xref: /freebsd/contrib/ntp/ntpd/invoke-ntp.conf.texi (revision f5f40dd63bc7acbb5312b26ac1ea1103c12352a6)
1@node ntp.conf Notes
2@section Notes about ntp.conf
3@pindex ntp.conf
4@cindex Network Time Protocol (NTP) daemon configuration file format
5@ignore
6#
7# EDIT THIS FILE WITH CAUTION  (invoke-ntp.conf.texi)
8#
9# It has been AutoGen-ed  May 25, 2024 at 12:03:56 AM by AutoGen 5.18.16
10# From the definitions    ntp.conf.def
11# and the template file   agtexi-file.tpl
12@end ignore
13
14
15
16The
17@code{ntp.conf}
18configuration file is read at initial startup by the
19@code{ntpd(1ntpdmdoc)}
20daemon in order to specify the synchronization sources,
21modes and other related information.
22Usually, it is installed in the
23@file{/etc}
24directory,
25but could be installed elsewhere
26(see the daemon's
27@code{-c}
28command line option).
29
30The file format is similar to other
31@sc{unix}
32configuration files.
33Comments begin with a
34@quoteleft{}#@quoteright{}
35character and extend to the end of the line;
36blank lines are ignored.
37Configuration commands consist of an initial keyword
38followed by a list of arguments,
39some of which may be optional, separated by whitespace.
40Commands may not be continued over multiple lines.
41Arguments may be host names,
42host addresses written in numeric, dotted-quad form,
43integers, floating point numbers (when specifying times in seconds)
44and text strings.
45
46The rest of this page describes the configuration and control options.
47The
48"Notes on Configuring NTP and Setting up an NTP Subnet"
49page
50(available as part of the HTML documentation
51provided in
52@file{/usr/share/doc/ntp})
53contains an extended discussion of these options.
54In addition to the discussion of general
55@ref{Configuration Options},
56there are sections describing the following supported functionality
57and the options used to control it:
58@itemize @bullet
59@item
60@ref{Authentication Support}
61@item
62@ref{Monitoring Support}
63@item
64@ref{Access Control Support}
65@item
66@ref{Automatic NTP Configuration Options}
67@item
68@ref{Reference Clock Support}
69@item
70@ref{Miscellaneous Options}
71@end itemize
72
73Following these is a section describing
74@ref{Miscellaneous Options}.
75While there is a rich set of options available,
76the only required option is one or more
77@code{pool},
78@code{server},
79@code{peer},
80@code{broadcast}
81or
82@code{manycastclient}
83commands.
84@node Configuration Support
85@subsection Configuration Support
86Following is a description of the configuration commands in
87NTPv4.
88These commands have the same basic functions as in NTPv3 and
89in some cases new functions and new arguments.
90There are two
91classes of commands, configuration commands that configure a
92persistent association with a remote server or peer or reference
93clock, and auxiliary commands that specify environmental variables
94that control various related operations.
95@subsubsection Configuration Commands
96The various modes are determined by the command keyword and the
97type of the required IP address.
98Addresses are classed by type as
99(s) a remote server or peer (IPv4 class A, B and C), (b) the
100broadcast address of a local interface, (m) a multicast address (IPv4
101class D), or (r) a reference clock address (127.127.x.x).
102Note that
103only those options applicable to each command are listed below.
104Use
105of options not listed may not be caught as an error, but may result
106in some weird and even destructive behavior.
107
108If the Basic Socket Interface Extensions for IPv6 (RFC-2553)
109is detected, support for the IPv6 address family is generated
110in addition to the default support of the IPv4 address family.
111In a few cases, including the
112@code{reslist}
113billboard generated
114by
115@code{ntpq(1ntpqmdoc)}
116or
117@code{ntpdc(1ntpdcmdoc)},
118IPv6 addresses are automatically generated.
119IPv6 addresses can be identified by the presence of colons
120@quotedblleft{}:@quotedblright{}
121in the address field.
122IPv6 addresses can be used almost everywhere where
123IPv4 addresses can be used,
124with the exception of reference clock addresses,
125which are always IPv4.
126
127Note that in contexts where a host name is expected, a
128@code{-4}
129qualifier preceding
130the host name forces DNS resolution to the IPv4 namespace,
131while a
132@code{-6}
133qualifier forces DNS resolution to the IPv6 namespace.
134See IPv6 references for the
135equivalent classes for that address family.
136@table @asis
137@item @code{pool} @kbd{address} @code{[@code{burst}]} @code{[@code{iburst}]} @code{[@code{version} @kbd{version}]} @code{[@code{prefer}]} @code{[@code{minpoll} @kbd{minpoll}]} @code{[@code{maxpoll} @kbd{maxpoll}]} @code{[@code{xmtnonce}]}
138@item @code{server} @kbd{address} @code{[@code{key} @kbd{key} @kbd{|} @code{autokey}]} @code{[@code{burst}]} @code{[@code{iburst}]} @code{[@code{version} @kbd{version}]} @code{[@code{prefer}]} @code{[@code{minpoll} @kbd{minpoll}]} @code{[@code{maxpoll} @kbd{maxpoll}]} @code{[@code{true}]} @code{[@code{xmtnonce}]}
139@item @code{peer} @kbd{address} @code{[@code{key} @kbd{key} @kbd{|} @code{autokey}]} @code{[@code{version} @kbd{version}]} @code{[@code{prefer}]} @code{[@code{minpoll} @kbd{minpoll}]} @code{[@code{maxpoll} @kbd{maxpoll}]} @code{[@code{true}]} @code{[@code{xleave}]}
140@item @code{broadcast} @kbd{address} @code{[@code{key} @kbd{key} @kbd{|} @code{autokey}]} @code{[@code{version} @kbd{version}]} @code{[@code{prefer}]} @code{[@code{minpoll} @kbd{minpoll}]} @code{[@code{ttl} @kbd{ttl}]} @code{[@code{xleave}]}
141@item @code{manycastclient} @kbd{address} @code{[@code{key} @kbd{key} @kbd{|} @code{autokey}]} @code{[@code{version} @kbd{version}]} @code{[@code{prefer}]} @code{[@code{minpoll} @kbd{minpoll}]} @code{[@code{maxpoll} @kbd{maxpoll}]} @code{[@code{ttl} @kbd{ttl}]}
142@end table
143
144These five commands specify the time server name or address to
145be used and the mode in which to operate.
146The
147@kbd{address}
148can be
149either a DNS name or an IP address in dotted-quad notation.
150Additional information on association behavior can be found in the
151"Association Management"
152page
153(available as part of the HTML documentation
154provided in
155@file{/usr/share/doc/ntp}).
156@table @asis
157@item @code{pool}
158For type s addresses, this command mobilizes a persistent
159client mode association with a number of remote servers.
160In this mode the local clock can synchronized to the
161remote server, but the remote server can never be synchronized to
162the local clock.
163@item @code{server}
164For type s and r addresses, this command mobilizes a persistent
165client mode association with the specified remote server or local
166radio clock.
167In this mode the local clock can synchronized to the
168remote server, but the remote server can never be synchronized to
169the local clock.
170This command should
171@emph{not}
172be used for type
173b or m addresses.
174@item @code{peer}
175For type s addresses (only), this command mobilizes a
176persistent symmetric-active mode association with the specified
177remote peer.
178In this mode the local clock can be synchronized to
179the remote peer or the remote peer can be synchronized to the local
180clock.
181This is useful in a network of servers where, depending on
182various failure scenarios, either the local or remote peer may be
183the better source of time.
184This command should NOT be used for type
185b, m or r addresses.
186@item @code{broadcast}
187For type b and m addresses (only), this
188command mobilizes a persistent broadcast mode association.
189Multiple
190commands can be used to specify multiple local broadcast interfaces
191(subnets) and/or multiple multicast groups.
192Note that local
193broadcast messages go only to the interface associated with the
194subnet specified, but multicast messages go to all interfaces.
195In broadcast mode the local server sends periodic broadcast
196messages to a client population at the
197@kbd{address}
198specified, which is usually the broadcast address on (one of) the
199local network(s) or a multicast address assigned to NTP.
200The IANA
201has assigned the multicast group address IPv4 224.0.1.1 and
202IPv6 ff05::101 (site local) exclusively to
203NTP, but other nonconflicting addresses can be used to contain the
204messages within administrative boundaries.
205Ordinarily, this
206specification applies only to the local server operating as a
207sender; for operation as a broadcast client, see the
208@code{broadcastclient}
209or
210@code{multicastclient}
211commands
212below.
213@item @code{manycastclient}
214For type m addresses (only), this command mobilizes a
215manycast client mode association for the multicast address
216specified.
217In this case a specific address must be supplied which
218matches the address used on the
219@code{manycastserver}
220command for
221the designated manycast servers.
222The NTP multicast address
223224.0.1.1 assigned by the IANA should NOT be used, unless specific
224means are taken to avoid spraying large areas of the Internet with
225these messages and causing a possibly massive implosion of replies
226at the sender.
227The
228@code{manycastserver}
229command specifies that the local server
230is to operate in client mode with the remote servers that are
231discovered as the result of broadcast/multicast messages.
232The
233client broadcasts a request message to the group address associated
234with the specified
235@kbd{address}
236and specifically enabled
237servers respond to these messages.
238The client selects the servers
239providing the best time and continues as with the
240@code{server}
241command.
242The remaining servers are discarded as if never
243heard.
244@end table
245
246Options:
247@table @asis
248@item @code{autokey}
249All packets sent to and received from the server or peer are to
250include authentication fields encrypted using the autokey scheme
251described in
252@ref{Authentication Options}.
253@item @code{burst}
254when the server is reachable, send a burst of six packets
255instead of the usual one. The packet spacing is 2 s.
256This is designed to improve timekeeping quality with the
257@code{server}
258command and s addresses.
259@item @code{iburst}
260When the server is unreachable, send a burst of eight packets
261instead of the usual one.
262The packet spacing is 2 s.
263This is designed to speed the initial synchronization
264acquisition with the
265@code{server}
266command and s addresses and when
267@code{ntpd(1ntpdmdoc)}
268is started with the
269@code{-q}
270option.
271@item @code{key} @kbd{key}
272All packets sent to and received from the server or peer are to
273include authentication fields encrypted using the specified
274@kbd{key}
275identifier with values from 1 to 65535, inclusive.
276The
277default is to include no encryption field.
278@item @code{minpoll} @kbd{minpoll}
279@item @code{maxpoll} @kbd{maxpoll}
280These options specify the minimum and maximum poll intervals
281for NTP messages, as a power of 2 in seconds
282The maximum poll
283interval defaults to 10 (1,024 s), but can be increased by the
284@code{maxpoll}
285option to an upper limit of 17 (36.4 h).
286The
287minimum poll interval defaults to 6 (64 s), but can be decreased by
288the
289@code{minpoll}
290option to a lower limit of 4 (16 s).
291@item @code{noselect}
292Marks the server as unused, except for display purposes.
293The server is discarded by the selection algroithm.
294@item @code{preempt}
295Says the association can be preempted.
296@item @code{prefer}
297Marks the server as preferred.
298All other things being equal,
299this host will be chosen for synchronization among a set of
300correctly operating hosts.
301See the
302"Mitigation Rules and the prefer Keyword"
303page
304(available as part of the HTML documentation
305provided in
306@file{/usr/share/doc/ntp})
307for further information.
308@item @code{true}
309Marks the server as a truechimer,
310forcing the association to always survive the selection and clustering algorithms.
311This option should almost certainly
312@emph{only}
313be used while testing an association.
314@item @code{ttl} @kbd{ttl}
315This option is used only with broadcast server and manycast
316client modes.
317It specifies the time-to-live
318@kbd{ttl}
319to
320use on broadcast server and multicast server and the maximum
321@kbd{ttl}
322for the expanding ring search with manycast
323client packets.
324Selection of the proper value, which defaults to
325127, is something of a black art and should be coordinated with the
326network administrator.
327@item @code{version} @kbd{version}
328Specifies the version number to be used for outgoing NTP
329packets.
330Versions 1-4 are the choices, with version 4 the
331default.
332@item @code{xleave}
333Valid in
334@code{peer}
335and
336@code{broadcast}
337modes only, this flag enables interleave mode.
338@item @code{xmtnonce}
339Valid only for
340@code{server}
341and
342@code{pool}
343modes, this flag puts a random number in the packet's transmit timestamp.
344
345@end table
346@subsubsection Auxiliary Commands
347@table @asis
348@item @code{broadcastclient}
349This command enables reception of broadcast server messages to
350any local interface (type b) address.
351Upon receiving a message for
352the first time, the broadcast client measures the nominal server
353propagation delay using a brief client/server exchange with the
354server, then enters the broadcast client mode, in which it
355synchronizes to succeeding broadcast messages.
356Note that, in order
357to avoid accidental or malicious disruption in this mode, both the
358server and client should operate using symmetric-key or public-key
359authentication as described in
360@ref{Authentication Options}.
361@item @code{manycastserver} @kbd{address} @kbd{...}
362This command enables reception of manycast client messages to
363the multicast group address(es) (type m) specified.
364At least one
365address is required, but the NTP multicast address 224.0.1.1
366assigned by the IANA should NOT be used, unless specific means are
367taken to limit the span of the reply and avoid a possibly massive
368implosion at the original sender.
369Note that, in order to avoid
370accidental or malicious disruption in this mode, both the server
371and client should operate using symmetric-key or public-key
372authentication as described in
373@ref{Authentication Options}.
374@item @code{multicastclient} @kbd{address} @kbd{...}
375This command enables reception of multicast server messages to
376the multicast group address(es) (type m) specified.
377Upon receiving
378a message for the first time, the multicast client measures the
379nominal server propagation delay using a brief client/server
380exchange with the server, then enters the broadcast client mode, in
381which it synchronizes to succeeding multicast messages.
382Note that,
383in order to avoid accidental or malicious disruption in this mode,
384both the server and client should operate using symmetric-key or
385public-key authentication as described in
386@ref{Authentication Options}.
387@item @code{mdnstries} @kbd{number}
388If we are participating in mDNS,
389after we have synched for the first time
390we attempt to register with the mDNS system.
391If that registration attempt fails,
392we try again at one minute intervals for up to
393@code{mdnstries}
394times.
395After all,
396@code{ntpd}
397may be starting before mDNS.
398The default value for
399@code{mdnstries}
400is 5.
401@end table
402@node Authentication Support
403@subsection Authentication Support
404Authentication support allows the NTP client to verify that the
405server is in fact known and trusted and not an intruder intending
406accidentally or on purpose to masquerade as that server.
407The NTPv3
408specification RFC-1305 defines a scheme which provides
409cryptographic authentication of received NTP packets.
410Originally,
411this was done using the Data Encryption Standard (DES) algorithm
412operating in Cipher Block Chaining (CBC) mode, commonly called
413DES-CBC.
414Subsequently, this was replaced by the RSA Message Digest
4155 (MD5) algorithm using a private key, commonly called keyed-MD5.
416Either algorithm computes a message digest, or one-way hash, which
417can be used to verify the server has the correct private key and
418key identifier.
419
420NTPv4 retains the NTPv3 scheme, properly described as symmetric key
421cryptography and, in addition, provides a new Autokey scheme
422based on public key cryptography.
423Public key cryptography is generally considered more secure
424than symmetric key cryptography, since the security is based
425on a private value which is generated by each server and
426never revealed.
427With Autokey all key distribution and
428management functions involve only public values, which
429considerably simplifies key distribution and storage.
430Public key management is based on X.509 certificates,
431which can be provided by commercial services or
432produced by utility programs in the OpenSSL software library
433or the NTPv4 distribution.
434
435While the algorithms for symmetric key cryptography are
436included in the NTPv4 distribution, public key cryptography
437requires the OpenSSL software library to be installed
438before building the NTP distribution.
439Directions for doing that
440are on the Building and Installing the Distribution page.
441
442Authentication is configured separately for each association
443using the
444@code{key}
445or
446@code{autokey}
447subcommand on the
448@code{peer},
449@code{server},
450@code{broadcast}
451and
452@code{manycastclient}
453configuration commands as described in
454@ref{Configuration Options}
455page.
456The authentication
457options described below specify the locations of the key files,
458if other than default, which symmetric keys are trusted
459and the interval between various operations, if other than default.
460
461Authentication is always enabled,
462although ineffective if not configured as
463described below.
464If a NTP packet arrives
465including a message authentication
466code (MAC), it is accepted only if it
467passes all cryptographic checks.
468The
469checks require correct key ID, key value
470and message digest.
471If the packet has
472been modified in any way or replayed
473by an intruder, it will fail one or more
474of these checks and be discarded.
475Furthermore, the Autokey scheme requires a
476preliminary protocol exchange to obtain
477the server certificate, verify its
478credentials and initialize the protocol
479
480The
481@code{auth}
482flag controls whether new associations or
483remote configuration commands require cryptographic authentication.
484This flag can be set or reset by the
485@code{enable}
486and
487@code{disable}
488commands and also by remote
489configuration commands sent by a
490@code{ntpdc(1ntpdcmdoc)}
491program running on
492another machine.
493If this flag is enabled, which is the default
494case, new broadcast client and symmetric passive associations and
495remote configuration commands must be cryptographically
496authenticated using either symmetric key or public key cryptography.
497If this
498flag is disabled, these operations are effective
499even if not cryptographic
500authenticated.
501It should be understood
502that operating with the
503@code{auth}
504flag disabled invites a significant vulnerability
505where a rogue hacker can
506masquerade as a falseticker and seriously
507disrupt system timekeeping.
508It is
509important to note that this flag has no purpose
510other than to allow or disallow
511a new association in response to new broadcast
512and symmetric active messages
513and remote configuration commands and, in particular,
514the flag has no effect on
515the authentication process itself.
516
517An attractive alternative where multicast support is available
518is manycast mode, in which clients periodically troll
519for servers as described in the
520@ref{Automatic NTP Configuration Options}
521page.
522Either symmetric key or public key
523cryptographic authentication can be used in this mode.
524The principle advantage
525of manycast mode is that potential servers need not be
526configured in advance,
527since the client finds them during regular operation,
528and the configuration
529files for all clients can be identical.
530
531The security model and protocol schemes for
532both symmetric key and public key
533cryptography are summarized below;
534further details are in the briefings, papers
535and reports at the NTP project page linked from
536@code{http://www.ntp.org/}.
537@subsubsection Symmetric-Key Cryptography
538The original RFC-1305 specification allows any one of possibly
53965,535 keys, each distinguished by a 32-bit key identifier, to
540authenticate an association.
541The servers and clients involved must
542agree on the key and key identifier to
543authenticate NTP packets.
544Keys and
545related information are specified in a key
546file, usually called
547@file{ntp.keys},
548which must be distributed and stored using
549secure means beyond the scope of the NTP protocol itself.
550Besides the keys used
551for ordinary NTP associations,
552additional keys can be used as passwords for the
553@code{ntpq(1ntpqmdoc)}
554and
555@code{ntpdc(1ntpdcmdoc)}
556utility programs.
557
558When
559@code{ntpd(1ntpdmdoc)}
560is first started, it reads the key file specified in the
561@code{keys}
562configuration command and installs the keys
563in the key cache.
564However,
565individual keys must be activated with the
566@code{trusted}
567command before use.
568This
569allows, for instance, the installation of possibly
570several batches of keys and
571then activating or deactivating each batch
572remotely using
573@code{ntpdc(1ntpdcmdoc)}.
574This also provides a revocation capability that can be used
575if a key becomes compromised.
576The
577@code{requestkey}
578command selects the key used as the password for the
579@code{ntpdc(1ntpdcmdoc)}
580utility, while the
581@code{controlkey}
582command selects the key used as the password for the
583@code{ntpq(1ntpqmdoc)}
584utility.
585@subsubsection Public Key Cryptography
586NTPv4 supports the original NTPv3 symmetric key scheme
587described in RFC-1305 and in addition the Autokey protocol,
588which is based on public key cryptography.
589The Autokey Version 2 protocol described on the Autokey Protocol
590page verifies packet integrity using MD5 message digests
591and verifies the source with digital signatures and any of several
592digest/signature schemes.
593Optional identity schemes described on the Identity Schemes
594page and based on cryptographic challenge/response algorithms
595are also available.
596Using all of these schemes provides strong security against
597replay with or without modification, spoofing, masquerade
598and most forms of clogging attacks.
599
600The Autokey protocol has several modes of operation
601corresponding to the various NTP modes supported.
602Most modes use a special cookie which can be
603computed independently by the client and server,
604but encrypted in transmission.
605All modes use in addition a variant of the S-KEY scheme,
606in which a pseudo-random key list is generated and used
607in reverse order.
608These schemes are described along with an executive summary,
609current status, briefing slides and reading list on the
610@ref{Autonomous Authentication}
611page.
612
613The specific cryptographic environment used by Autokey servers
614and clients is determined by a set of files
615and soft links generated by the
616@code{ntp-keygen(1ntpkeygenmdoc)}
617program.
618This includes a required host key file,
619required certificate file and optional sign key file,
620leapsecond file and identity scheme files.
621The
622digest/signature scheme is specified in the X.509 certificate
623along with the matching sign key.
624There are several schemes
625available in the OpenSSL software library, each identified
626by a specific string such as
627@code{md5WithRSAEncryption},
628which stands for the MD5 message digest with RSA
629encryption scheme.
630The current NTP distribution supports
631all the schemes in the OpenSSL library, including
632those based on RSA and DSA digital signatures.
633
634NTP secure groups can be used to define cryptographic compartments
635and security hierarchies.
636It is important that every host
637in the group be able to construct a certificate trail to one
638or more trusted hosts in the same group.
639Each group
640host runs the Autokey protocol to obtain the certificates
641for all hosts along the trail to one or more trusted hosts.
642This requires the configuration file in all hosts to be
643engineered so that, even under anticipated failure conditions,
644the NTP subnet will form such that every group host can find
645a trail to at least one trusted host.
646@subsubsection Naming and Addressing
647It is important to note that Autokey does not use DNS to
648resolve addresses, since DNS can't be completely trusted
649until the name servers have synchronized clocks.
650The cryptographic name used by Autokey to bind the host identity
651credentials and cryptographic values must be independent
652of interface, network and any other naming convention.
653The name appears in the host certificate in either or both
654the subject and issuer fields, so protection against
655DNS compromise is essential.
656
657By convention, the name of an Autokey host is the name returned
658by the Unix
659@code{gethostname(2)}
660system call or equivalent in other systems.
661By the system design
662model, there are no provisions to allow alternate names or aliases.
663However, this is not to say that DNS aliases, different names
664for each interface, etc., are constrained in any way.
665
666It is also important to note that Autokey verifies authenticity
667using the host name, network address and public keys,
668all of which are bound together by the protocol specifically
669to deflect masquerade attacks.
670For this reason Autokey
671includes the source and destination IP addresses in message digest
672computations and so the same addresses must be available
673at both the server and client.
674For this reason operation
675with network address translation schemes is not possible.
676This reflects the intended robust security model where government
677and corporate NTP servers are operated outside firewall perimeters.
678@subsubsection Operation
679A specific combination of authentication scheme (none,
680symmetric key, public key) and identity scheme is called
681a cryptotype, although not all combinations are compatible.
682There may be management configurations where the clients,
683servers and peers may not all support the same cryptotypes.
684A secure NTPv4 subnet can be configured in many ways while
685keeping in mind the principles explained above and
686in this section.
687Note however that some cryptotype
688combinations may successfully interoperate with each other,
689but may not represent good security practice.
690
691The cryptotype of an association is determined at the time
692of mobilization, either at configuration time or some time
693later when a message of appropriate cryptotype arrives.
694When mobilized by a
695@code{server}
696or
697@code{peer}
698configuration command and no
699@code{key}
700or
701@code{autokey}
702subcommands are present, the association is not
703authenticated; if the
704@code{key}
705subcommand is present, the association is authenticated
706using the symmetric key ID specified; if the
707@code{autokey}
708subcommand is present, the association is authenticated
709using Autokey.
710
711When multiple identity schemes are supported in the Autokey
712protocol, the first message exchange determines which one is used.
713The client request message contains bits corresponding
714to which schemes it has available.
715The server response message
716contains bits corresponding to which schemes it has available.
717Both server and client match the received bits with their own
718and select a common scheme.
719
720Following the principle that time is a public value,
721a server responds to any client packet that matches
722its cryptotype capabilities.
723Thus, a server receiving
724an unauthenticated packet will respond with an unauthenticated
725packet, while the same server receiving a packet of a cryptotype
726it supports will respond with packets of that cryptotype.
727However, unconfigured broadcast or manycast client
728associations or symmetric passive associations will not be
729mobilized unless the server supports a cryptotype compatible
730with the first packet received.
731By default, unauthenticated associations will not be mobilized
732unless overridden in a decidedly dangerous way.
733
734Some examples may help to reduce confusion.
735Client Alice has no specific cryptotype selected.
736Server Bob has both a symmetric key file and minimal Autokey files.
737Alice's unauthenticated messages arrive at Bob, who replies with
738unauthenticated messages.
739Cathy has a copy of Bob's symmetric
740key file and has selected key ID 4 in messages to Bob.
741Bob verifies the message with his key ID 4.
742If it's the
743same key and the message is verified, Bob sends Cathy a reply
744authenticated with that key.
745If verification fails,
746Bob sends Cathy a thing called a crypto-NAK, which tells her
747something broke.
748She can see the evidence using the
749@code{ntpq(1ntpqmdoc)}
750program.
751
752Denise has rolled her own host key and certificate.
753She also uses one of the identity schemes as Bob.
754She sends the first Autokey message to Bob and they
755both dance the protocol authentication and identity steps.
756If all comes out okay, Denise and Bob continue as described above.
757
758It should be clear from the above that Bob can support
759all the girls at the same time, as long as he has compatible
760authentication and identity credentials.
761Now, Bob can act just like the girls in his own choice of servers;
762he can run multiple configured associations with multiple different
763servers (or the same server, although that might not be useful).
764But, wise security policy might preclude some cryptotype
765combinations; for instance, running an identity scheme
766with one server and no authentication with another might not be wise.
767@subsubsection Key Management
768The cryptographic values used by the Autokey protocol are
769incorporated as a set of files generated by the
770@code{ntp-keygen(1ntpkeygenmdoc)}
771utility program, including symmetric key, host key and
772public certificate files, as well as sign key, identity parameters
773and leapseconds files.
774Alternatively, host and sign keys and
775certificate files can be generated by the OpenSSL utilities
776and certificates can be imported from public certificate
777authorities.
778Note that symmetric keys are necessary for the
779@code{ntpq(1ntpqmdoc)}
780and
781@code{ntpdc(1ntpdcmdoc)}
782utility programs.
783The remaining files are necessary only for the
784Autokey protocol.
785
786Certificates imported from OpenSSL or public certificate
787authorities have certian limitations.
788The certificate should be in ASN.1 syntax, X.509 Version 3
789format and encoded in PEM, which is the same format
790used by OpenSSL.
791The overall length of the certificate encoded
792in ASN.1 must not exceed 1024 bytes.
793The subject distinguished
794name field (CN) is the fully qualified name of the host
795on which it is used; the remaining subject fields are ignored.
796The certificate extension fields must not contain either
797a subject key identifier or a issuer key identifier field;
798however, an extended key usage field for a trusted host must
799contain the value
800@code{trustRoot};.
801Other extension fields are ignored.
802@subsubsection Authentication Commands
803@table @asis
804@item @code{autokey} @code{[@kbd{logsec}]}
805Specifies the interval between regenerations of the session key
806list used with the Autokey protocol.
807Note that the size of the key
808list for each association depends on this interval and the current
809poll interval.
810The default value is 12 (4096 s or about 1.1 hours).
811For poll intervals above the specified interval, a session key list
812with a single entry will be regenerated for every message
813sent.
814@item @code{controlkey} @kbd{key}
815Specifies the key identifier to use with the
816@code{ntpq(1ntpqmdoc)}
817utility, which uses the standard
818protocol defined in RFC-1305.
819The
820@kbd{key}
821argument is
822the key identifier for a trusted key, where the value can be in the
823range 1 to 65,535, inclusive.
824@item @code{crypto} @code{[@code{cert} @kbd{file}]} @code{[@code{leap} @kbd{file}]} @code{[@code{randfile} @kbd{file}]} @code{[@code{host} @kbd{file}]} @code{[@code{gq} @kbd{file}]} @code{[@code{gqpar} @kbd{file}]} @code{[@code{iffpar} @kbd{file}]} @code{[@code{mvpar} @kbd{file}]} @code{[@code{pw} @kbd{password}]}
825This command requires the OpenSSL library.
826It activates public key
827cryptography, selects the message digest and signature
828encryption scheme and loads the required private and public
829values described above.
830If one or more files are left unspecified,
831the default names are used as described above.
832Unless the complete path and name of the file are specified, the
833location of a file is relative to the keys directory specified
834in the
835@code{keysdir}
836command or default
837@file{/usr/local/etc}.
838Following are the subcommands:
839@table @asis
840@item @code{cert} @kbd{file}
841Specifies the location of the required host public certificate file.
842This overrides the link
843@file{ntpkey_cert_}@kbd{hostname}
844in the keys directory.
845@item @code{gqpar} @kbd{file}
846Specifies the location of the optional GQ parameters file.
847This
848overrides the link
849@file{ntpkey_gq_}@kbd{hostname}
850in the keys directory.
851@item @code{host} @kbd{file}
852Specifies the location of the required host key file.
853This overrides
854the link
855@file{ntpkey_key_}@kbd{hostname}
856in the keys directory.
857@item @code{iffpar} @kbd{file}
858Specifies the location of the optional IFF parameters file.
859This overrides the link
860@file{ntpkey_iff_}@kbd{hostname}
861in the keys directory.
862@item @code{leap} @kbd{file}
863Specifies the location of the optional leapsecond file.
864This overrides the link
865@file{ntpkey_leap}
866in the keys directory.
867@item @code{mvpar} @kbd{file}
868Specifies the location of the optional MV parameters file.
869This overrides the link
870@file{ntpkey_mv_}@kbd{hostname}
871in the keys directory.
872@item @code{pw} @kbd{password}
873Specifies the password to decrypt files containing private keys and
874identity parameters.
875This is required only if these files have been
876encrypted.
877@item @code{randfile} @kbd{file}
878Specifies the location of the random seed file used by the OpenSSL
879library.
880The defaults are described in the main text above.
881@end table
882@item @code{keys} @kbd{keyfile}
883Specifies the complete path and location of the MD5 key file
884containing the keys and key identifiers used by
885@code{ntpd(1ntpdmdoc)},
886@code{ntpq(1ntpqmdoc)}
887and
888@code{ntpdc(1ntpdcmdoc)}
889when operating with symmetric key cryptography.
890This is the same operation as the
891@code{-k}
892command line option.
893@item @code{keysdir} @kbd{path}
894This command specifies the default directory path for
895cryptographic keys, parameters and certificates.
896The default is
897@file{/usr/local/etc/}.
898@item @code{requestkey} @kbd{key}
899Specifies the key identifier to use with the
900@code{ntpdc(1ntpdcmdoc)}
901utility program, which uses a
902proprietary protocol specific to this implementation of
903@code{ntpd(1ntpdmdoc)}.
904The
905@kbd{key}
906argument is a key identifier
907for the trusted key, where the value can be in the range 1 to
90865,535, inclusive.
909@item @code{revoke} @kbd{logsec}
910Specifies the interval between re-randomization of certain
911cryptographic values used by the Autokey scheme, as a power of 2 in
912seconds.
913These values need to be updated frequently in order to
914deflect brute-force attacks on the algorithms of the scheme;
915however, updating some values is a relatively expensive operation.
916The default interval is 16 (65,536 s or about 18 hours).
917For poll
918intervals above the specified interval, the values will be updated
919for every message sent.
920@item @code{trustedkey} @kbd{key} @kbd{...}
921Specifies the key identifiers which are trusted for the
922purposes of authenticating peers with symmetric key cryptography,
923as well as keys used by the
924@code{ntpq(1ntpqmdoc)}
925and
926@code{ntpdc(1ntpdcmdoc)}
927programs.
928The authentication procedures require that both the local
929and remote servers share the same key and key identifier for this
930purpose, although different keys can be used with different
931servers.
932The
933@kbd{key}
934arguments are 32-bit unsigned
935integers with values from 1 to 65,535.
936@end table
937@subsubsection Error Codes
938The following error codes are reported via the NTP control
939and monitoring protocol trap mechanism.
940@table @asis
941@item 101
942(bad field format or length)
943The packet has invalid version, length or format.
944@item 102
945(bad timestamp)
946The packet timestamp is the same or older than the most recent received.
947This could be due to a replay or a server clock time step.
948@item 103
949(bad filestamp)
950The packet filestamp is the same or older than the most recent received.
951This could be due to a replay or a key file generation error.
952@item 104
953(bad or missing public key)
954The public key is missing, has incorrect format or is an unsupported type.
955@item 105
956(unsupported digest type)
957The server requires an unsupported digest/signature scheme.
958@item 106
959(mismatched digest types)
960Not used.
961@item 107
962(bad signature length)
963The signature length does not match the current public key.
964@item 108
965(signature not verified)
966The message fails the signature check.
967It could be bogus or signed by a
968different private key.
969@item 109
970(certificate not verified)
971The certificate is invalid or signed with the wrong key.
972@item 110
973(certificate not verified)
974The certificate is not yet valid or has expired or the signature could not
975be verified.
976@item 111
977(bad or missing cookie)
978The cookie is missing, corrupted or bogus.
979@item 112
980(bad or missing leapseconds table)
981The leapseconds table is missing, corrupted or bogus.
982@item 113
983(bad or missing certificate)
984The certificate is missing, corrupted or bogus.
985@item 114
986(bad or missing identity)
987The identity key is missing, corrupt or bogus.
988@end table
989@node Monitoring Support
990@subsection Monitoring Support
991@code{ntpd(1ntpdmdoc)}
992includes a comprehensive monitoring facility suitable
993for continuous, long term recording of server and client
994timekeeping performance.
995See the
996@code{statistics}
997command below
998for a listing and example of each type of statistics currently
999supported.
1000Statistic files are managed using file generation sets
1001and scripts in the
1002@file{./scripts}
1003directory of the source code distribution.
1004Using
1005these facilities and
1006@sc{unix}
1007@code{cron(8)}
1008jobs, the data can be
1009automatically summarized and archived for retrospective analysis.
1010@subsubsection Monitoring Commands
1011@table @asis
1012@item @code{statistics} @kbd{name} @kbd{...}
1013Enables writing of statistics records.
1014Currently, eight kinds of
1015@kbd{name}
1016statistics are supported.
1017@table @asis
1018@item @code{clockstats}
1019Enables recording of clock driver statistics information.
1020Each update
1021received from a clock driver appends a line of the following form to
1022the file generation set named
1023@code{clockstats}:
1024@verbatim
102549213 525.624 127.127.4.1 93 226 00:08:29.606 D
1026@end verbatim
1027
1028The first two fields show the date (Modified Julian Day) and time
1029(seconds and fraction past UTC midnight).
1030The next field shows the
1031clock address in dotted-quad notation.
1032The final field shows the last
1033timecode received from the clock in decoded ASCII format, where
1034meaningful.
1035In some clock drivers a good deal of additional information
1036can be gathered and displayed as well.
1037See information specific to each
1038clock for further details.
1039@item @code{cryptostats}
1040This option requires the OpenSSL cryptographic software library.
1041It
1042enables recording of cryptographic public key protocol information.
1043Each message received by the protocol module appends a line of the
1044following form to the file generation set named
1045@code{cryptostats}:
1046@verbatim
104749213 525.624 127.127.4.1 message
1048@end verbatim
1049
1050The first two fields show the date (Modified Julian Day) and time
1051(seconds and fraction past UTC midnight).
1052The next field shows the peer
1053address in dotted-quad notation, The final message field includes the
1054message type and certain ancillary information.
1055See the
1056@ref{Authentication Options}
1057section for further information.
1058@item @code{loopstats}
1059Enables recording of loop filter statistics information.
1060Each
1061update of the local clock outputs a line of the following form to
1062the file generation set named
1063@code{loopstats}:
1064@verbatim
106550935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
1066@end verbatim
1067
1068The first two fields show the date (Modified Julian Day) and
1069time (seconds and fraction past UTC midnight).
1070The next five fields
1071show time offset (seconds), frequency offset (parts per million -
1072PPM), RMS jitter (seconds), Allan deviation (PPM) and clock
1073discipline time constant.
1074@item @code{peerstats}
1075Enables recording of peer statistics information.
1076This includes
1077statistics records of all peers of a NTP server and of special
1078signals, where present and configured.
1079Each valid update appends a
1080line of the following form to the current element of a file
1081generation set named
1082@code{peerstats}:
1083@verbatim
108448773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674
1085@end verbatim
1086
1087The first two fields show the date (Modified Julian Day) and
1088time (seconds and fraction past UTC midnight).
1089The next two fields
1090show the peer address in dotted-quad notation and status,
1091respectively.
1092The status field is encoded in hex in the format
1093described in Appendix A of the NTP specification RFC 1305.
1094The final four fields show the offset,
1095delay, dispersion and RMS jitter, all in seconds.
1096@item @code{rawstats}
1097Enables recording of raw-timestamp statistics information.
1098This
1099includes statistics records of all peers of a NTP server and of
1100special signals, where present and configured.
1101Each NTP message
1102received from a peer or clock driver appends a line of the
1103following form to the file generation set named
1104@code{rawstats}:
1105@verbatim
110650928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000
1107@end verbatim
1108
1109The first two fields show the date (Modified Julian Day) and
1110time (seconds and fraction past UTC midnight).
1111The next two fields
1112show the remote peer or clock address followed by the local address
1113in dotted-quad notation.
1114The final four fields show the originate,
1115receive, transmit and final NTP timestamps in order.
1116The timestamp
1117values are as received and before processing by the various data
1118smoothing and mitigation algorithms.
1119@item @code{sysstats}
1120Enables recording of ntpd statistics counters on a periodic basis.
1121Each
1122hour a line of the following form is appended to the file generation
1123set named
1124@code{sysstats}:
1125@verbatim
112650928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
1127@end verbatim
1128
1129The first two fields show the date (Modified Julian Day) and time
1130(seconds and fraction past UTC midnight).
1131The remaining ten fields show
1132the statistics counter values accumulated since the last generated
1133line.
1134@table @asis
1135@item Time since restart @code{36000}
1136Time in hours since the system was last rebooted.
1137@item Packets received @code{81965}
1138Total number of packets received.
1139@item Packets processed @code{0}
1140Number of packets received in response to previous packets sent
1141@item Current version @code{9546}
1142Number of packets matching the current NTP version.
1143@item Previous version @code{56}
1144Number of packets matching the previous NTP version.
1145@item Bad version @code{71793}
1146Number of packets matching neither NTP version.
1147@item Access denied @code{512}
1148Number of packets denied access for any reason.
1149@item Bad length or format @code{540}
1150Number of packets with invalid length, format or port number.
1151@item Bad authentication @code{10}
1152Number of packets not verified as authentic.
1153@item Rate exceeded @code{147}
1154Number of packets discarded due to rate limitation.
1155@end table
1156@item @code{statsdir} @kbd{directory_path}
1157Indicates the full path of a directory where statistics files
1158should be created (see below).
1159This keyword allows
1160the (otherwise constant)
1161@code{filegen}
1162filename prefix to be modified for file generation sets, which
1163is useful for handling statistics logs.
1164@item @code{filegen} @kbd{name} @code{[@code{file} @kbd{filename}]} @code{[@code{type} @kbd{typename}]} @code{[@code{link} | @code{nolink}]} @code{[@code{enable} | @code{disable}]}
1165Configures setting of generation file set name.
1166Generation
1167file sets provide a means for handling files that are
1168continuously growing during the lifetime of a server.
1169Server statistics are a typical example for such files.
1170Generation file sets provide access to a set of files used
1171to store the actual data.
1172At any time at most one element
1173of the set is being written to.
1174The type given specifies
1175when and how data will be directed to a new element of the set.
1176This way, information stored in elements of a file set
1177that are currently unused are available for administrational
1178operations without the risk of disturbing the operation of ntpd.
1179(Most important: they can be removed to free space for new data
1180produced.)
1181
1182Note that this command can be sent from the
1183@code{ntpdc(1ntpdcmdoc)}
1184program running at a remote location.
1185@table @asis
1186@item @code{name}
1187This is the type of the statistics records, as shown in the
1188@code{statistics}
1189command.
1190@item @code{file} @kbd{filename}
1191This is the file name for the statistics records.
1192Filenames of set
1193members are built from three concatenated elements
1194@code{prefix},
1195@code{filename}
1196and
1197@code{suffix}:
1198@table @asis
1199@item @code{prefix}
1200This is a constant filename path.
1201It is not subject to
1202modifications via the
1203@kbd{filegen}
1204option.
1205It is defined by the
1206server, usually specified as a compile-time constant.
1207It may,
1208however, be configurable for individual file generation sets
1209via other commands.
1210For example, the prefix used with
1211@kbd{loopstats}
1212and
1213@kbd{peerstats}
1214generation can be configured using the
1215@kbd{statsdir}
1216option explained above.
1217@item @code{filename}
1218This string is directly concatenated to the prefix mentioned
1219above (no intervening
1220@quoteleft{}/@quoteright{}).
1221This can be modified using
1222the file argument to the
1223@kbd{filegen}
1224statement.
1225No
1226@file{..}
1227elements are
1228allowed in this component to prevent filenames referring to
1229parts outside the filesystem hierarchy denoted by
1230@kbd{prefix}.
1231@item @code{suffix}
1232This part is reflects individual elements of a file set.
1233It is
1234generated according to the type of a file set.
1235@end table
1236@item @code{type} @kbd{typename}
1237A file generation set is characterized by its type.
1238The following
1239types are supported:
1240@table @asis
1241@item @code{none}
1242The file set is actually a single plain file.
1243@item @code{pid}
1244One element of file set is used per incarnation of a ntpd
1245server.
1246This type does not perform any changes to file set
1247members during runtime, however it provides an easy way of
1248separating files belonging to different
1249@code{ntpd(1ntpdmdoc)}
1250server incarnations.
1251The set member filename is built by appending a
1252@quoteleft{}.@quoteright{}
1253to concatenated
1254@kbd{prefix}
1255and
1256@kbd{filename}
1257strings, and
1258appending the decimal representation of the process ID of the
1259@code{ntpd(1ntpdmdoc)}
1260server process.
1261@item @code{day}
1262One file generation set element is created per day.
1263A day is
1264defined as the period between 00:00 and 24:00 UTC.
1265The file set
1266member suffix consists of a
1267@quoteleft{}.@quoteright{}
1268and a day specification in
1269the form
1270@code{YYYYMMdd}.
1271@code{YYYY}
1272is a 4-digit year number (e.g., 1992).
1273@code{MM}
1274is a two digit month number.
1275@code{dd}
1276is a two digit day number.
1277Thus, all information written at 10 December 1992 would end up
1278in a file named
1279@kbd{prefix}
1280@kbd{filename}.19921210.
1281@item @code{week}
1282Any file set member contains data related to a certain week of
1283a year.
1284The term week is defined by computing day-of-year
1285modulo 7.
1286Elements of such a file generation set are
1287distinguished by appending the following suffix to the file set
1288filename base: A dot, a 4-digit year number, the letter
1289@code{W},
1290and a 2-digit week number.
1291For example, information from January,
129210th 1992 would end up in a file with suffix
1293.No . Ns Ar 1992W1 .
1294@item @code{month}
1295One generation file set element is generated per month.
1296The
1297file name suffix consists of a dot, a 4-digit year number, and
1298a 2-digit month.
1299@item @code{year}
1300One generation file element is generated per year.
1301The filename
1302suffix consists of a dot and a 4 digit year number.
1303@item @code{age}
1304This type of file generation sets changes to a new element of
1305the file set every 24 hours of server operation.
1306The filename
1307suffix consists of a dot, the letter
1308@code{a},
1309and an 8-digit number.
1310This number is taken to be the number of seconds the server is
1311running at the start of the corresponding 24-hour period.
1312Information is only written to a file generation by specifying
1313@code{enable};
1314output is prevented by specifying
1315@code{disable}.
1316@end table
1317@item @code{link} | @code{nolink}
1318It is convenient to be able to access the current element of a file
1319generation set by a fixed name.
1320This feature is enabled by
1321specifying
1322@code{link}
1323and disabled using
1324@code{nolink}.
1325If link is specified, a
1326hard link from the current file set element to a file without
1327suffix is created.
1328When there is already a file with this name and
1329the number of links of this file is one, it is renamed appending a
1330dot, the letter
1331@code{C},
1332and the pid of the
1333@code{ntpd(1ntpdmdoc)}
1334server process.
1335When the
1336number of links is greater than one, the file is unlinked.
1337This
1338allows the current file to be accessed by a constant name.
1339@item @code{enable} @code{|} @code{disable}
1340Enables or disables the recording function.
1341@end table
1342@end table
1343@end table
1344@node Access Control Support
1345@subsection Access Control Support
1346The
1347@code{ntpd(1ntpdmdoc)}
1348daemon implements a general purpose address/mask based restriction
1349list.
1350The list contains address/match entries sorted first
1351by increasing address values and and then by increasing mask values.
1352A match occurs when the bitwise AND of the mask and the packet
1353source address is equal to the bitwise AND of the mask and
1354address in the list.
1355The list is searched in order with the
1356last match found defining the restriction flags associated
1357with the entry.
1358Additional information and examples can be found in the
1359"Notes on Configuring NTP and Setting up a NTP Subnet"
1360page
1361(available as part of the HTML documentation
1362provided in
1363@file{/usr/share/doc/ntp}).
1364
1365The restriction facility was implemented in conformance
1366with the access policies for the original NSFnet backbone
1367time servers.
1368Later the facility was expanded to deflect
1369cryptographic and clogging attacks.
1370While this facility may
1371be useful for keeping unwanted or broken or malicious clients
1372from congesting innocent servers, it should not be considered
1373an alternative to the NTP authentication facilities.
1374Source address based restrictions are easily circumvented
1375by a determined cracker.
1376
1377Clients can be denied service because they are explicitly
1378included in the restrict list created by the
1379@code{restrict}
1380command
1381or implicitly as the result of cryptographic or rate limit
1382violations.
1383Cryptographic violations include certificate
1384or identity verification failure; rate limit violations generally
1385result from defective NTP implementations that send packets
1386at abusive rates.
1387Some violations cause denied service
1388only for the offending packet, others cause denied service
1389for a timed period and others cause the denied service for
1390an indefinite period.
1391When a client or network is denied access
1392for an indefinite period, the only way at present to remove
1393the restrictions is by restarting the server.
1394@subsubsection The Kiss-of-Death Packet
1395Ordinarily, packets denied service are simply dropped with no
1396further action except incrementing statistics counters.
1397Sometimes a
1398more proactive response is needed, such as a server message that
1399explicitly requests the client to stop sending and leave a message
1400for the system operator.
1401A special packet format has been created
1402for this purpose called the "kiss-of-death" (KoD) packet.
1403KoD packets have the leap bits set unsynchronized and stratum set
1404to zero and the reference identifier field set to a four-byte
1405ASCII code.
1406If the
1407@code{noserve}
1408or
1409@code{notrust}
1410flag of the matching restrict list entry is set,
1411the code is "DENY"; if the
1412@code{limited}
1413flag is set and the rate limit
1414is exceeded, the code is "RATE".
1415Finally, if a cryptographic violation occurs, the code is "CRYP".
1416
1417A client receiving a KoD performs a set of sanity checks to
1418minimize security exposure, then updates the stratum and
1419reference identifier peer variables, sets the access
1420denied (TEST4) bit in the peer flash variable and sends
1421a message to the log.
1422As long as the TEST4 bit is set,
1423the client will send no further packets to the server.
1424The only way at present to recover from this condition is
1425to restart the protocol at both the client and server.
1426This
1427happens automatically at the client when the association times out.
1428It will happen at the server only if the server operator cooperates.
1429@subsubsection Access Control Commands
1430@table @asis
1431@item @code{discard} @code{[@code{average} @kbd{avg}]} @code{[@code{minimum} @kbd{min}]} @code{[@code{monitor} @kbd{prob}]}
1432Set the parameters of the
1433@code{limited}
1434facility which protects the server from
1435client abuse.
1436The
1437@code{average}
1438subcommand specifies the minimum average packet
1439spacing in log2 seconds, defaulting to 3 (8s), while the
1440@code{minimum}
1441subcommand specifies the minimum packet spacing
1442in seconds, defaulting to 2.
1443Packets that violate these minima are discarded
1444and a kiss-o'-death packet returned if enabled.
1445The
1446@code{monitor}
1447subcommand indirectly specifies the probability of
1448replacing the oldest entry from the monitor (MRU)
1449list of recent requests used to enforce rate controls,
1450when that list is at its maximum size. The probability
1451of replacing the oldest entry is the age of that entry
1452in seconds divided by the
1453@code{monitor}
1454value, default 3000. For example, if the oldest entry
1455in the MRU list represents a request 300 seconds ago,
1456by default the probability of replacing it with an
1457entry representing the client request being processed
1458now is 10%. Conversely, if the oldest entry is more
1459than 3000 seconds old, the probability is 100%.
1460@item @code{restrict} @kbd{address} @code{[@code{mask} @kbd{mask}]} @code{[@code{ippeerlimit} @kbd{int}]} @code{[@kbd{flag} @kbd{...}]}
1461The
1462@kbd{address}
1463argument expressed in
1464numeric form is the address of a host or network.
1465Alternatively, the
1466@kbd{address}
1467argument can be a valid hostname.  When a hostname
1468is provided, a restriction entry is created for each
1469address the hostname resolves to, and any provided
1470@kbd{mask}
1471is ignored and an individual host mask is
1472used for each entry.
1473The
1474@kbd{mask}
1475argument expressed in numeric form defaults to
1476all bits lit, meaning that the
1477@kbd{address}
1478is treated as the address of an individual host.
1479A default entry with address and mask all zeroes
1480is always included and is always the first entry in the list.
1481Note that text string
1482@code{default},
1483with no mask option, may
1484be used to indicate the default entry.
1485The
1486@code{ippeerlimit}
1487directive limits the number of peer requests for each IP to
1488@kbd{int},
1489where a value of -1 means "unlimited", the current default.
1490A value of 0 means "none".
1491There would usually be at most 1 peering request per IP,
1492but if the remote peering requests are behind a proxy
1493there could well be more than 1 per IP.
1494In the current implementation,
1495@code{flag}
1496always
1497restricts access, i.e., an entry with no flags indicates that free
1498access to the server is to be given.
1499The flags are not orthogonal,
1500in that more restrictive flags will often make less restrictive
1501ones redundant.
1502The flags can generally be classed into two
1503categories, those which restrict time service and those which
1504restrict informational queries and attempts to do run-time
1505reconfiguration of the server.
1506One or more of the following flags
1507may be specified:
1508@table @asis
1509@item @code{ignore}
1510Deny packets of all kinds, including
1511@code{ntpq(1ntpqmdoc)}
1512and
1513@code{ntpdc(1ntpdcmdoc)}
1514queries.
1515@item @code{kod}
1516If this flag is set when a rate violation occurs, a kiss-o'-death
1517(KoD) packet is sometimes sent.
1518KoD packets are rate limited to no more than one per minimum
1519average interpacket spacing, set by
1520@code{discard} @code{average}
1521defaulting to 8s.  Otherwise, no response is sent.
1522@item @code{limited}
1523Deny service if the packet spacing violates the lower limits specified
1524in the
1525@code{discard}
1526command.
1527A history of clients is kept using the
1528monitoring capability of
1529@code{ntpd(1ntpdmdoc)}.
1530Thus, monitoring is always active as
1531long as there is a restriction entry with the
1532@code{limited}
1533flag.
1534@item @code{lowpriotrap}
1535Declare traps set by matching hosts to be low priority.
1536The
1537number of traps a server can maintain is limited (the current limit
1538is 3).
1539Traps are usually assigned on a first come, first served
1540basis, with later trap requestors being denied service.
1541This flag
1542modifies the assignment algorithm by allowing low priority traps to
1543be overridden by later requests for normal priority traps.
1544@item @code{noepeer}
1545Deny ephemeral peer requests,
1546even if they come from an authenticated source.
1547Note that the ability to use a symmetric key for authentication may be restricted to
1548one or more IPs or subnets via the third field of the
1549@file{ntp.keys}
1550file.
1551This restriction is not enabled by default,
1552to maintain backward compatability.
1553Expect
1554@code{noepeer}
1555to become the default in ntp-4.4.
1556@item @code{nomodify}
1557Deny
1558@code{ntpq(1ntpqmdoc)}
1559and
1560@code{ntpdc(1ntpdcmdoc)}
1561queries which attempt to modify the state of the
1562server (i.e., run time reconfiguration).
1563Queries which return
1564information are permitted.
1565@item @code{noquery}
1566Deny
1567@code{ntpq(1ntpqmdoc)}
1568and
1569@code{ntpdc(1ntpdcmdoc)}
1570queries.
1571Time service is not affected.
1572@item @code{nopeer}
1573Deny unauthenticated packets which would result in mobilizing a new association.
1574This includes
1575broadcast and symmetric active packets
1576when a configured association does not exist.
1577It also includes
1578@code{pool}
1579associations, so if you want to use servers from a
1580@code{pool}
1581directive and also want to use
1582@code{nopeer}
1583by default, you'll want a
1584@code{restrict source ...}
1585line as well that does
1586@emph{not}
1587include the
1588@code{nopeer}
1589directive.
1590@item @code{noserve}
1591Deny all packets except
1592@code{ntpq(1ntpqmdoc)}
1593and
1594@code{ntpdc(1ntpdcmdoc)}
1595queries.
1596@item @code{notrap}
1597Decline to provide mode 6 control message trap service to matching
1598hosts.
1599The trap service is a subsystem of the
1600@code{ntpq(1ntpqmdoc)}
1601control message
1602protocol which is intended for use by remote event logging programs.
1603@item @code{notrust}
1604Deny service unless the packet is cryptographically authenticated.
1605@item @code{ntpport}
1606This is actually a match algorithm modifier, rather than a
1607restriction flag.
1608Its presence causes the restriction entry to be
1609matched only if the source port in the packet is the standard NTP
1610UDP port (123).
1611There can be two restriction entries with the same IP address if
1612one specifies
1613@code{ntpport}
1614and the other does not.
1615The
1616@code{ntpport}
1617entry is considered more specific and
1618is sorted later in the list.
1619@item @code{serverresponse fuzz}
1620When reponding to server requests,
1621fuzz the low order bits of the
1622@code{reftime}.
1623@item @code{version}
1624Deny packets that do not match the current NTP version.
1625@end table
1626
1627Default restriction list entries with the flags ignore, interface,
1628ntpport, for each of the local host's interface addresses are
1629inserted into the table at startup to prevent ntpd
1630from attempting to synchronize to itself, such as with
1631@code{manycastclient}
1632when
1633@code{manycast}
1634is also specified with the same multicast address.
1635A default entry is also always present, though if it is
1636otherwise unconfigured; no flags are associated
1637with the default entry (i.e., everything besides your own
1638NTP server is unrestricted).
1639@item @code{delrestrict} @code{[source]} @kbd{address}
1640Remove a previously-set restriction.  This is useful for
1641runtime configuration via
1642@code{ntpq(1ntpqmdoc)}
1643.  If
1644@code{source}
1645is specified, a dynamic restriction created from the
1646@code{restrict} @code{source}
1647template at the time
1648an association was added is removed.  Without
1649@code{source}
1650a static restriction is removed.
1651@end table
1652@node Automatic NTP Configuration Options
1653@subsection Automatic NTP Configuration Options
1654@subsubsection Manycasting
1655Manycasting is a automatic discovery and configuration paradigm
1656new to NTPv4.
1657It is intended as a means for a multicast client
1658to troll the nearby network neighborhood to find cooperating
1659manycast servers, validate them using cryptographic means
1660and evaluate their time values with respect to other servers
1661that might be lurking in the vicinity.
1662The intended result is that each manycast client mobilizes
1663client associations with some number of the "best"
1664of the nearby manycast servers, yet automatically reconfigures
1665to sustain this number of servers should one or another fail.
1666
1667Note that the manycasting paradigm does not coincide
1668with the anycast paradigm described in RFC-1546,
1669which is designed to find a single server from a clique
1670of servers providing the same service.
1671The manycast paradigm is designed to find a plurality
1672of redundant servers satisfying defined optimality criteria.
1673
1674Manycasting can be used with either symmetric key
1675or public key cryptography.
1676The public key infrastructure (PKI)
1677offers the best protection against compromised keys
1678and is generally considered stronger, at least with relatively
1679large key sizes.
1680It is implemented using the Autokey protocol and
1681the OpenSSL cryptographic library available from
1682@code{http://www.openssl.org/}.
1683The library can also be used with other NTPv4 modes
1684as well and is highly recommended, especially for broadcast modes.
1685
1686A persistent manycast client association is configured
1687using the
1688@code{manycastclient}
1689command, which is similar to the
1690@code{server}
1691command but with a multicast (IPv4 class
1692@code{D}
1693or IPv6 prefix
1694@code{FF})
1695group address.
1696The IANA has designated IPv4 address 224.1.1.1
1697and IPv6 address FF05::101 (site local) for NTP.
1698When more servers are needed, it broadcasts manycast
1699client messages to this address at the minimum feasible rate
1700and minimum feasible time-to-live (TTL) hops, depending
1701on how many servers have already been found.
1702There can be as many manycast client associations
1703as different group address, each one serving as a template
1704for a future ephemeral unicast client/server association.
1705
1706Manycast servers configured with the
1707@code{manycastserver}
1708command listen on the specified group address for manycast
1709client messages.
1710Note the distinction between manycast client,
1711which actively broadcasts messages, and manycast server,
1712which passively responds to them.
1713If a manycast server is
1714in scope of the current TTL and is itself synchronized
1715to a valid source and operating at a stratum level equal
1716to or lower than the manycast client, it replies to the
1717manycast client message with an ordinary unicast server message.
1718
1719The manycast client receiving this message mobilizes
1720an ephemeral client/server association according to the
1721matching manycast client template, but only if cryptographically
1722authenticated and the server stratum is less than or equal
1723to the client stratum.
1724Authentication is explicitly required
1725and either symmetric key or public key (Autokey) can be used.
1726Then, the client polls the server at its unicast address
1727in burst mode in order to reliably set the host clock
1728and validate the source.
1729This normally results
1730in a volley of eight client/server at 2-s intervals
1731during which both the synchronization and cryptographic
1732protocols run concurrently.
1733Following the volley,
1734the client runs the NTP intersection and clustering
1735algorithms, which act to discard all but the "best"
1736associations according to stratum and synchronization
1737distance.
1738The surviving associations then continue
1739in ordinary client/server mode.
1740
1741The manycast client polling strategy is designed to reduce
1742as much as possible the volume of manycast client messages
1743and the effects of implosion due to near-simultaneous
1744arrival of manycast server messages.
1745The strategy is determined by the
1746@code{manycastclient},
1747@code{tos}
1748and
1749@code{ttl}
1750configuration commands.
1751The manycast poll interval is
1752normally eight times the system poll interval,
1753which starts out at the
1754@code{minpoll}
1755value specified in the
1756@code{manycastclient},
1757command and, under normal circumstances, increments to the
1758@code{maxpolll}
1759value specified in this command.
1760Initially, the TTL is
1761set at the minimum hops specified by the
1762@code{ttl}
1763command.
1764At each retransmission the TTL is increased until reaching
1765the maximum hops specified by this command or a sufficient
1766number client associations have been found.
1767Further retransmissions use the same TTL.
1768
1769The quality and reliability of the suite of associations
1770discovered by the manycast client is determined by the NTP
1771mitigation algorithms and the
1772@code{minclock}
1773and
1774@code{minsane}
1775values specified in the
1776@code{tos}
1777configuration command.
1778At least
1779@code{minsane}
1780candidate servers must be available and the mitigation
1781algorithms produce at least
1782@code{minclock}
1783survivors in order to synchronize the clock.
1784Byzantine agreement principles require at least four
1785candidates in order to correctly discard a single falseticker.
1786For legacy purposes,
1787@code{minsane}
1788defaults to 1 and
1789@code{minclock}
1790defaults to 3.
1791For manycast service
1792@code{minsane}
1793should be explicitly set to 4, assuming at least that
1794number of servers are available.
1795
1796If at least
1797@code{minclock}
1798servers are found, the manycast poll interval is immediately
1799set to eight times
1800@code{maxpoll}.
1801If less than
1802@code{minclock}
1803servers are found when the TTL has reached the maximum hops,
1804the manycast poll interval is doubled.
1805For each transmission
1806after that, the poll interval is doubled again until
1807reaching the maximum of eight times
1808@code{maxpoll}.
1809Further transmissions use the same poll interval and
1810TTL values.
1811Note that while all this is going on,
1812each client/server association found is operating normally
1813it the system poll interval.
1814
1815Administratively scoped multicast boundaries are normally
1816specified by the network router configuration and,
1817in the case of IPv6, the link/site scope prefix.
1818By default, the increment for TTL hops is 32 starting
1819from 31; however, the
1820@code{ttl}
1821configuration command can be
1822used to modify the values to match the scope rules.
1823
1824It is often useful to narrow the range of acceptable
1825servers which can be found by manycast client associations.
1826Because manycast servers respond only when the client
1827stratum is equal to or greater than the server stratum,
1828primary (stratum 1) servers fill find only primary servers
1829in TTL range, which is probably the most common objective.
1830However, unless configured otherwise, all manycast clients
1831in TTL range will eventually find all primary servers
1832in TTL range, which is probably not the most common
1833objective in large networks.
1834The
1835@code{tos}
1836command can be used to modify this behavior.
1837Servers with stratum below
1838@code{floor}
1839or above
1840@code{ceiling}
1841specified in the
1842@code{tos}
1843command are strongly discouraged during the selection
1844process; however, these servers may be temporally
1845accepted if the number of servers within TTL range is
1846less than
1847@code{minclock}.
1848
1849The above actions occur for each manycast client message,
1850which repeats at the designated poll interval.
1851However, once the ephemeral client association is mobilized,
1852subsequent manycast server replies are discarded,
1853since that would result in a duplicate association.
1854If during a poll interval the number of client associations
1855falls below
1856@code{minclock},
1857all manycast client prototype associations are reset
1858to the initial poll interval and TTL hops and operation
1859resumes from the beginning.
1860It is important to avoid
1861frequent manycast client messages, since each one requires
1862all manycast servers in TTL range to respond.
1863The result could well be an implosion, either minor or major,
1864depending on the number of servers in range.
1865The recommended value for
1866@code{maxpoll}
1867is 12 (4,096 s).
1868
1869It is possible and frequently useful to configure a host
1870as both manycast client and manycast server.
1871A number of hosts configured this way and sharing a common
1872group address will automatically organize themselves
1873in an optimum configuration based on stratum and
1874synchronization distance.
1875For example, consider an NTP
1876subnet of two primary servers and a hundred or more
1877dependent clients.
1878With two exceptions, all servers
1879and clients have identical configuration files including both
1880@code{multicastclient}
1881and
1882@code{multicastserver}
1883commands using, for instance, multicast group address
1884239.1.1.1.
1885The only exception is that each primary server
1886configuration file must include commands for the primary
1887reference source such as a GPS receiver.
1888
1889The remaining configuration files for all secondary
1890servers and clients have the same contents, except for the
1891@code{tos}
1892command, which is specific for each stratum level.
1893For stratum 1 and stratum 2 servers, that command is
1894not necessary.
1895For stratum 3 and above servers the
1896@code{floor}
1897value is set to the intended stratum number.
1898Thus, all stratum 3 configuration files are identical,
1899all stratum 4 files are identical and so forth.
1900
1901Once operations have stabilized in this scenario,
1902the primary servers will find the primary reference source
1903and each other, since they both operate at the same
1904stratum (1), but not with any secondary server or client,
1905since these operate at a higher stratum.
1906The secondary
1907servers will find the servers at the same stratum level.
1908If one of the primary servers loses its GPS receiver,
1909it will continue to operate as a client and other clients
1910will time out the corresponding association and
1911re-associate accordingly.
1912
1913Some administrators prefer to avoid running
1914@code{ntpd(1ntpdmdoc)}
1915continuously and run either
1916@code{sntp(1sntpmdoc)}
1917or
1918@code{ntpd(1ntpdmdoc)}
1919@code{-q}
1920as a cron job.
1921In either case the servers must be
1922configured in advance and the program fails if none are
1923available when the cron job runs.
1924A really slick
1925application of manycast is with
1926@code{ntpd(1ntpdmdoc)}
1927@code{-q}.
1928The program wakes up, scans the local landscape looking
1929for the usual suspects, selects the best from among
1930the rascals, sets the clock and then departs.
1931Servers do not have to be configured in advance and
1932all clients throughout the network can have the same
1933configuration file.
1934@subsubsection Manycast Interactions with Autokey
1935Each time a manycast client sends a client mode packet
1936to a multicast group address, all manycast servers
1937in scope generate a reply including the host name
1938and status word.
1939The manycast clients then run
1940the Autokey protocol, which collects and verifies
1941all certificates involved.
1942Following the burst interval
1943all but three survivors are cast off,
1944but the certificates remain in the local cache.
1945It often happens that several complete signing trails
1946from the client to the primary servers are collected in this way.
1947
1948About once an hour or less often if the poll interval
1949exceeds this, the client regenerates the Autokey key list.
1950This is in general transparent in client/server mode.
1951However, about once per day the server private value
1952used to generate cookies is refreshed along with all
1953manycast client associations.
1954In this case all
1955cryptographic values including certificates is refreshed.
1956If a new certificate has been generated since
1957the last refresh epoch, it will automatically revoke
1958all prior certificates that happen to be in the
1959certificate cache.
1960At the same time, the manycast
1961scheme starts all over from the beginning and
1962the expanding ring shrinks to the minimum and increments
1963from there while collecting all servers in scope.
1964@subsubsection Broadcast Options
1965@table @asis
1966@item @code{tos} @code{[@code{bcpollbstep} @kbd{gate}]}
1967This command provides a way to delay,
1968by the specified number of broadcast poll intervals,
1969believing backward time steps from a broadcast server.
1970Broadcast time networks are expected to be trusted.
1971In the event a broadcast server's time is stepped backwards,
1972there is clear benefit to having the clients notice this change
1973as soon as possible.
1974Attacks such as replay attacks can happen, however,
1975and even though there are a number of protections built in to
1976broadcast mode, attempts to perform a replay attack are possible.
1977This value defaults to 0, but can be changed
1978to any number of poll intervals between 0 and 4.
1979@end table
1980@subsubsection Manycast Options
1981@table @asis
1982@item @code{tos} @code{[@code{ceiling} @kbd{ceiling} | @code{cohort} @code{@{} @code{0} | @code{1} @code{@}} | @code{floor} @kbd{floor} | @code{minclock} @kbd{minclock} | @code{minsane} @kbd{minsane}]}
1983This command affects the clock selection and clustering
1984algorithms.
1985It can be used to select the quality and
1986quantity of peers used to synchronize the system clock
1987and is most useful in manycast mode.
1988The variables operate
1989as follows:
1990@table @asis
1991@item @code{ceiling} @kbd{ceiling}
1992Peers with strata above
1993@code{ceiling}
1994will be discarded if there are at least
1995@code{minclock}
1996peers remaining.
1997This value defaults to 15, but can be changed
1998to any number from 1 to 15.
1999@item @code{cohort} @code{@{0 | 1@}}
2000This is a binary flag which enables (0) or disables (1)
2001manycast server replies to manycast clients with the same
2002stratum level.
2003This is useful to reduce implosions where
2004large numbers of clients with the same stratum level
2005are present.
2006The default is to enable these replies.
2007@item @code{floor} @kbd{floor}
2008Peers with strata below
2009@code{floor}
2010will be discarded if there are at least
2011@code{minclock}
2012peers remaining.
2013This value defaults to 1, but can be changed
2014to any number from 1 to 15.
2015@item @code{minclock} @kbd{minclock}
2016The clustering algorithm repeatedly casts out outlier
2017associations until no more than
2018@code{minclock}
2019associations remain.
2020This value defaults to 3,
2021but can be changed to any number from 1 to the number of
2022configured sources.
2023@item @code{minsane} @kbd{minsane}
2024This is the minimum number of candidates available
2025to the clock selection algorithm in order to produce
2026one or more truechimers for the clustering algorithm.
2027If fewer than this number are available, the clock is
2028undisciplined and allowed to run free.
2029The default is 1
2030for legacy purposes.
2031However, according to principles of
2032Byzantine agreement,
2033@code{minsane}
2034should be at least 4 in order to detect and discard
2035a single falseticker.
2036@end table
2037@item @code{ttl} @kbd{hop} @kbd{...}
2038This command specifies a list of TTL values in increasing
2039order, up to 8 values can be specified.
2040In manycast mode these values are used in turn
2041in an expanding-ring search.
2042The default is eight
2043multiples of 32 starting at 31.
2044@end table
2045@node Reference Clock Support
2046@subsection Reference Clock Support
2047The NTP Version 4 daemon supports some three dozen different radio,
2048satellite and modem reference clocks plus a special pseudo-clock
2049used for backup or when no other clock source is available.
2050Detailed descriptions of individual device drivers and options can
2051be found in the
2052"Reference Clock Drivers"
2053page
2054(available as part of the HTML documentation
2055provided in
2056@file{/usr/share/doc/ntp}).
2057Additional information can be found in the pages linked
2058there, including the
2059"Debugging Hints for Reference Clock Drivers"
2060and
2061"How To Write a Reference Clock Driver"
2062pages
2063(available as part of the HTML documentation
2064provided in
2065@file{/usr/share/doc/ntp}).
2066In addition, support for a PPS
2067signal is available as described in the
2068"Pulse-per-second (PPS) Signal Interfacing"
2069page
2070(available as part of the HTML documentation
2071provided in
2072@file{/usr/share/doc/ntp}).
2073Many
2074drivers support special line discipline/streams modules which can
2075significantly improve the accuracy using the driver.
2076These are
2077described in the
2078"Line Disciplines and Streams Drivers"
2079page
2080(available as part of the HTML documentation
2081provided in
2082@file{/usr/share/doc/ntp}).
2083
2084A reference clock will generally (though not always) be a radio
2085timecode receiver which is synchronized to a source of standard
2086time such as the services offered by the NRC in Canada and NIST and
2087USNO in the US.
2088The interface between the computer and the timecode
2089receiver is device dependent, but is usually a serial port.
2090A
2091device driver specific to each reference clock must be selected and
2092compiled in the distribution; however, most common radio, satellite
2093and modem clocks are included by default.
2094Note that an attempt to
2095configure a reference clock when the driver has not been compiled
2096or the hardware port has not been appropriately configured results
2097in a scalding remark to the system log file, but is otherwise non
2098hazardous.
2099
2100For the purposes of configuration,
2101@code{ntpd(1ntpdmdoc)}
2102treats
2103reference clocks in a manner analogous to normal NTP peers as much
2104as possible.
2105Reference clocks are identified by a syntactically
2106correct but invalid IP address, in order to distinguish them from
2107normal NTP peers.
2108Reference clock addresses are of the form
2109@code{127.127.}@kbd{t}.@kbd{u},
2110where
2111@kbd{t}
2112is an integer
2113denoting the clock type and
2114@kbd{u}
2115indicates the unit
2116number in the range 0-3.
2117While it may seem overkill, it is in fact
2118sometimes useful to configure multiple reference clocks of the same
2119type, in which case the unit numbers must be unique.
2120
2121The
2122@code{server}
2123command is used to configure a reference
2124clock, where the
2125@kbd{address}
2126argument in that command
2127is the clock address.
2128The
2129@code{key},
2130@code{version}
2131and
2132@code{ttl}
2133options are not used for reference clock support.
2134The
2135@code{mode}
2136option is added for reference clock support, as
2137described below.
2138The
2139@code{prefer}
2140option can be useful to
2141persuade the server to cherish a reference clock with somewhat more
2142enthusiasm than other reference clocks or peers.
2143Further
2144information on this option can be found in the
2145"Mitigation Rules and the prefer Keyword"
2146(available as part of the HTML documentation
2147provided in
2148@file{/usr/share/doc/ntp})
2149page.
2150The
2151@code{minpoll}
2152and
2153@code{maxpoll}
2154options have
2155meaning only for selected clock drivers.
2156See the individual clock
2157driver document pages for additional information.
2158
2159The
2160@code{fudge}
2161command is used to provide additional
2162information for individual clock drivers and normally follows
2163immediately after the
2164@code{server}
2165command.
2166The
2167@kbd{address}
2168argument specifies the clock address.
2169The
2170@code{refid}
2171and
2172@code{stratum}
2173options can be used to
2174override the defaults for the device.
2175There are two optional
2176device-dependent time offsets and four flags that can be included
2177in the
2178@code{fudge}
2179command as well.
2180
2181The stratum number of a reference clock is by default zero.
2182Since the
2183@code{ntpd(1ntpdmdoc)}
2184daemon adds one to the stratum of each
2185peer, a primary server ordinarily displays an external stratum of
2186one.
2187In order to provide engineered backups, it is often useful to
2188specify the reference clock stratum as greater than zero.
2189The
2190@code{stratum}
2191option is used for this purpose.
2192Also, in cases
2193involving both a reference clock and a pulse-per-second (PPS)
2194discipline signal, it is useful to specify the reference clock
2195identifier as other than the default, depending on the driver.
2196The
2197@code{refid}
2198option is used for this purpose.
2199Except where noted,
2200these options apply to all clock drivers.
2201@subsubsection Reference Clock Commands
2202@table @asis
2203@item @code{server} @code{127.127.}@kbd{t}.@kbd{u} @code{[@code{prefer}]} @code{[@code{mode} @kbd{int}]} @code{[@code{minpoll} @kbd{int}]} @code{[@code{maxpoll} @kbd{int}]}
2204This command can be used to configure reference clocks in
2205special ways.
2206The options are interpreted as follows:
2207@table @asis
2208@item @code{prefer}
2209Marks the reference clock as preferred.
2210All other things being
2211equal, this host will be chosen for synchronization among a set of
2212correctly operating hosts.
2213See the
2214"Mitigation Rules and the prefer Keyword"
2215page
2216(available as part of the HTML documentation
2217provided in
2218@file{/usr/share/doc/ntp})
2219for further information.
2220@item @code{mode} @kbd{int}
2221Specifies a mode number which is interpreted in a
2222device-specific fashion.
2223For instance, it selects a dialing
2224protocol in the ACTS driver and a device subtype in the
2225parse
2226drivers.
2227@item @code{minpoll} @kbd{int}
2228@item @code{maxpoll} @kbd{int}
2229These options specify the minimum and maximum polling interval
2230for reference clock messages, as a power of 2 in seconds
2231For
2232most directly connected reference clocks, both
2233@code{minpoll}
2234and
2235@code{maxpoll}
2236default to 6 (64 s).
2237For modem reference clocks,
2238@code{minpoll}
2239defaults to 10 (17.1 m) and
2240@code{maxpoll}
2241defaults to 14 (4.5 h).
2242The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
2243@end table
2244@item @code{fudge} @code{127.127.}@kbd{t}.@kbd{u} @code{[@code{time1} @kbd{sec}]} @code{[@code{time2} @kbd{sec}]} @code{[@code{stratum} @kbd{int}]} @code{[@code{refid} @kbd{string}]} @code{[@code{mode} @kbd{int}]} @code{[@code{flag1} @code{0} @code{|} @code{1}]} @code{[@code{flag2} @code{0} @code{|} @code{1}]} @code{[@code{flag3} @code{0} @code{|} @code{1}]} @code{[@code{flag4} @code{0} @code{|} @code{1}]}
2245This command can be used to configure reference clocks in
2246special ways.
2247It must immediately follow the
2248@code{server}
2249command which configures the driver.
2250Note that the same capability
2251is possible at run time using the
2252@code{ntpdc(1ntpdcmdoc)}
2253program.
2254The options are interpreted as
2255follows:
2256@table @asis
2257@item @code{time1} @kbd{sec}
2258Specifies a constant to be added to the time offset produced by
2259the driver, a fixed-point decimal number in seconds.
2260This is used
2261as a calibration constant to adjust the nominal time offset of a
2262particular clock to agree with an external standard, such as a
2263precision PPS signal.
2264It also provides a way to correct a
2265systematic error or bias due to serial port or operating system
2266latencies, different cable lengths or receiver internal delay.
2267The
2268specified offset is in addition to the propagation delay provided
2269by other means, such as internal DIPswitches.
2270Where a calibration
2271for an individual system and driver is available, an approximate
2272correction is noted in the driver documentation pages.
2273Note: in order to facilitate calibration when more than one
2274radio clock or PPS signal is supported, a special calibration
2275feature is available.
2276It takes the form of an argument to the
2277@code{enable}
2278command described in
2279@ref{Miscellaneous Options}
2280page and operates as described in the
2281"Reference Clock Drivers"
2282page
2283(available as part of the HTML documentation
2284provided in
2285@file{/usr/share/doc/ntp}).
2286@item @code{time2} @kbd{secs}
2287Specifies a fixed-point decimal number in seconds, which is
2288interpreted in a driver-dependent way.
2289See the descriptions of
2290specific drivers in the
2291"Reference Clock Drivers"
2292page
2293(available as part of the HTML documentation
2294provided in
2295@file{/usr/share/doc/ntp} @file{).}
2296@item @code{stratum} @kbd{int}
2297Specifies the stratum number assigned to the driver, an integer
2298between 0 and 15.
2299This number overrides the default stratum number
2300ordinarily assigned by the driver itself, usually zero.
2301@item @code{refid} @kbd{string}
2302Specifies an ASCII string of from one to four characters which
2303defines the reference identifier used by the driver.
2304This string
2305overrides the default identifier ordinarily assigned by the driver
2306itself.
2307@item @code{mode} @kbd{int}
2308Specifies a mode number which is interpreted in a
2309device-specific fashion.
2310For instance, it selects a dialing
2311protocol in the ACTS driver and a device subtype in the
2312parse
2313drivers.
2314@item @code{flag1} @code{0} @code{|} @code{1}
2315@item @code{flag2} @code{0} @code{|} @code{1}
2316@item @code{flag3} @code{0} @code{|} @code{1}
2317@item @code{flag4} @code{0} @code{|} @code{1}
2318These four flags are used for customizing the clock driver.
2319The
2320interpretation of these values, and whether they are used at all,
2321is a function of the particular clock driver.
2322However, by
2323convention
2324@code{flag4}
2325is used to enable recording monitoring
2326data to the
2327@code{clockstats}
2328file configured with the
2329@code{filegen}
2330command.
2331Further information on the
2332@code{filegen}
2333command can be found in
2334@ref{Monitoring Options}.
2335@end table
2336@end table
2337@node Miscellaneous Options
2338@subsection Miscellaneous Options
2339@table @asis
2340@item @code{broadcastdelay} @kbd{seconds}
2341The broadcast and multicast modes require a special calibration
2342to determine the network delay between the local and remote
2343servers.
2344Ordinarily, this is done automatically by the initial
2345protocol exchanges between the client and server.
2346In some cases,
2347the calibration procedure may fail due to network or server access
2348controls, for example.
2349This command specifies the default delay to
2350be used under these circumstances.
2351Typically (for Ethernet), a
2352number between 0.003 and 0.007 seconds is appropriate.
2353The default
2354when this command is not used is 0.004 seconds.
2355@item @code{driftfile} @kbd{driftfile}
2356This command specifies the complete path and name of the file used to
2357record the frequency of the local clock oscillator.
2358This is the same
2359operation as the
2360@code{-f}
2361command line option.
2362If the file exists, it is read at
2363startup in order to set the initial frequency and then updated once per
2364hour with the current frequency computed by the daemon.
2365If the file name is
2366specified, but the file itself does not exist, the starts with an initial
2367frequency of zero and creates the file when writing it for the first time.
2368If this command is not given, the daemon will always start with an initial
2369frequency of zero.
2370
2371The file format consists of a single line containing a single
2372floating point number, which records the frequency offset measured
2373in parts-per-million (PPM).
2374The file is updated by first writing
2375the current drift value into a temporary file and then renaming
2376this file to replace the old version.
2377This implies that
2378@code{ntpd(1ntpdmdoc)}
2379must have write permission for the directory the
2380drift file is located in, and that file system links, symbolic or
2381otherwise, should be avoided.
2382@item @code{dscp} @kbd{value}
2383This option specifies the Differentiated Services Control Point (DSCP) value,
2384a 6-bit code.
2385The default value is 46, signifying Expedited Forwarding.
2386@item @code{enable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{peer_clear_digest_early} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]}
2387@item @code{disable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{peer_clear_digest_early} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]}
2388Provides a way to enable or disable various server options.
2389Flags not mentioned are unaffected.
2390Note that all of these flags
2391can be controlled remotely using the
2392@code{ntpdc(1ntpdcmdoc)}
2393utility program.
2394@table @asis
2395@item @code{auth}
2396Enables the server to synchronize with unconfigured peers only if the
2397peer has been correctly authenticated using either public key or
2398private key cryptography.
2399The default for this flag is
2400@code{enable}.
2401@item @code{bclient}
2402Enables the server to listen for a message from a broadcast or
2403multicast server, as in the
2404@code{multicastclient}
2405command with default
2406address.
2407The default for this flag is
2408@code{disable}.
2409@item @code{calibrate}
2410Enables the calibrate feature for reference clocks.
2411The default for
2412this flag is
2413@code{disable}.
2414@item @code{kernel}
2415Enables the kernel time discipline, if available.
2416The default for this
2417flag is
2418@code{enable}
2419if support is available, otherwise
2420@code{disable}.
2421@item @code{mode7}
2422Enables processing of NTP mode 7 implementation-specific requests
2423which are used by the deprecated
2424@code{ntpdc(1ntpdcmdoc)}
2425program.
2426The default for this flag is disable.
2427This flag is excluded from runtime configuration using
2428@code{ntpq(1ntpqmdoc)}.
2429The
2430@code{ntpq(1ntpqmdoc)}
2431program provides the same capabilities as
2432@code{ntpdc(1ntpdcmdoc)}
2433using standard mode 6 requests.
2434@item @code{monitor}
2435Enables the monitoring facility.
2436See the
2437@code{ntpdc(1ntpdcmdoc)}
2438program
2439and the
2440@code{monlist}
2441command or further information.
2442The
2443default for this flag is
2444@code{enable}.
2445@item @code{ntp}
2446Enables time and frequency discipline.
2447In effect, this switch opens and
2448closes the feedback loop, which is useful for testing.
2449The default for
2450this flag is
2451@code{enable}.
2452@item @code{peer_clear_digest_early}
2453By default, if
2454@code{ntpd(1ntpdmdoc)}
2455is using autokey and it
2456receives a crypto-NAK packet that
2457passes the duplicate packet and origin timestamp checks
2458the peer variables are immediately cleared.
2459While this is generally a feature
2460as it allows for quick recovery if a server key has changed,
2461a properly forged and appropriately delivered crypto-NAK packet
2462can be used in a DoS attack.
2463If you have active noticable problems with this type of DoS attack
2464then you should consider
2465disabling this option.
2466You can check your
2467@code{peerstats}
2468file for evidence of any of these attacks.
2469The
2470default for this flag is
2471@code{enable}.
2472@item @code{stats}
2473Enables the statistics facility.
2474See the
2475@ref{Monitoring Options}
2476section for further information.
2477The default for this flag is
2478@code{disable}.
2479@item @code{unpeer_crypto_early}
2480By default, if
2481@code{ntpd(1ntpdmdoc)}
2482receives an autokey packet that fails TEST9,
2483a crypto failure,
2484the association is immediately cleared.
2485This is almost certainly a feature,
2486but if, in spite of the current recommendation of not using autokey,
2487you are
2488.B still
2489using autokey
2490.B and
2491you are seeing this sort of DoS attack
2492disabling this flag will delay
2493tearing down the association until the reachability counter
2494becomes zero.
2495You can check your
2496@code{peerstats}
2497file for evidence of any of these attacks.
2498The
2499default for this flag is
2500@code{enable}.
2501@item @code{unpeer_crypto_nak_early}
2502By default, if
2503@code{ntpd(1ntpdmdoc)}
2504receives a crypto-NAK packet that
2505passes the duplicate packet and origin timestamp checks
2506the association is immediately cleared.
2507While this is generally a feature
2508as it allows for quick recovery if a server key has changed,
2509a properly forged and appropriately delivered crypto-NAK packet
2510can be used in a DoS attack.
2511If you have active noticable problems with this type of DoS attack
2512then you should consider
2513disabling this option.
2514You can check your
2515@code{peerstats}
2516file for evidence of any of these attacks.
2517The
2518default for this flag is
2519@code{enable}.
2520@item @code{unpeer_digest_early}
2521By default, if
2522@code{ntpd(1ntpdmdoc)}
2523receives what should be an authenticated packet
2524that passes other packet sanity checks but
2525contains an invalid digest
2526the association is immediately cleared.
2527While this is generally a feature
2528as it allows for quick recovery,
2529if this type of packet is carefully forged and sent
2530during an appropriate window it can be used for a DoS attack.
2531If you have active noticable problems with this type of DoS attack
2532then you should consider
2533disabling this option.
2534You can check your
2535@code{peerstats}
2536file for evidence of any of these attacks.
2537The
2538default for this flag is
2539@code{enable}.
2540@end table
2541@item @code{includefile} @kbd{includefile}
2542This command allows additional configuration commands
2543to be included from a separate file.
2544Include files may
2545be nested to a depth of five; upon reaching the end of any
2546include file, command processing resumes in the previous
2547configuration file.
2548This option is useful for sites that run
2549@code{ntpd(1ntpdmdoc)}
2550on multiple hosts, with (mostly) common options (e.g., a
2551restriction list).
2552@item @code{interface} @code{[@code{listen} | @code{ignore} | @code{drop}]} @code{[@code{all} | @code{ipv4} | @code{ipv6} | @code{wildcard} @kbd{name} | @kbd{address} @code{[@code{/} @kbd{prefixlen}]}]}
2553The
2554@code{interface}
2555directive controls which network addresses
2556@code{ntpd(1ntpdmdoc)}
2557opens, and whether input is dropped without processing.
2558The first parameter determines the action for addresses
2559which match the second parameter.
2560The second parameter specifies a class of addresses,
2561or a specific interface name,
2562or an address.
2563In the address case,
2564@kbd{prefixlen}
2565determines how many bits must match for this rule to apply.
2566@code{ignore}
2567prevents opening matching addresses,
2568@code{drop}
2569causes
2570@code{ntpd(1ntpdmdoc)}
2571to open the address and drop all received packets without examination.
2572Multiple
2573@code{interface}
2574directives can be used.
2575The last rule which matches a particular address determines the action for it.
2576@code{interface}
2577directives are disabled if any
2578@code{-I},
2579@code{--interface},
2580@code{-L},
2581or
2582@code{--novirtualips}
2583command-line options are specified in the configuration file,
2584all available network addresses are opened.
2585The
2586@code{nic}
2587directive is an alias for
2588@code{interface}.
2589@item @code{leapfile} @kbd{leapfile}
2590This command loads the IERS leapseconds file and initializes the
2591leapsecond values for the next leapsecond event, leapfile expiration
2592time, and TAI offset.
2593The file can be obtained directly from the IERS at
2594@code{https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list}
2595or
2596@code{ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list}.
2597The
2598@code{leapfile}
2599is scanned when
2600@code{ntpd(1ntpdmdoc)}
2601processes the
2602@code{leapfile} @code{directive} @code{or} @code{when}
2603@code{ntpd} @code{detects} @code{that} @code{the}
2604@kbd{leapfile}
2605has changed.
2606@code{ntpd}
2607checks once a day to see if the
2608@kbd{leapfile}
2609has changed.
2610The
2611@code{update-leap(1update_leapmdoc)}
2612script can be run to see if the
2613@kbd{leapfile}
2614should be updated.
2615@item @code{leapsmearinterval} @kbd{seconds}
2616This EXPERIMENTAL option is only available if
2617@code{ntpd(1ntpdmdoc)}
2618was built with the
2619@code{--enable-leap-smear}
2620option to the
2621@code{configure}
2622script.
2623It specifies the interval over which a leap second correction will be applied.
2624Recommended values for this option are between
26257200 (2 hours) and 86400 (24 hours).
2626.Sy DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS!
2627See http://bugs.ntp.org/2855 for more information.
2628@item @code{logconfig} @kbd{configkeyword}
2629This command controls the amount and type of output written to
2630the system
2631@code{syslog(3)}
2632facility or the alternate
2633@code{logfile}
2634log file.
2635By default, all output is turned on.
2636All
2637@kbd{configkeyword}
2638keywords can be prefixed with
2639@quoteleft{}=@quoteright{},
2640@quoteleft{}+@quoteright{}
2641and
2642@quoteleft{}-@quoteright{},
2643where
2644@quoteleft{}=@quoteright{}
2645sets the
2646@code{syslog(3)}
2647priority mask,
2648@quoteleft{}+@quoteright{}
2649adds and
2650@quoteleft{}-@quoteright{}
2651removes
2652messages.
2653@code{syslog(3)}
2654messages can be controlled in four
2655classes
2656(@code{clock}, @code{peer}, @code{sys} and @code{sync}).
2657Within these classes four types of messages can be
2658controlled: informational messages
2659(@code{info}),
2660event messages
2661(@code{events}),
2662statistics messages
2663(@code{statistics})
2664and
2665status messages
2666(@code{status}).
2667
2668Configuration keywords are formed by concatenating the message class with
2669the event class.
2670The
2671@code{all}
2672prefix can be used instead of a message class.
2673A
2674message class may also be followed by the
2675@code{all}
2676keyword to enable/disable all
2677messages of the respective message class.
2678Thus, a minimal log configuration
2679could look like this:
2680@verbatim
2681logconfig =syncstatus +sysevents
2682@end verbatim
2683
2684This would just list the synchronizations state of
2685@code{ntpd(1ntpdmdoc)}
2686and the major system events.
2687For a simple reference server, the
2688following minimum message configuration could be useful:
2689@verbatim
2690logconfig =syncall +clockall
2691@end verbatim
2692
2693This configuration will list all clock information and
2694synchronization information.
2695All other events and messages about
2696peers, system events and so on is suppressed.
2697@item @code{logfile} @kbd{logfile}
2698This command specifies the location of an alternate log file to
2699be used instead of the default system
2700@code{syslog(3)}
2701facility.
2702This is the same operation as the
2703@code{-l}
2704command line option.
2705@item @code{mru} @code{[@code{maxdepth} @kbd{count} | @code{maxmem} @kbd{kilobytes} | @code{mindepth} @kbd{count} | @code{maxage} @kbd{seconds} | @code{initialloc} @kbd{count} | @code{initmem} @kbd{kilobytes} | @code{incalloc} @kbd{count} | @code{incmem} @kbd{kilobytes}]}
2706Controls size limite of the monitoring facility's Most Recently Used
2707(MRU) list
2708of client addresses, which is also used by the
2709rate control facility.
2710@table @asis
2711@item @code{maxdepth} @kbd{count}
2712@item @code{maxmem} @kbd{kilobytes}
2713Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
2714The acutal limit will be up to
2715@code{incalloc}
2716entries or
2717@code{incmem}
2718kilobytes larger.
2719As with all of the
2720@code{mru}
2721options offered in units of entries or kilobytes, if both
2722@code{maxdepth}
2723and
2724@code{maxmem} @code{are} @code{used,} @code{the} @code{last} @code{one} @code{used} @code{controls.}
2725The default is 1024 kilobytes.
2726@item @code{mindepth} @kbd{count}
2727Lower limit on the MRU list size.
2728When the MRU list has fewer than
2729@code{mindepth}
2730entries, existing entries are never removed to make room for newer ones,
2731regardless of their age.
2732The default is 600 entries.
2733@item @code{maxage} @kbd{seconds}
2734Once the MRU list has
2735@code{mindepth}
2736entries and an additional client is to ba added to the list,
2737if the oldest entry was updated more than
2738@code{maxage}
2739seconds ago, that entry is removed and its storage is reused.
2740If the oldest entry was updated more recently the MRU list is grown,
2741subject to
2742@code{maxdepth} @code{/} @code{moxmem}.
2743The default is 64 seconds.
2744@item @code{initalloc} @kbd{count}
2745@item @code{initmem} @kbd{kilobytes}
2746Initial memory allocation at the time the monitoringfacility is first enabled,
2747in terms of the number of entries or kilobytes.
2748The default is 4 kilobytes.
2749@item @code{incalloc} @kbd{count}
2750@item @code{incmem} @kbd{kilobytes}
2751Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
2752The default is 4 kilobytes.
2753@end table
2754@item @code{nonvolatile} @kbd{threshold}
2755Specify the
2756@kbd{threshold}
2757delta in seconds before an hourly change to the
2758@code{driftfile}
2759(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
2760The frequency file is inspected each hour.
2761If the difference between the current frequency and the last value written
2762exceeds the threshold, the file is written and the
2763@code{threshold}
2764becomes the new threshold value.
2765If the threshold is not exceeeded, it is reduced by half.
2766This is intended to reduce the number of file writes
2767for embedded systems with nonvolatile memory.
2768@item @code{phone} @kbd{dial} @kbd{...}
2769This command is used in conjunction with
2770the ACTS modem driver (type 18)
2771or the JJY driver (type 40, mode 100 - 180).
2772For the ACTS modem driver (type 18), the arguments consist of
2773a maximum of 10 telephone numbers used to dial USNO, NIST, or European
2774time service.
2775For the JJY driver (type 40 mode 100 - 180), the argument is
2776one telephone number used to dial the telephone JJY service.
2777The Hayes command ATDT is normally prepended to the number.
2778The number can contain other modem control codes as well.
2779@item @code{pollskewlist} @code{[@kbd{poll} @kbd{early} @kbd{late}]} @kbd{...} @code{[@code{default} @kbd{early} @kbd{late}]}
2780Enable skewing of our poll requests to our servers.
2781@kbd{poll}
2782is a number between 3 and 17 inclusive, identifying a specific poll interval.
2783A poll interval is 2^n seconds in duration,
2784so a poll value of 3 corresponds to 8 seconds
2785and
2786a poll interval of 17 corresponds to
2787131,072 seconds, or about a day and a half.
2788The next two numbers must be between 0 and one-half of the poll interval,
2789inclusive.
2790Ar early
2791specifies how early the poll may start,
2792while
2793Ar late
2794specifies how late the poll may be delayed.
2795With no arguments, internally specified default values are chosen.
2796@item @code{reset} @code{[@code{allpeers}]} @code{[@code{auth}]} @code{[@code{ctl}]} @code{[@code{io}]} @code{[@code{mem}]} @code{[@code{sys}]} @code{[@code{timer}]}
2797Reset one or more groups of counters maintained by
2798@code{ntpd}
2799and exposed by
2800@code{ntpq}
2801and
2802@code{ntpdc}.
2803@item @code{rlimit} @code{[@code{memlock} @kbd{Nmegabytes} | @code{stacksize} @kbd{N4kPages} @code{filenum} @kbd{Nfiledescriptors}]}
2804@table @asis
2805@item @code{memlock} @kbd{Nmegabytes}
2806Specify the number of megabytes of memory that should be
2807allocated and locked.
2808Probably only available under Linux, this option may be useful
2809when dropping root (the
2810@code{-i}
2811option).
2812The default is 32 megabytes on non-Linux machines, and -1 under Linux.
2813-1 means "do not lock the process into memory".
28140 means "lock whatever memory the process wants into memory".
2815@item @code{stacksize} @kbd{N4kPages}
2816Specifies the maximum size of the process stack on systems with the
2817@code{mlockall()}
2818function.
2819Defaults to 50 4k pages (200 4k pages in OpenBSD).
2820@item @code{filenum} @kbd{Nfiledescriptors}
2821Specifies the maximum number of file descriptors ntpd may have open at once.
2822Defaults to the system default.
2823@end table
2824@item @code{saveconfigdir} @kbd{directory_path}
2825Specify the directory in which to write configuration snapshots
2826requested with
2827.Cm ntpq 's
2828@code{saveconfig}
2829command.
2830If
2831@code{saveconfigdir}
2832does not appear in the configuration file,
2833@code{saveconfig}
2834requests are rejected by
2835@code{ntpd}.
2836@item @code{saveconfig} @kbd{filename}
2837Write the current configuration, including any runtime
2838modifications given with
2839@code{:config}
2840or
2841@code{config-from-file}
2842to the
2843@code{ntpd}
2844host's
2845@kbd{filename}
2846in the
2847@code{saveconfigdir}.
2848This command will be rejected unless the
2849@code{saveconfigdir}
2850directive appears in
2851.Cm ntpd 's
2852configuration file.
2853@kbd{filename}
2854can use
2855@code{strftime(3)}
2856format directives to substitute the current date and time,
2857for example,
2858@code{saveconfig\ ntp-%Y%m%d-%H%M%S.conf}.
2859The filename used is stored in the system variable
2860@code{savedconfig}.
2861Authentication is required.
2862@item @code{setvar} @kbd{variable} @code{[@code{default}]}
2863This command adds an additional system variable.
2864These
2865variables can be used to distribute additional information such as
2866the access policy.
2867If the variable of the form
2868@code{name}@code{=}@kbd{value}
2869is followed by the
2870@code{default}
2871keyword, the
2872variable will be listed as part of the default system variables
2873(@code{rv} command)).
2874These additional variables serve
2875informational purposes only.
2876They are not related to the protocol
2877other that they can be listed.
2878The known protocol variables will
2879always override any variables defined via the
2880@code{setvar}
2881mechanism.
2882There are three special variables that contain the names
2883of all variable of the same group.
2884The
2885@code{sys_var_list}
2886holds
2887the names of all system variables.
2888The
2889@code{peer_var_list}
2890holds
2891the names of all peer variables and the
2892@code{clock_var_list}
2893holds the names of the reference clock variables.
2894@item @code{sysinfo}
2895Display operational summary.
2896@item @code{sysstats}
2897Show statistics counters maintained in the protocol module.
2898@item @code{tinker} @code{[@code{allan} @kbd{allan} | @code{dispersion} @kbd{dispersion} | @code{freq} @kbd{freq} | @code{huffpuff} @kbd{huffpuff} | @code{panic} @kbd{panic} | @code{step} @kbd{step} | @code{stepback} @kbd{stepback} | @code{stepfwd} @kbd{stepfwd} | @code{stepout} @kbd{stepout}]}
2899This command can be used to alter several system variables in
2900very exceptional circumstances.
2901It should occur in the
2902configuration file before any other configuration options.
2903The
2904default values of these variables have been carefully optimized for
2905a wide range of network speeds and reliability expectations.
2906In
2907general, they interact in intricate ways that are hard to predict
2908and some combinations can result in some very nasty behavior.
2909Very
2910rarely is it necessary to change the default values; but, some
2911folks cannot resist twisting the knobs anyway and this command is
2912for them.
2913Emphasis added: twisters are on their own and can expect
2914no help from the support group.
2915
2916The variables operate as follows:
2917@table @asis
2918@item @code{allan} @kbd{allan}
2919The argument becomes the new value for the minimum Allan
2920intercept, which is a parameter of the PLL/FLL clock discipline
2921algorithm.
2922The value in log2 seconds defaults to 7 (1024 s), which is also the lower
2923limit.
2924@item @code{dispersion} @kbd{dispersion}
2925The argument becomes the new value for the dispersion increase rate,
2926normally .000015 s/s.
2927@item @code{freq} @kbd{freq}
2928The argument becomes the initial value of the frequency offset in
2929parts-per-million.
2930This overrides the value in the frequency file, if
2931present, and avoids the initial training state if it is not.
2932@item @code{huffpuff} @kbd{huffpuff}
2933The argument becomes the new value for the experimental
2934huff-n'-puff filter span, which determines the most recent interval
2935the algorithm will search for a minimum delay.
2936The lower limit is
2937900 s (15 m), but a more reasonable value is 7200 (2 hours).
2938There
2939is no default, since the filter is not enabled unless this command
2940is given.
2941@item @code{panic} @kbd{panic}
2942The argument is the panic threshold, normally 1000 s.
2943If set to zero,
2944the panic sanity check is disabled and a clock offset of any value will
2945be accepted.
2946@item @code{step} @kbd{step}
2947The argument is the step threshold, which by default is 0.128 s.
2948It can
2949be set to any positive number in seconds.
2950If set to zero, step
2951adjustments will never occur.
2952Note: The kernel time discipline is
2953disabled if the step threshold is set to zero or greater than the
2954default.
2955@item @code{stepback} @kbd{stepback}
2956The argument is the step threshold for the backward direction,
2957which by default is 0.128 s.
2958It can
2959be set to any positive number in seconds.
2960If both the forward and backward step thresholds are set to zero, step
2961adjustments will never occur.
2962Note: The kernel time discipline is
2963disabled if
2964each direction of step threshold are either
2965set to zero or greater than .5 second.
2966@item @code{stepfwd} @kbd{stepfwd}
2967As for stepback, but for the forward direction.
2968@item @code{stepout} @kbd{stepout}
2969The argument is the stepout timeout, which by default is 900 s.
2970It can
2971be set to any positive number in seconds.
2972If set to zero, the stepout
2973pulses will not be suppressed.
2974@end table
2975@item @code{writevar} @kbd{assocID\ name} @kbd{=} @kbd{value} @kbd{[,...]}
2976Write (create or update) the specified variables.
2977If the
2978@code{assocID}
2979is zero, the variablea re from the
2980system variables
2981name space, otherwise they are from the
2982peer variables
2983name space.
2984The
2985@code{assocID}
2986is required, as the same name can occur in both name spaces.
2987@item @code{trap} @kbd{host_address} @code{[@code{port} @kbd{port_number}]} @code{[@code{interface} @kbd{interface_address}]}
2988This command configures a trap receiver at the given host
2989address and port number for sending messages with the specified
2990local interface address.
2991If the port number is unspecified, a value
2992of 18447 is used.
2993If the interface address is not specified, the
2994message is sent with a source address of the local interface the
2995message is sent through.
2996Note that on a multihomed host the
2997interface used may vary from time to time with routing changes.
2998@item @code{ttl} @kbd{hop} @kbd{...}
2999This command specifies a list of TTL values in increasing order.
3000Up to 8 values can be specified.
3001In
3002@code{manycast}
3003mode these values are used in-turn in an expanding-ring search.
3004The default is eight multiples of 32 starting at 31.
3005
3006The trap receiver will generally log event messages and other
3007information from the server in a log file.
3008While such monitor
3009programs may also request their own trap dynamically, configuring a
3010trap receiver will ensure that no messages are lost when the server
3011is started.
3012@item @code{hop} @kbd{...}
3013This command specifies a list of TTL values in increasing order, up to 8
3014values can be specified.
3015In manycast mode these values are used in turn in
3016an expanding-ring search.
3017The default is eight multiples of 32 starting at
301831.
3019@end table
3020
3021This section was generated by @strong{AutoGen},
3022using the @code{agtexi-cmd} template and the option descriptions for the @code{ntp.conf} program.
3023This software is released under the NTP license, <http://ntp.org/license>.
3024
3025@menu
3026* ntp.conf Files::                  Files
3027* ntp.conf See Also::               See Also
3028* ntp.conf Bugs::                   Bugs
3029* ntp.conf Notes::                  Notes
3030@end menu
3031
3032@node ntp.conf Files
3033@subsection ntp.conf Files
3034@table @asis
3035@item @file{/etc/ntp.conf}
3036the default name of the configuration file
3037@item @file{ntp.keys}
3038private MD5 keys
3039@item @file{ntpkey}
3040RSA private key
3041@item @file{ntpkey_}@kbd{host}
3042RSA public key
3043@item @file{ntp_dh}
3044Diffie-Hellman agreement parameters
3045@end table
3046@node ntp.conf See Also
3047@subsection ntp.conf See Also
3048@code{ntpd(1ntpdmdoc)},
3049@code{ntpdc(1ntpdcmdoc)},
3050@code{ntpq(1ntpqmdoc)}
3051
3052In addition to the manual pages provided,
3053comprehensive documentation is available on the world wide web
3054at
3055@code{http://www.ntp.org/}.
3056A snapshot of this documentation is available in HTML format in
3057@file{/usr/share/doc/ntp}.
3058@*
3059
3060@*
3061David L. Mills, @emph{Network Time Protocol (Version 4)}, RFC5905
3062@node ntp.conf Bugs
3063@subsection ntp.conf Bugs
3064The syntax checking is not picky; some combinations of
3065ridiculous and even hilarious options and modes may not be
3066detected.
3067
3068The
3069@file{ntpkey_}@kbd{host}
3070files are really digital
3071certificates.
3072These should be obtained via secure directory
3073services when they become universally available.
3074@node ntp.conf Notes
3075@subsection ntp.conf Notes
3076This document was derived from FreeBSD.
3077