are currently unused are available for administrational
1247 (Most important: they can be removed to free space for new data
1253 .Bl -tag -width indent
1259 This is the file name for the statistics records.
1266 .Bl -tag -width indent
1274 server, usually specified as a compile-time constant.
1276 however, be configurable for individual file generation sets
1278 For example, the prefix used with
1308 .Bl -tag -width indent
1340 is a 4-digit year number (e.g., 1992).
1352 The term week is defined by computing day-of-year
1356 filename base: A dot, a 4-digit year number, the letter
1358 and a 2-digit week number.
1359 For example, information from January,
1365 file name suffix consists of a dot, a 4-digit year number, and
1366 a 2-digit month.
1377 and an 8-digit number.
1379 running at the start of the corresponding 24-hour period.
1433 with the access policies for the original NSFnet backbone
1438 be useful for keeping unwanted or broken or malicious clients
1446 .Ic restrict
1455 only for the offending packet, others cause denied service
1456 for a timed period and others cause the denied service for
1459 for an indefinite period, the only way at present to remove
1461 .Ss The Kiss-of-Death Packet
1467 for the system operator.
1469 for this purpose called the "kiss-of-death" (KoD) packet.
1471 to zero and the reference identifier field set to a four-byte
1497 .Bl -tag -width indent
1498 .It Xo Ic discard
1515 and a kiss-o'-death packet returned if enabled.
1517 .Ic monitor
1524 .Ic monitor
1525 value, default 3000. For example, if the oldest entry
1531 .It Xo Ic restrict
1544 is provided, a restriction entry is created for each
1548 used for each entry.
1563 directive limits the number of peer requests for each IP to
1565 where a value of -1 means "unlimited", the current default.
1580 restrict informational queries and attempts to do run-time
1584 .Bl -tag -width indent
1592 If this flag is set when a rate violation occurs, a kiss-o'-death
1601 .Ic discard
1619 be overridden by later requests for normal priority traps.
1623 Note that the ability to use a symmetric key for authentication may be restricted to
1631 to become the default in ntp-4.4.
1678 protocol which is intended for use by remote event logging programs.
1695 .It Ic "serverresponse fuzz"
1704 ntpport, for each of the local host's interface addresses are
1715 .It Xo Ic delrestrict
1719 Remove a previously-set restriction. This is useful for
1735 It is intended as a means for a multicast client
1746 with the anycast paradigm described in RFC-1546,
1762 as well and is highly recommended, especially for broadcast modes.
1766 .Ic manycastclient
1768 .Ic server
1775 and IPv6 address FF05::101 (site local) for NTP.
1778 and minimum feasible time-to-live (TTL) hops, depending
1782 for a future ephemeral unicast client/server association.
1785 .Ic manycastserver
1786 command listen on the specified group address for manycast
1808 in a volley of eight client/server at 2-s intervals
1821 and the effects of implosion due to near-simultaneous
1824 .Ic manycastclient ,
1825 .Ic tos
1827 .Ic ttl
1830 normally eight times the system poll interval,
1834 .Ic manycastclient ,
1840 .Ic ttl
1854 .Ic tos
1864 For legacy purposes,
1869 For manycast service
1883 For each transmission
1891 it the system poll interval.
1896 By default, the increment for TTL hops is 32 starting
1898 .Ic ttl
1913 .Ic tos
1920 .Ic tos
1927 The above actions occur for each manycast client message,
1943 The recommended value for
1953 For example, consider an NTP
1958 .Ic multicastclient
1960 .Ic multicastserver
1961 commands using, for instance, multicast group address
1964 configuration file must include commands for the primary
1967 The remaining configuration files for all secondary
1968 servers and clients have the same contents, except for the
1969 .Ic tos
1970 command, which is specific for each stratum level.
1971 For stratum 1 and stratum 2 servers, that command is
1973 For stratum 3 and above servers the
1989 re-associate accordingly.
2007 for the usual suspects, selects the best from among
2043 .Bl -tag -width indent
2044 .It Xo Ic tos
2063 .Bl -tag -width indent
2064 .It Xo Ic tos
2076 quantity of peers used to synchronize the system clock
2080 .Bl -tag -width indent
2116 one or more truechimers for the clustering algorithm.
2120 for legacy purposes.
2131 in an expanding-ring search.
2137 satellite and modem reference clocks plus a special pseudo-clock
2138 used for backup or when no other clock source is available.
2148 .Qq Debugging Hints for Reference Clock Drivers
2155 In addition, support for a PPS
2157 .Qq Pulse-per-second (PPS) Signal Interfacing
2186 in a scalding remark to the system log file, but is otherwise non
2189 For the purposes of configuration,
2207 number in the range 0-3.
2213 .Ic server
2224 options are not used for reference clock support.
2227 option is added for reference clock support, as
2246 meaning only for selected clock drivers.
2248 driver document pages for additional information.
2251 .Ic fudge
2253 information for individual clock drivers and normally follows
2255 .Ic server
2265 override the defaults for the device.
2267 device-dependent time offsets and four flags that can be included
2269 .Ic fudge
2282 option is used for this purpose.
2284 involving both a reference clock and a pulse-per-second (PPS)
2289 option is used for this purpose.
2293 .Bl -tag -width indent
2294 .It Xo Ic server
2306 .Bl -tag -width indent
2310 equal, this host will be chosen for synchronization among a set of
2318 for further information.
2321 device-specific fashion.
2322 For instance, it selects a dialing
2329 for reference clock messages, as a power of 2 in seconds
2330 For
2336 For modem reference clocks,
2343 .It Xo Ic fudge
2360 .Ic server
2368 .Bl -tag -width indent
2371 the driver, a fixed-point decimal number in seconds.
2377 systematic error or bias due to serial port or operating system
2383 for an individual system and driver is available, an approximate
2389 .Ic enable
2399 Specifies a fixed-point decimal number in seconds, which is
2400 interpreted in a driver-dependent way.
2421 device-specific fashion.
2422 For instance, it selects a dialing
2430 These four flags are used for customizing the clock driver.
2441 .Ic filegen
2444 .Ic filegen
2450 .Bl -tag -width indent
2451 .It Ic broadcastdelay Ar seconds
2459 controls, for example.
2462 Typically (for Ethernet), a
2466 .It Ic driftfile Ar driftfile
2478 frequency of zero and creates the file when writing it for the first time.
2484 in parts-per-million (PPM).
2490 must have write permission for the directory the
2491 drift file is located in, and that file system links, symbolic or
2493 .It Ic dscp Ar value
2495 a 6-bit code.
2497 .It Xo Ic enable
2507 .It Xo Ic disable
2523 .Bl -tag -width indent
2528 The default for this flag is
2529 .Ic enable .
2531 Enables the server to listen for a message from a broadcast or
2533 .Ic multicastclient
2536 The default for this flag is
2537 .Ic disable .
2539 Enables the calibrate feature for reference clocks.
2540 The default for
2542 .Ic disable .
2545 The default for this
2547 .Ic enable
2549 .Ic disable .
2551 Enables processing of NTP mode 7 implementation-specific requests
2555 The default for this flag is disable.
2569 .Ic monlist
2572 default for this flag is
2573 .Ic enable .
2577 closes the feedback loop, which is useful for testing.
2578 The default for
2580 .Ic enable .
2585 receives a crypto-NAK packet that
2589 as it allows for quick recovery if a server key has changed,
2590 a properly forged and appropriately delivered crypto-NAK packet
2597 file for evidence of any of these attacks.
2599 default for this flag is
2600 .Ic enable .
2605 section for further information.
2606 The default for this flag is
2607 .Ic disable .
2626 file for evidence of any of these attacks.
2628 default for this flag is
2629 .Ic enable .
2633 receives a crypto-NAK packet that
2637 as it allows for quick recovery if a server key has changed,
2638 a properly forged and appropriately delivered crypto-NAK packet
2645 file for evidence of any of these attacks.
2647 default for this flag is
2648 .Ic enable .
2657 as it allows for quick recovery,
2659 during an appropriate window it can be used for a DoS attack.
2665 file for evidence of any of these attacks.
2667 default for this flag is
2668 .Ic enable .
2670 .It Ic includefile Ar includefile
2677 This option is useful for sites that run
2681 .It Xo Ic interface
2697 The first parameter determines the action for addresses
2704 determines how many bits must match for this rule to apply.
2714 The last rule which matches a particular address determines the action for it.
2718 .Fl -interface ,
2721 .Fl -novirtualips
2722 command-line options are specified in the configuration file,
2726 directive is an alias for
2728 .It Ic leapfile Ar leapfile
2730 leapsecond values for the next leapsecond event, leapfile expiration
2733 .Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list
2735 .Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list .
2750 .Xr update-leap 1update_leapmdoc
2754 .It Ic leapsmearinterval Ar seconds
2758 .Cm --enable-leap-smear
2763 Recommended values for this option are between
2765 .Sy DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS!
2766 See http://bugs.ntp.org/2855 for more information.
2767 .It Ic logconfig Ar configkeyword
2769 the system
2772 .Ic logfile
2781 .Ql - ,
2789 .Ql -
2833 .Bd -literal
2839 and the major system events.
2840 For a simple reference server, the
2842 .Bd -literal
2849 peers, system events and so on is suppressed.
2850 .It Ic logfile Ar logfile
2852 be used instead of the default system
2858 .It Xo Ic mru
2870 .Bl -tag -width indent
2871 .It Ic maxdepth Ar count
2872 .It Ic maxmem Ar kilobytes
2890 entries, existing entries are never removed to make room for newer ones,
2914 .It Ic nonvolatile Ar threshold
2919 (frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
2927 for embedded systems with nonvolatile memory.
2928 .It Ic phone Ar dial ...
2931 or the JJY driver (type 40, mode 100 - 180).
2932 For the ACTS modem driver (type 18), the arguments consist of
2935 For the JJY driver (type 40 mode 100 - 180), the argument is
2958 The next two numbers must be between 0 and one-half of the poll interval,
2966 .It Xo Ic reset
2968 .Ic allpeers
2971 .Ic auth
2974 .Ic ctl
2977 .Ic io
2980 .Ic mem
2983 .Ic sys
2986 .Ic timer
2995 .It Xo Ic rlimit
3002 .Bl -tag -width indent
3010 The default is 32 megabytes on non-Linux machines, and -1 under Linux.
3011 -1 means "do not lock the process into memory".
3020 Defaults to the system default.
3022 .It Ic saveconfigdir Ar directory_path
3034 .It Ic saveconfig Ar filename
3039 .Cm config-from-file
3055 for example,
3056 .Cm saveconfig\ ntp-%Y%m%d-%H%M%S.conf .
3057 The filename used is stored in the system variable
3060 .It Ic setvar Ar variable Op Cm default
3061 This command adds an additional system variable.
3072 variable will be listed as part of the default system variables
3075 .Ic rv
3084 .Ic setvar
3091 the names of all system variables.
3102 .It Xo Ic tinker
3115 This command can be used to alter several system variables in
3120 default values of these variables have been carefully optimized for
3128 for them.
3133 .Bl -tag -width indent
3135 The argument becomes the new value for the minimum Allan
3141 The argument becomes the new value for the dispersion increase rate,
3145 parts-per-million.
3149 The argument becomes the new value for the experimental
3150 huff-n'-puff filter span, which determines the most recent interval
3151 the algorithm will search for a minimum delay.
3172 The argument is the step threshold for the backward direction,
3183 As for stepback, but for the forward direction.
3196 system variables
3203 .It Xo Ic trap Ar host_address
3208 address and port number for sending messages with the specified
3222 mode these values are used in-turn in an expanding-ring search.
3235 an expanding-ring search.
3242 doc-section = {
3243 ds-type = 'FILES';
3244 ds-format = 'mdoc';
3245 ds-text = <<- _END_MDOC_FILES
3246 .Bl -tag -width /etc/ntp.drift -compact
3256 Diffie-Hellman agreement parameters
3261 doc-section = {
3262 ds-type = 'SEE ALSO';
3263 ds-format = 'mdoc';
3264 ds-text = <<- _END_MDOC_SEE_ALSO
3283 doc-section = {
3284 ds-type = 'BUGS';
3285 ds-format = 'mdoc';
3286 ds-text = <<- _END_MDOC_BUGS
3300 doc-section = {
3301 ds-type = 'NOTES';
3302 ds-format = 'mdoc';
3303 ds-text = <<- _END_MDOC_NOTES