xref: /freebsd/contrib/ntp/ntpd/ntp.conf.html (revision 2938ecc85c29202824e83d65af5c3a4fb7b3e5fb)
1<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
2<html>
3<!-- Created by GNU Texinfo 6.5, http://www.gnu.org/software/texinfo/ -->
4<head>
5<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
6<title>NTP Configuration File User&rsquo;s Manual</title>
7
8<meta name="description" content="NTP Configuration File User&rsquo;s Manual">
9<meta name="keywords" content="NTP Configuration File User&rsquo;s Manual">
10<meta name="resource-type" content="document">
11<meta name="distribution" content="global">
12<meta name="Generator" content="makeinfo">
13<link href="#Top" rel="start" title="Top">
14<link href="dir.html#Top" rel="up" title="(dir)">
15<style type="text/css">
16<!--
17a.summary-letter {text-decoration: none}
18blockquote.indentedblock {margin-right: 0em}
19blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
20blockquote.smallquotation {font-size: smaller}
21div.display {margin-left: 3.2em}
22div.example {margin-left: 3.2em}
23div.lisp {margin-left: 3.2em}
24div.smalldisplay {margin-left: 3.2em}
25div.smallexample {margin-left: 3.2em}
26div.smalllisp {margin-left: 3.2em}
27kbd {font-style: oblique}
28pre.display {font-family: inherit}
29pre.format {font-family: inherit}
30pre.menu-comment {font-family: serif}
31pre.menu-preformatted {font-family: serif}
32pre.smalldisplay {font-family: inherit; font-size: smaller}
33pre.smallexample {font-size: smaller}
34pre.smallformat {font-family: inherit; font-size: smaller}
35pre.smalllisp {font-size: smaller}
36span.nolinebreak {white-space: nowrap}
37span.roman {font-family: initial; font-weight: normal}
38span.sansserif {font-family: sans-serif; font-weight: normal}
39ul.no-bullet {list-style: none}
40-->
41</style>
42
43
44</head>
45
46<body lang="en">
47<h1 class="settitle" align="center">NTP Configuration File User&rsquo;s Manual</h1>
48
49
50
51
52
53<a name="Top"></a>
54<div class="header">
55<p>
56Next: <a href="#ntp_002econf-Description" accesskey="n" rel="next">ntp.conf Description</a>, Previous: <a href="dir.html#Top" accesskey="p" rel="prev">(dir)</a>, Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; </p>
57</div>
58<a name="NTP_0027s-Configuration-File-User-Manual"></a>
59<h1 class="top">NTP&rsquo;s Configuration File User Manual</h1>
60
61<p>This document describes the configuration file for the NTP Project&rsquo;s
62<code>ntpd</code> program.
63</p>
64<p>This document applies to version 4.2.8p15 of <code>ntp.conf</code>.
65</p>
66<a name="SEC_Overview"></a>
67<h2 class="shortcontents-heading">Short Table of Contents</h2>
68
69<div class="shortcontents">
70<ul class="no-bullet">
71<li><a name="stoc-Description" href="#toc-Description">1 Description</a></li>
72</ul>
73</div>
74
75
76<table class="menu" border="0" cellspacing="0">
77<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Description" accesskey="1">ntp.conf Description</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
78</td></tr>
79<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Notes" accesskey="2">ntp.conf Notes</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
80</td></tr>
81</table>
82
83<hr>
84<a name="ntp_002econf-Description"></a>
85<div class="header">
86<p>
87Previous: <a href="#Top" accesskey="p" rel="prev">Top</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; </p>
88</div>
89<a name="Description"></a>
90<h2 class="chapter">1 Description</h2>
91
92<p>The behavior of  <code>ntpd</code> can be changed by a configuration file,
93by default <code>ntp.conf</code>.
94</p>
95<table class="menu" border="0" cellspacing="0">
96<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Notes" accesskey="1">ntp.conf Notes</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
97</td></tr>
98</table>
99
100<hr>
101<a name="ntp_002econf-Notes"></a>
102<div class="header">
103<p>
104Previous: <a href="#ntp_002econf-Bugs" accesskey="p" rel="prev">ntp.conf Bugs</a>, Up: <a href="#ntp_002econf-Description" accesskey="u" rel="up">ntp.conf Description</a> &nbsp; </p>
105</div>
106<a name="Notes-about-ntp_002econf"></a>
107<h3 class="section">1.1 Notes about ntp.conf</h3>
108<a name="index-ntp_002econf"></a>
109<a name="index-Network-Time-Protocol-_0028NTP_0029-daemon-configuration-file-format"></a>
110
111
112
113<p>The
114<code>ntp.conf</code>
115configuration file is read at initial startup by the
116<code>ntpd(1ntpdmdoc)</code>
117daemon in order to specify the synchronization sources,
118modes and other related information.
119Usually, it is installed in the
120<samp>/etc</samp>
121directory,
122but could be installed elsewhere
123(see the daemon&rsquo;s
124<code>-c</code>
125command line option).
126</p>
127<p>The file format is similar to other
128<small>UNIX</small>
129configuration files.
130Comments begin with a
131&lsquo;#&rsquo;
132character and extend to the end of the line;
133blank lines are ignored.
134Configuration commands consist of an initial keyword
135followed by a list of arguments,
136some of which may be optional, separated by whitespace.
137Commands may not be continued over multiple lines.
138Arguments may be host names,
139host addresses written in numeric, dotted-quad form,
140integers, floating point numbers (when specifying times in seconds)
141and text strings.
142</p>
143<p>The rest of this page describes the configuration and control options.
144The
145&quot;Notes on Configuring NTP and Setting up an NTP Subnet&quot;
146page
147(available as part of the HTML documentation
148provided in
149<samp>/usr/share/doc/ntp</samp>)
150contains an extended discussion of these options.
151In addition to the discussion of general
152&lsquo;Configuration Options&rsquo;,
153there are sections describing the following supported functionality
154and the options used to control it:
155</p><ul>
156<li> <a href="#Authentication-Support">Authentication Support</a>
157</li><li> <a href="#Monitoring-Support">Monitoring Support</a>
158</li><li> <a href="#Access-Control-Support">Access Control Support</a>
159</li><li> <a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a>
160</li><li> <a href="#Reference-Clock-Support">Reference Clock Support</a>
161</li><li> <a href="#Miscellaneous-Options">Miscellaneous Options</a>
162</li></ul>
163
164<p>Following these is a section describing
165<a href="#Miscellaneous-Options">Miscellaneous Options</a>.
166While there is a rich set of options available,
167the only required option is one or more
168<code>pool</code>,
169<code>server</code>,
170<code>peer</code>,
171<code>broadcast</code>
172or
173<code>manycastclient</code>
174commands.
175</p><table class="menu" border="0" cellspacing="0">
176<tr><td align="left" valign="top">&bull; <a href="#Configuration-Support" accesskey="1">Configuration Support</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
177</td></tr>
178<tr><td align="left" valign="top">&bull; <a href="#Authentication-Support" accesskey="2">Authentication Support</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
179</td></tr>
180<tr><td align="left" valign="top">&bull; <a href="#Monitoring-Support" accesskey="3">Monitoring Support</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
181</td></tr>
182<tr><td align="left" valign="top">&bull; <a href="#Access-Control-Support" accesskey="4">Access Control Support</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
183</td></tr>
184<tr><td align="left" valign="top">&bull; <a href="#Automatic-NTP-Configuration-Options" accesskey="5">Automatic NTP Configuration Options</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
185</td></tr>
186<tr><td align="left" valign="top">&bull; <a href="#Reference-Clock-Support" accesskey="6">Reference Clock Support</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
187</td></tr>
188<tr><td align="left" valign="top">&bull; <a href="#Miscellaneous-Options" accesskey="7">Miscellaneous Options</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
189</td></tr>
190<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Files" accesskey="8">ntp.conf Files</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
191</td></tr>
192<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-See-Also" accesskey="9">ntp.conf See Also</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
193</td></tr>
194<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Bugs">ntp.conf Bugs</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
195</td></tr>
196<tr><td align="left" valign="top">&bull; :</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
197</td></tr>
198</table>
199
200<hr>
201<a name="Configuration-Support"></a>
202<div class="header">
203<p>
204Next: <a href="#Authentication-Support" accesskey="n" rel="next">Authentication Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
205</div>
206<a name="Configuration-Support-1"></a>
207<h4 class="subsection">1.1.1 Configuration Support</h4>
208<p>Following is a description of the configuration commands in
209NTPv4.
210These commands have the same basic functions as in NTPv3 and
211in some cases new functions and new arguments.
212There are two
213classes of commands, configuration commands that configure a
214persistent association with a remote server or peer or reference
215clock, and auxiliary commands that specify environmental variables
216that control various related operations.
217</p><a name="Configuration-Commands"></a>
218<h4 class="subsubsection">1.1.1.1 Configuration Commands</h4>
219<p>The various modes are determined by the command keyword and the
220type of the required IP address.
221Addresses are classed by type as
222(s) a remote server or peer (IPv4 class A, B and C), (b) the
223broadcast address of a local interface, (m) a multicast address (IPv4
224class D), or (r) a reference clock address (127.127.x.x).
225Note that
226only those options applicable to each command are listed below.
227Use
228of options not listed may not be caught as an error, but may result
229in some weird and even destructive behavior.
230</p>
231<p>If the Basic Socket Interface Extensions for IPv6 (RFC-2553)
232is detected, support for the IPv6 address family is generated
233in addition to the default support of the IPv4 address family.
234In a few cases, including the
235<code>reslist</code>
236billboard generated
237by
238<code>ntpq(1ntpqmdoc)</code>
239or
240<code>ntpdc(1ntpdcmdoc)</code>,
241IPv6 addresses are automatically generated.
242IPv6 addresses can be identified by the presence of colons
243&ldquo;:&rdquo;
244in the address field.
245IPv6 addresses can be used almost everywhere where
246IPv4 addresses can be used,
247with the exception of reference clock addresses,
248which are always IPv4.
249</p>
250<p>Note that in contexts where a host name is expected, a
251<code>-4</code>
252qualifier preceding
253the host name forces DNS resolution to the IPv4 namespace,
254while a
255<code>-6</code>
256qualifier forces DNS resolution to the IPv6 namespace.
257See IPv6 references for the
258equivalent classes for that address family.
259</p><dl compact="compact">
260<dt><code>pool</code> <kbd>address</kbd> <code>[<code>burst</code>]</code> <code>[<code>iburst</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>xmtnonce</code>]</code></dt>
261<dt><code>server</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>burst</code>]</code> <code>[<code>iburst</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>true</code>]</code> <code>[<code>xmtnonce</code>]</code></dt>
262<dt><code>peer</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>true</code>]</code> <code>[<code>xleave</code>]</code></dt>
263<dt><code>broadcast</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>ttl</code> <kbd>ttl</kbd>]</code> <code>[<code>xleave</code>]</code></dt>
264<dt><code>manycastclient</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>ttl</code> <kbd>ttl</kbd>]</code></dt>
265</dl>
266
267<p>These five commands specify the time server name or address to
268be used and the mode in which to operate.
269The
270<kbd>address</kbd>
271can be
272either a DNS name or an IP address in dotted-quad notation.
273Additional information on association behavior can be found in the
274&quot;Association Management&quot;
275page
276(available as part of the HTML documentation
277provided in
278<samp>/usr/share/doc/ntp</samp>).
279</p><dl compact="compact">
280<dt><code>pool</code></dt>
281<dd><p>For type s addresses, this command mobilizes a persistent
282client mode association with a number of remote servers.
283In this mode the local clock can synchronized to the
284remote server, but the remote server can never be synchronized to
285the local clock.
286</p></dd>
287<dt><code>server</code></dt>
288<dd><p>For type s and r addresses, this command mobilizes a persistent
289client mode association with the specified remote server or local
290radio clock.
291In this mode the local clock can synchronized to the
292remote server, but the remote server can never be synchronized to
293the local clock.
294This command should
295<em>not</em>
296be used for type
297b or m addresses.
298</p></dd>
299<dt><code>peer</code></dt>
300<dd><p>For type s addresses (only), this command mobilizes a
301persistent symmetric-active mode association with the specified
302remote peer.
303In this mode the local clock can be synchronized to
304the remote peer or the remote peer can be synchronized to the local
305clock.
306This is useful in a network of servers where, depending on
307various failure scenarios, either the local or remote peer may be
308the better source of time.
309This command should NOT be used for type
310b, m or r addresses.
311</p></dd>
312<dt><code>broadcast</code></dt>
313<dd><p>For type b and m addresses (only), this
314command mobilizes a persistent broadcast mode association.
315Multiple
316commands can be used to specify multiple local broadcast interfaces
317(subnets) and/or multiple multicast groups.
318Note that local
319broadcast messages go only to the interface associated with the
320subnet specified, but multicast messages go to all interfaces.
321In broadcast mode the local server sends periodic broadcast
322messages to a client population at the
323<kbd>address</kbd>
324specified, which is usually the broadcast address on (one of) the
325local network(s) or a multicast address assigned to NTP.
326The IANA
327has assigned the multicast group address IPv4 224.0.1.1 and
328IPv6 ff05::101 (site local) exclusively to
329NTP, but other nonconflicting addresses can be used to contain the
330messages within administrative boundaries.
331Ordinarily, this
332specification applies only to the local server operating as a
333sender; for operation as a broadcast client, see the
334<code>broadcastclient</code>
335or
336<code>multicastclient</code>
337commands
338below.
339</p></dd>
340<dt><code>manycastclient</code></dt>
341<dd><p>For type m addresses (only), this command mobilizes a
342manycast client mode association for the multicast address
343specified.
344In this case a specific address must be supplied which
345matches the address used on the
346<code>manycastserver</code>
347command for
348the designated manycast servers.
349The NTP multicast address
350224.0.1.1 assigned by the IANA should NOT be used, unless specific
351means are taken to avoid spraying large areas of the Internet with
352these messages and causing a possibly massive implosion of replies
353at the sender.
354The
355<code>manycastserver</code>
356command specifies that the local server
357is to operate in client mode with the remote servers that are
358discovered as the result of broadcast/multicast messages.
359The
360client broadcasts a request message to the group address associated
361with the specified
362<kbd>address</kbd>
363and specifically enabled
364servers respond to these messages.
365The client selects the servers
366providing the best time and continues as with the
367<code>server</code>
368command.
369The remaining servers are discarded as if never
370heard.
371</p></dd>
372</dl>
373
374<p>Options:
375</p><dl compact="compact">
376<dt><code>autokey</code></dt>
377<dd><p>All packets sent to and received from the server or peer are to
378include authentication fields encrypted using the autokey scheme
379described in
380&lsquo;Authentication Options&rsquo;.
381</p></dd>
382<dt><code>burst</code></dt>
383<dd><p>when the server is reachable, send a burst of eight packets
384instead of the usual one.
385The packet spacing is normally 2 s;
386however, the spacing between the first and second packets
387can be changed with the
388<code>calldelay</code>
389command to allow
390additional time for a modem or ISDN call to complete.
391This is designed to improve timekeeping quality
392with the
393<code>server</code>
394command and s addresses.
395</p></dd>
396<dt><code>iburst</code></dt>
397<dd><p>When the server is unreachable, send a burst of eight packets
398instead of the usual one.
399The packet spacing is normally 2 s;
400however, the spacing between the first two packets can be
401changed with the
402<code>calldelay</code>
403command to allow
404additional time for a modem or ISDN call to complete.
405This is designed to speed the initial synchronization
406acquisition with the
407<code>server</code>
408command and s addresses and when
409<code>ntpd(1ntpdmdoc)</code>
410is started with the
411<code>-q</code>
412option.
413</p></dd>
414<dt><code>key</code> <kbd>key</kbd></dt>
415<dd><p>All packets sent to and received from the server or peer are to
416include authentication fields encrypted using the specified
417<kbd>key</kbd>
418identifier with values from 1 to 65535, inclusive.
419The
420default is to include no encryption field.
421</p></dd>
422<dt><code>minpoll</code> <kbd>minpoll</kbd></dt>
423<dt><code>maxpoll</code> <kbd>maxpoll</kbd></dt>
424<dd><p>These options specify the minimum and maximum poll intervals
425for NTP messages, as a power of 2 in seconds
426The maximum poll
427interval defaults to 10 (1,024 s), but can be increased by the
428<code>maxpoll</code>
429option to an upper limit of 17 (36.4 h).
430The
431minimum poll interval defaults to 6 (64 s), but can be decreased by
432the
433<code>minpoll</code>
434option to a lower limit of 4 (16 s).
435</p></dd>
436<dt><code>noselect</code></dt>
437<dd><p>Marks the server as unused, except for display purposes.
438The server is discarded by the selection algroithm.
439</p></dd>
440<dt><code>preempt</code></dt>
441<dd><p>Says the association can be preempted.
442</p></dd>
443<dt><code>prefer</code></dt>
444<dd><p>Marks the server as preferred.
445All other things being equal,
446this host will be chosen for synchronization among a set of
447correctly operating hosts.
448See the
449&quot;Mitigation Rules and the prefer Keyword&quot;
450page
451(available as part of the HTML documentation
452provided in
453<samp>/usr/share/doc/ntp</samp>)
454for further information.
455</p></dd>
456<dt><code>true</code></dt>
457<dd><p>Marks the server as a truechimer,
458forcing the association to always survive the selection and clustering algorithms.
459This option should almost certainly
460<em>only</em>
461be used while testing an association.
462</p></dd>
463<dt><code>ttl</code> <kbd>ttl</kbd></dt>
464<dd><p>This option is used only with broadcast server and manycast
465client modes.
466It specifies the time-to-live
467<kbd>ttl</kbd>
468to
469use on broadcast server and multicast server and the maximum
470<kbd>ttl</kbd>
471for the expanding ring search with manycast
472client packets.
473Selection of the proper value, which defaults to
474127, is something of a black art and should be coordinated with the
475network administrator.
476</p></dd>
477<dt><code>version</code> <kbd>version</kbd></dt>
478<dd><p>Specifies the version number to be used for outgoing NTP
479packets.
480Versions 1-4 are the choices, with version 4 the
481default.
482</p></dd>
483<dt><code>xleave</code></dt>
484<dd><p>Valid in
485<code>peer</code>
486and
487<code>broadcast</code>
488modes only, this flag enables interleave mode.
489</p></dd>
490<dt><code>xmtnonce</code></dt>
491<dd><p>Valid only for
492<code>server</code>
493and
494<code>pool</code>
495modes, this flag puts a random number in the packet&rsquo;s transmit timestamp.
496</p>
497</dd>
498</dl>
499<a name="Auxiliary-Commands"></a>
500<h4 class="subsubsection">1.1.1.2 Auxiliary Commands</h4>
501<dl compact="compact">
502<dt><code>broadcastclient</code></dt>
503<dd><p>This command enables reception of broadcast server messages to
504any local interface (type b) address.
505Upon receiving a message for
506the first time, the broadcast client measures the nominal server
507propagation delay using a brief client/server exchange with the
508server, then enters the broadcast client mode, in which it
509synchronizes to succeeding broadcast messages.
510Note that, in order
511to avoid accidental or malicious disruption in this mode, both the
512server and client should operate using symmetric-key or public-key
513authentication as described in
514&lsquo;Authentication Options&rsquo;.
515</p></dd>
516<dt><code>manycastserver</code> <kbd>address</kbd> <kbd>...</kbd></dt>
517<dd><p>This command enables reception of manycast client messages to
518the multicast group address(es) (type m) specified.
519At least one
520address is required, but the NTP multicast address 224.0.1.1
521assigned by the IANA should NOT be used, unless specific means are
522taken to limit the span of the reply and avoid a possibly massive
523implosion at the original sender.
524Note that, in order to avoid
525accidental or malicious disruption in this mode, both the server
526and client should operate using symmetric-key or public-key
527authentication as described in
528&lsquo;Authentication Options&rsquo;.
529</p></dd>
530<dt><code>multicastclient</code> <kbd>address</kbd> <kbd>...</kbd></dt>
531<dd><p>This command enables reception of multicast server messages to
532the multicast group address(es) (type m) specified.
533Upon receiving
534a message for the first time, the multicast client measures the
535nominal server propagation delay using a brief client/server
536exchange with the server, then enters the broadcast client mode, in
537which it synchronizes to succeeding multicast messages.
538Note that,
539in order to avoid accidental or malicious disruption in this mode,
540both the server and client should operate using symmetric-key or
541public-key authentication as described in
542&lsquo;Authentication Options&rsquo;.
543</p></dd>
544<dt><code>mdnstries</code> <kbd>number</kbd></dt>
545<dd><p>If we are participating in mDNS,
546after we have synched for the first time
547we attempt to register with the mDNS system.
548If that registration attempt fails,
549we try again at one minute intervals for up to
550<code>mdnstries</code>
551times.
552After all,
553<code>ntpd</code>
554may be starting before mDNS.
555The default value for
556<code>mdnstries</code>
557is 5.
558</p></dd>
559</dl>
560<hr>
561<a name="Authentication-Support"></a>
562<div class="header">
563<p>
564Next: <a href="#Monitoring-Support" accesskey="n" rel="next">Monitoring Support</a>, Previous: <a href="#Configuration-Support" accesskey="p" rel="prev">Configuration Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
565</div>
566<a name="Authentication-Support-1"></a>
567<h4 class="subsection">1.1.2 Authentication Support</h4>
568<p>Authentication support allows the NTP client to verify that the
569server is in fact known and trusted and not an intruder intending
570accidentally or on purpose to masquerade as that server.
571The NTPv3
572specification RFC-1305 defines a scheme which provides
573cryptographic authentication of received NTP packets.
574Originally,
575this was done using the Data Encryption Standard (DES) algorithm
576operating in Cipher Block Chaining (CBC) mode, commonly called
577DES-CBC.
578Subsequently, this was replaced by the RSA Message Digest
5795 (MD5) algorithm using a private key, commonly called keyed-MD5.
580Either algorithm computes a message digest, or one-way hash, which
581can be used to verify the server has the correct private key and
582key identifier.
583</p>
584<p>NTPv4 retains the NTPv3 scheme, properly described as symmetric key
585cryptography and, in addition, provides a new Autokey scheme
586based on public key cryptography.
587Public key cryptography is generally considered more secure
588than symmetric key cryptography, since the security is based
589on a private value which is generated by each server and
590never revealed.
591With Autokey all key distribution and
592management functions involve only public values, which
593considerably simplifies key distribution and storage.
594Public key management is based on X.509 certificates,
595which can be provided by commercial services or
596produced by utility programs in the OpenSSL software library
597or the NTPv4 distribution.
598</p>
599<p>While the algorithms for symmetric key cryptography are
600included in the NTPv4 distribution, public key cryptography
601requires the OpenSSL software library to be installed
602before building the NTP distribution.
603Directions for doing that
604are on the Building and Installing the Distribution page.
605</p>
606<p>Authentication is configured separately for each association
607using the
608<code>key</code>
609or
610<code>autokey</code>
611subcommand on the
612<code>peer</code>,
613<code>server</code>,
614<code>broadcast</code>
615and
616<code>manycastclient</code>
617configuration commands as described in
618&lsquo;Configuration Options&rsquo;
619page.
620The authentication
621options described below specify the locations of the key files,
622if other than default, which symmetric keys are trusted
623and the interval between various operations, if other than default.
624</p>
625<p>Authentication is always enabled,
626although ineffective if not configured as
627described below.
628If a NTP packet arrives
629including a message authentication
630code (MAC), it is accepted only if it
631passes all cryptographic checks.
632The
633checks require correct key ID, key value
634and message digest.
635If the packet has
636been modified in any way or replayed
637by an intruder, it will fail one or more
638of these checks and be discarded.
639Furthermore, the Autokey scheme requires a
640preliminary protocol exchange to obtain
641the server certificate, verify its
642credentials and initialize the protocol
643</p>
644<p>The
645<code>auth</code>
646flag controls whether new associations or
647remote configuration commands require cryptographic authentication.
648This flag can be set or reset by the
649<code>enable</code>
650and
651<code>disable</code>
652commands and also by remote
653configuration commands sent by a
654<code>ntpdc(1ntpdcmdoc)</code>
655program running on
656another machine.
657If this flag is enabled, which is the default
658case, new broadcast client and symmetric passive associations and
659remote configuration commands must be cryptographically
660authenticated using either symmetric key or public key cryptography.
661If this
662flag is disabled, these operations are effective
663even if not cryptographic
664authenticated.
665It should be understood
666that operating with the
667<code>auth</code>
668flag disabled invites a significant vulnerability
669where a rogue hacker can
670masquerade as a falseticker and seriously
671disrupt system timekeeping.
672It is
673important to note that this flag has no purpose
674other than to allow or disallow
675a new association in response to new broadcast
676and symmetric active messages
677and remote configuration commands and, in particular,
678the flag has no effect on
679the authentication process itself.
680</p>
681<p>An attractive alternative where multicast support is available
682is manycast mode, in which clients periodically troll
683for servers as described in the
684<a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a>
685page.
686Either symmetric key or public key
687cryptographic authentication can be used in this mode.
688The principle advantage
689of manycast mode is that potential servers need not be
690configured in advance,
691since the client finds them during regular operation,
692and the configuration
693files for all clients can be identical.
694</p>
695<p>The security model and protocol schemes for
696both symmetric key and public key
697cryptography are summarized below;
698further details are in the briefings, papers
699and reports at the NTP project page linked from
700<code>http://www.ntp.org/</code>.
701</p><a name="Symmetric_002dKey-Cryptography"></a>
702<h4 class="subsubsection">1.1.2.1 Symmetric-Key Cryptography</h4>
703<p>The original RFC-1305 specification allows any one of possibly
70465,535 keys, each distinguished by a 32-bit key identifier, to
705authenticate an association.
706The servers and clients involved must
707agree on the key and key identifier to
708authenticate NTP packets.
709Keys and
710related information are specified in a key
711file, usually called
712<samp>ntp.keys</samp>,
713which must be distributed and stored using
714secure means beyond the scope of the NTP protocol itself.
715Besides the keys used
716for ordinary NTP associations,
717additional keys can be used as passwords for the
718<code>ntpq(1ntpqmdoc)</code>
719and
720<code>ntpdc(1ntpdcmdoc)</code>
721utility programs.
722</p>
723<p>When
724<code>ntpd(1ntpdmdoc)</code>
725is first started, it reads the key file specified in the
726<code>keys</code>
727configuration command and installs the keys
728in the key cache.
729However,
730individual keys must be activated with the
731<code>trusted</code>
732command before use.
733This
734allows, for instance, the installation of possibly
735several batches of keys and
736then activating or deactivating each batch
737remotely using
738<code>ntpdc(1ntpdcmdoc)</code>.
739This also provides a revocation capability that can be used
740if a key becomes compromised.
741The
742<code>requestkey</code>
743command selects the key used as the password for the
744<code>ntpdc(1ntpdcmdoc)</code>
745utility, while the
746<code>controlkey</code>
747command selects the key used as the password for the
748<code>ntpq(1ntpqmdoc)</code>
749utility.
750</p><a name="Public-Key-Cryptography"></a>
751<h4 class="subsubsection">1.1.2.2 Public Key Cryptography</h4>
752<p>NTPv4 supports the original NTPv3 symmetric key scheme
753described in RFC-1305 and in addition the Autokey protocol,
754which is based on public key cryptography.
755The Autokey Version 2 protocol described on the Autokey Protocol
756page verifies packet integrity using MD5 message digests
757and verifies the source with digital signatures and any of several
758digest/signature schemes.
759Optional identity schemes described on the Identity Schemes
760page and based on cryptographic challenge/response algorithms
761are also available.
762Using all of these schemes provides strong security against
763replay with or without modification, spoofing, masquerade
764and most forms of clogging attacks.
765</p>
766<p>The Autokey protocol has several modes of operation
767corresponding to the various NTP modes supported.
768Most modes use a special cookie which can be
769computed independently by the client and server,
770but encrypted in transmission.
771All modes use in addition a variant of the S-KEY scheme,
772in which a pseudo-random key list is generated and used
773in reverse order.
774These schemes are described along with an executive summary,
775current status, briefing slides and reading list on the
776&lsquo;Autonomous Authentication&rsquo;
777page.
778</p>
779<p>The specific cryptographic environment used by Autokey servers
780and clients is determined by a set of files
781and soft links generated by the
782<code>ntp-keygen(1ntpkeygenmdoc)</code>
783program.
784This includes a required host key file,
785required certificate file and optional sign key file,
786leapsecond file and identity scheme files.
787The
788digest/signature scheme is specified in the X.509 certificate
789along with the matching sign key.
790There are several schemes
791available in the OpenSSL software library, each identified
792by a specific string such as
793<code>md5WithRSAEncryption</code>,
794which stands for the MD5 message digest with RSA
795encryption scheme.
796The current NTP distribution supports
797all the schemes in the OpenSSL library, including
798those based on RSA and DSA digital signatures.
799</p>
800<p>NTP secure groups can be used to define cryptographic compartments
801and security hierarchies.
802It is important that every host
803in the group be able to construct a certificate trail to one
804or more trusted hosts in the same group.
805Each group
806host runs the Autokey protocol to obtain the certificates
807for all hosts along the trail to one or more trusted hosts.
808This requires the configuration file in all hosts to be
809engineered so that, even under anticipated failure conditions,
810the NTP subnet will form such that every group host can find
811a trail to at least one trusted host.
812</p><a name="Naming-and-Addressing"></a>
813<h4 class="subsubsection">1.1.2.3 Naming and Addressing</h4>
814<p>It is important to note that Autokey does not use DNS to
815resolve addresses, since DNS can&rsquo;t be completely trusted
816until the name servers have synchronized clocks.
817The cryptographic name used by Autokey to bind the host identity
818credentials and cryptographic values must be independent
819of interface, network and any other naming convention.
820The name appears in the host certificate in either or both
821the subject and issuer fields, so protection against
822DNS compromise is essential.
823</p>
824<p>By convention, the name of an Autokey host is the name returned
825by the Unix
826<code>gethostname(2)</code>
827system call or equivalent in other systems.
828By the system design
829model, there are no provisions to allow alternate names or aliases.
830However, this is not to say that DNS aliases, different names
831for each interface, etc., are constrained in any way.
832</p>
833<p>It is also important to note that Autokey verifies authenticity
834using the host name, network address and public keys,
835all of which are bound together by the protocol specifically
836to deflect masquerade attacks.
837For this reason Autokey
838includes the source and destination IP addresses in message digest
839computations and so the same addresses must be available
840at both the server and client.
841For this reason operation
842with network address translation schemes is not possible.
843This reflects the intended robust security model where government
844and corporate NTP servers are operated outside firewall perimeters.
845</p><a name="Operation"></a>
846<h4 class="subsubsection">1.1.2.4 Operation</h4>
847<p>A specific combination of authentication scheme (none,
848symmetric key, public key) and identity scheme is called
849a cryptotype, although not all combinations are compatible.
850There may be management configurations where the clients,
851servers and peers may not all support the same cryptotypes.
852A secure NTPv4 subnet can be configured in many ways while
853keeping in mind the principles explained above and
854in this section.
855Note however that some cryptotype
856combinations may successfully interoperate with each other,
857but may not represent good security practice.
858</p>
859<p>The cryptotype of an association is determined at the time
860of mobilization, either at configuration time or some time
861later when a message of appropriate cryptotype arrives.
862When mobilized by a
863<code>server</code>
864or
865<code>peer</code>
866configuration command and no
867<code>key</code>
868or
869<code>autokey</code>
870subcommands are present, the association is not
871authenticated; if the
872<code>key</code>
873subcommand is present, the association is authenticated
874using the symmetric key ID specified; if the
875<code>autokey</code>
876subcommand is present, the association is authenticated
877using Autokey.
878</p>
879<p>When multiple identity schemes are supported in the Autokey
880protocol, the first message exchange determines which one is used.
881The client request message contains bits corresponding
882to which schemes it has available.
883The server response message
884contains bits corresponding to which schemes it has available.
885Both server and client match the received bits with their own
886and select a common scheme.
887</p>
888<p>Following the principle that time is a public value,
889a server responds to any client packet that matches
890its cryptotype capabilities.
891Thus, a server receiving
892an unauthenticated packet will respond with an unauthenticated
893packet, while the same server receiving a packet of a cryptotype
894it supports will respond with packets of that cryptotype.
895However, unconfigured broadcast or manycast client
896associations or symmetric passive associations will not be
897mobilized unless the server supports a cryptotype compatible
898with the first packet received.
899By default, unauthenticated associations will not be mobilized
900unless overridden in a decidedly dangerous way.
901</p>
902<p>Some examples may help to reduce confusion.
903Client Alice has no specific cryptotype selected.
904Server Bob has both a symmetric key file and minimal Autokey files.
905Alice&rsquo;s unauthenticated messages arrive at Bob, who replies with
906unauthenticated messages.
907Cathy has a copy of Bob&rsquo;s symmetric
908key file and has selected key ID 4 in messages to Bob.
909Bob verifies the message with his key ID 4.
910If it&rsquo;s the
911same key and the message is verified, Bob sends Cathy a reply
912authenticated with that key.
913If verification fails,
914Bob sends Cathy a thing called a crypto-NAK, which tells her
915something broke.
916She can see the evidence using the
917<code>ntpq(1ntpqmdoc)</code>
918program.
919</p>
920<p>Denise has rolled her own host key and certificate.
921She also uses one of the identity schemes as Bob.
922She sends the first Autokey message to Bob and they
923both dance the protocol authentication and identity steps.
924If all comes out okay, Denise and Bob continue as described above.
925</p>
926<p>It should be clear from the above that Bob can support
927all the girls at the same time, as long as he has compatible
928authentication and identity credentials.
929Now, Bob can act just like the girls in his own choice of servers;
930he can run multiple configured associations with multiple different
931servers (or the same server, although that might not be useful).
932But, wise security policy might preclude some cryptotype
933combinations; for instance, running an identity scheme
934with one server and no authentication with another might not be wise.
935</p><a name="Key-Management"></a>
936<h4 class="subsubsection">1.1.2.5 Key Management</h4>
937<p>The cryptographic values used by the Autokey protocol are
938incorporated as a set of files generated by the
939<code>ntp-keygen(1ntpkeygenmdoc)</code>
940utility program, including symmetric key, host key and
941public certificate files, as well as sign key, identity parameters
942and leapseconds files.
943Alternatively, host and sign keys and
944certificate files can be generated by the OpenSSL utilities
945and certificates can be imported from public certificate
946authorities.
947Note that symmetric keys are necessary for the
948<code>ntpq(1ntpqmdoc)</code>
949and
950<code>ntpdc(1ntpdcmdoc)</code>
951utility programs.
952The remaining files are necessary only for the
953Autokey protocol.
954</p>
955<p>Certificates imported from OpenSSL or public certificate
956authorities have certian limitations.
957The certificate should be in ASN.1 syntax, X.509 Version 3
958format and encoded in PEM, which is the same format
959used by OpenSSL.
960The overall length of the certificate encoded
961in ASN.1 must not exceed 1024 bytes.
962The subject distinguished
963name field (CN) is the fully qualified name of the host
964on which it is used; the remaining subject fields are ignored.
965The certificate extension fields must not contain either
966a subject key identifier or a issuer key identifier field;
967however, an extended key usage field for a trusted host must
968contain the value
969<code>trustRoot</code>;.
970Other extension fields are ignored.
971</p><a name="Authentication-Commands"></a>
972<h4 class="subsubsection">1.1.2.6 Authentication Commands</h4>
973<dl compact="compact">
974<dt><code>autokey</code> <code>[<kbd>logsec</kbd>]</code></dt>
975<dd><p>Specifies the interval between regenerations of the session key
976list used with the Autokey protocol.
977Note that the size of the key
978list for each association depends on this interval and the current
979poll interval.
980The default value is 12 (4096 s or about 1.1 hours).
981For poll intervals above the specified interval, a session key list
982with a single entry will be regenerated for every message
983sent.
984</p></dd>
985<dt><code>controlkey</code> <kbd>key</kbd></dt>
986<dd><p>Specifies the key identifier to use with the
987<code>ntpq(1ntpqmdoc)</code>
988utility, which uses the standard
989protocol defined in RFC-1305.
990The
991<kbd>key</kbd>
992argument is
993the key identifier for a trusted key, where the value can be in the
994range 1 to 65,535, inclusive.
995</p></dd>
996<dt><code>crypto</code> <code>[<code>cert</code> <kbd>file</kbd>]</code> <code>[<code>leap</code> <kbd>file</kbd>]</code> <code>[<code>randfile</code> <kbd>file</kbd>]</code> <code>[<code>host</code> <kbd>file</kbd>]</code> <code>[<code>sign</code> <kbd>file</kbd>]</code> <code>[<code>gq</code> <kbd>file</kbd>]</code> <code>[<code>gqpar</code> <kbd>file</kbd>]</code> <code>[<code>iffpar</code> <kbd>file</kbd>]</code> <code>[<code>mvpar</code> <kbd>file</kbd>]</code> <code>[<code>pw</code> <kbd>password</kbd>]</code></dt>
997<dd><p>This command requires the OpenSSL library.
998It activates public key
999cryptography, selects the message digest and signature
1000encryption scheme and loads the required private and public
1001values described above.
1002If one or more files are left unspecified,
1003the default names are used as described above.
1004Unless the complete path and name of the file are specified, the
1005location of a file is relative to the keys directory specified
1006in the
1007<code>keysdir</code>
1008command or default
1009<samp>/usr/local/etc</samp>.
1010Following are the subcommands:
1011</p><dl compact="compact">
1012<dt><code>cert</code> <kbd>file</kbd></dt>
1013<dd><p>Specifies the location of the required host public certificate file.
1014This overrides the link
1015<samp>ntpkey_cert_</samp><kbd>hostname</kbd>
1016in the keys directory.
1017</p></dd>
1018<dt><code>gqpar</code> <kbd>file</kbd></dt>
1019<dd><p>Specifies the location of the optional GQ parameters file.
1020This
1021overrides the link
1022<samp>ntpkey_gq_</samp><kbd>hostname</kbd>
1023in the keys directory.
1024</p></dd>
1025<dt><code>host</code> <kbd>file</kbd></dt>
1026<dd><p>Specifies the location of the required host key file.
1027This overrides
1028the link
1029<samp>ntpkey_key_</samp><kbd>hostname</kbd>
1030in the keys directory.
1031</p></dd>
1032<dt><code>iffpar</code> <kbd>file</kbd></dt>
1033<dd><p>Specifies the location of the optional IFF parameters file.
1034This overrides the link
1035<samp>ntpkey_iff_</samp><kbd>hostname</kbd>
1036in the keys directory.
1037</p></dd>
1038<dt><code>leap</code> <kbd>file</kbd></dt>
1039<dd><p>Specifies the location of the optional leapsecond file.
1040This overrides the link
1041<samp>ntpkey_leap</samp>
1042in the keys directory.
1043</p></dd>
1044<dt><code>mvpar</code> <kbd>file</kbd></dt>
1045<dd><p>Specifies the location of the optional MV parameters file.
1046This overrides the link
1047<samp>ntpkey_mv_</samp><kbd>hostname</kbd>
1048in the keys directory.
1049</p></dd>
1050<dt><code>pw</code> <kbd>password</kbd></dt>
1051<dd><p>Specifies the password to decrypt files containing private keys and
1052identity parameters.
1053This is required only if these files have been
1054encrypted.
1055</p></dd>
1056<dt><code>randfile</code> <kbd>file</kbd></dt>
1057<dd><p>Specifies the location of the random seed file used by the OpenSSL
1058library.
1059The defaults are described in the main text above.
1060</p></dd>
1061<dt><code>sign</code> <kbd>file</kbd></dt>
1062<dd><p>Specifies the location of the optional sign key file.
1063This overrides
1064the link
1065<samp>ntpkey_sign_</samp><kbd>hostname</kbd>
1066in the keys directory.
1067If this file is
1068not found, the host key is also the sign key.
1069</p></dd>
1070</dl>
1071</dd>
1072<dt><code>keys</code> <kbd>keyfile</kbd></dt>
1073<dd><p>Specifies the complete path and location of the MD5 key file
1074containing the keys and key identifiers used by
1075<code>ntpd(1ntpdmdoc)</code>,
1076<code>ntpq(1ntpqmdoc)</code>
1077and
1078<code>ntpdc(1ntpdcmdoc)</code>
1079when operating with symmetric key cryptography.
1080This is the same operation as the
1081<code>-k</code>
1082command line option.
1083</p></dd>
1084<dt><code>keysdir</code> <kbd>path</kbd></dt>
1085<dd><p>This command specifies the default directory path for
1086cryptographic keys, parameters and certificates.
1087The default is
1088<samp>/usr/local/etc/</samp>.
1089</p></dd>
1090<dt><code>requestkey</code> <kbd>key</kbd></dt>
1091<dd><p>Specifies the key identifier to use with the
1092<code>ntpdc(1ntpdcmdoc)</code>
1093utility program, which uses a
1094proprietary protocol specific to this implementation of
1095<code>ntpd(1ntpdmdoc)</code>.
1096The
1097<kbd>key</kbd>
1098argument is a key identifier
1099for the trusted key, where the value can be in the range 1 to
110065,535, inclusive.
1101</p></dd>
1102<dt><code>revoke</code> <kbd>logsec</kbd></dt>
1103<dd><p>Specifies the interval between re-randomization of certain
1104cryptographic values used by the Autokey scheme, as a power of 2 in
1105seconds.
1106These values need to be updated frequently in order to
1107deflect brute-force attacks on the algorithms of the scheme;
1108however, updating some values is a relatively expensive operation.
1109The default interval is 16 (65,536 s or about 18 hours).
1110For poll
1111intervals above the specified interval, the values will be updated
1112for every message sent.
1113</p></dd>
1114<dt><code>trustedkey</code> <kbd>key</kbd> <kbd>...</kbd></dt>
1115<dd><p>Specifies the key identifiers which are trusted for the
1116purposes of authenticating peers with symmetric key cryptography,
1117as well as keys used by the
1118<code>ntpq(1ntpqmdoc)</code>
1119and
1120<code>ntpdc(1ntpdcmdoc)</code>
1121programs.
1122The authentication procedures require that both the local
1123and remote servers share the same key and key identifier for this
1124purpose, although different keys can be used with different
1125servers.
1126The
1127<kbd>key</kbd>
1128arguments are 32-bit unsigned
1129integers with values from 1 to 65,535.
1130</p></dd>
1131</dl>
1132<a name="Error-Codes"></a>
1133<h4 class="subsubsection">1.1.2.7 Error Codes</h4>
1134<p>The following error codes are reported via the NTP control
1135and monitoring protocol trap mechanism.
1136</p><dl compact="compact">
1137<dt>101</dt>
1138<dd><p>(bad field format or length)
1139The packet has invalid version, length or format.
1140</p></dd>
1141<dt>102</dt>
1142<dd><p>(bad timestamp)
1143The packet timestamp is the same or older than the most recent received.
1144This could be due to a replay or a server clock time step.
1145</p></dd>
1146<dt>103</dt>
1147<dd><p>(bad filestamp)
1148The packet filestamp is the same or older than the most recent received.
1149This could be due to a replay or a key file generation error.
1150</p></dd>
1151<dt>104</dt>
1152<dd><p>(bad or missing public key)
1153The public key is missing, has incorrect format or is an unsupported type.
1154</p></dd>
1155<dt>105</dt>
1156<dd><p>(unsupported digest type)
1157The server requires an unsupported digest/signature scheme.
1158</p></dd>
1159<dt>106</dt>
1160<dd><p>(mismatched digest types)
1161Not used.
1162</p></dd>
1163<dt>107</dt>
1164<dd><p>(bad signature length)
1165The signature length does not match the current public key.
1166</p></dd>
1167<dt>108</dt>
1168<dd><p>(signature not verified)
1169The message fails the signature check.
1170It could be bogus or signed by a
1171different private key.
1172</p></dd>
1173<dt>109</dt>
1174<dd><p>(certificate not verified)
1175The certificate is invalid or signed with the wrong key.
1176</p></dd>
1177<dt>110</dt>
1178<dd><p>(certificate not verified)
1179The certificate is not yet valid or has expired or the signature could not
1180be verified.
1181</p></dd>
1182<dt>111</dt>
1183<dd><p>(bad or missing cookie)
1184The cookie is missing, corrupted or bogus.
1185</p></dd>
1186<dt>112</dt>
1187<dd><p>(bad or missing leapseconds table)
1188The leapseconds table is missing, corrupted or bogus.
1189</p></dd>
1190<dt>113</dt>
1191<dd><p>(bad or missing certificate)
1192The certificate is missing, corrupted or bogus.
1193</p></dd>
1194<dt>114</dt>
1195<dd><p>(bad or missing identity)
1196The identity key is missing, corrupt or bogus.
1197</p></dd>
1198</dl>
1199<hr>
1200<a name="Monitoring-Support"></a>
1201<div class="header">
1202<p>
1203Next: <a href="#Access-Control-Support" accesskey="n" rel="next">Access Control Support</a>, Previous: <a href="#Authentication-Support" accesskey="p" rel="prev">Authentication Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
1204</div>
1205<a name="Monitoring-Support-1"></a>
1206<h4 class="subsection">1.1.3 Monitoring Support</h4>
1207<p><code>ntpd(1ntpdmdoc)</code>
1208includes a comprehensive monitoring facility suitable
1209for continuous, long term recording of server and client
1210timekeeping performance.
1211See the
1212<code>statistics</code>
1213command below
1214for a listing and example of each type of statistics currently
1215supported.
1216Statistic files are managed using file generation sets
1217and scripts in the
1218<samp>./scripts</samp>
1219directory of the source code distribution.
1220Using
1221these facilities and
1222<small>UNIX</small>
1223<code>cron(8)</code>
1224jobs, the data can be
1225automatically summarized and archived for retrospective analysis.
1226</p><a name="Monitoring-Commands"></a>
1227<h4 class="subsubsection">1.1.3.1 Monitoring Commands</h4>
1228<dl compact="compact">
1229<dt><code>statistics</code> <kbd>name</kbd> <kbd>...</kbd></dt>
1230<dd><p>Enables writing of statistics records.
1231Currently, eight kinds of
1232<kbd>name</kbd>
1233statistics are supported.
1234</p><dl compact="compact">
1235<dt><code>clockstats</code></dt>
1236<dd><p>Enables recording of clock driver statistics information.
1237Each update
1238received from a clock driver appends a line of the following form to
1239the file generation set named
1240<code>clockstats</code>:
1241</p><pre class="verbatim">49213 525.624 127.127.4.1 93 226 00:08:29.606 D
1242</pre>
1243<p>The first two fields show the date (Modified Julian Day) and time
1244(seconds and fraction past UTC midnight).
1245The next field shows the
1246clock address in dotted-quad notation.
1247The final field shows the last
1248timecode received from the clock in decoded ASCII format, where
1249meaningful.
1250In some clock drivers a good deal of additional information
1251can be gathered and displayed as well.
1252See information specific to each
1253clock for further details.
1254</p></dd>
1255<dt><code>cryptostats</code></dt>
1256<dd><p>This option requires the OpenSSL cryptographic software library.
1257It
1258enables recording of cryptographic public key protocol information.
1259Each message received by the protocol module appends a line of the
1260following form to the file generation set named
1261<code>cryptostats</code>:
1262</p><pre class="verbatim">49213 525.624 127.127.4.1 message
1263</pre>
1264<p>The first two fields show the date (Modified Julian Day) and time
1265(seconds and fraction past UTC midnight).
1266The next field shows the peer
1267address in dotted-quad notation, The final message field includes the
1268message type and certain ancillary information.
1269See the
1270&lsquo;Authentication Options&rsquo;
1271section for further information.
1272</p></dd>
1273<dt><code>loopstats</code></dt>
1274<dd><p>Enables recording of loop filter statistics information.
1275Each
1276update of the local clock outputs a line of the following form to
1277the file generation set named
1278<code>loopstats</code>:
1279</p><pre class="verbatim">50935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
1280</pre>
1281<p>The first two fields show the date (Modified Julian Day) and
1282time (seconds and fraction past UTC midnight).
1283The next five fields
1284show time offset (seconds), frequency offset (parts per million -
1285PPM), RMS jitter (seconds), Allan deviation (PPM) and clock
1286discipline time constant.
1287</p></dd>
1288<dt><code>peerstats</code></dt>
1289<dd><p>Enables recording of peer statistics information.
1290This includes
1291statistics records of all peers of a NTP server and of special
1292signals, where present and configured.
1293Each valid update appends a
1294line of the following form to the current element of a file
1295generation set named
1296<code>peerstats</code>:
1297</p><pre class="verbatim">48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674
1298</pre>
1299<p>The first two fields show the date (Modified Julian Day) and
1300time (seconds and fraction past UTC midnight).
1301The next two fields
1302show the peer address in dotted-quad notation and status,
1303respectively.
1304The status field is encoded in hex in the format
1305described in Appendix A of the NTP specification RFC 1305.
1306The final four fields show the offset,
1307delay, dispersion and RMS jitter, all in seconds.
1308</p></dd>
1309<dt><code>rawstats</code></dt>
1310<dd><p>Enables recording of raw-timestamp statistics information.
1311This
1312includes statistics records of all peers of a NTP server and of
1313special signals, where present and configured.
1314Each NTP message
1315received from a peer or clock driver appends a line of the
1316following form to the file generation set named
1317<code>rawstats</code>:
1318</p><pre class="verbatim">50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000
1319</pre>
1320<p>The first two fields show the date (Modified Julian Day) and
1321time (seconds and fraction past UTC midnight).
1322The next two fields
1323show the remote peer or clock address followed by the local address
1324in dotted-quad notation.
1325The final four fields show the originate,
1326receive, transmit and final NTP timestamps in order.
1327The timestamp
1328values are as received and before processing by the various data
1329smoothing and mitigation algorithms.
1330</p></dd>
1331<dt><code>sysstats</code></dt>
1332<dd><p>Enables recording of ntpd statistics counters on a periodic basis.
1333Each
1334hour a line of the following form is appended to the file generation
1335set named
1336<code>sysstats</code>:
1337</p><pre class="verbatim">50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
1338</pre>
1339<p>The first two fields show the date (Modified Julian Day) and time
1340(seconds and fraction past UTC midnight).
1341The remaining ten fields show
1342the statistics counter values accumulated since the last generated
1343line.
1344</p><dl compact="compact">
1345<dt>Time since restart <code>36000</code></dt>
1346<dd><p>Time in hours since the system was last rebooted.
1347</p></dd>
1348<dt>Packets received <code>81965</code></dt>
1349<dd><p>Total number of packets received.
1350</p></dd>
1351<dt>Packets processed <code>0</code></dt>
1352<dd><p>Number of packets received in response to previous packets sent
1353</p></dd>
1354<dt>Current version <code>9546</code></dt>
1355<dd><p>Number of packets matching the current NTP version.
1356</p></dd>
1357<dt>Previous version <code>56</code></dt>
1358<dd><p>Number of packets matching the previous NTP version.
1359</p></dd>
1360<dt>Bad version <code>71793</code></dt>
1361<dd><p>Number of packets matching neither NTP version.
1362</p></dd>
1363<dt>Access denied <code>512</code></dt>
1364<dd><p>Number of packets denied access for any reason.
1365</p></dd>
1366<dt>Bad length or format <code>540</code></dt>
1367<dd><p>Number of packets with invalid length, format or port number.
1368</p></dd>
1369<dt>Bad authentication <code>10</code></dt>
1370<dd><p>Number of packets not verified as authentic.
1371</p></dd>
1372<dt>Rate exceeded <code>147</code></dt>
1373<dd><p>Number of packets discarded due to rate limitation.
1374</p></dd>
1375</dl>
1376</dd>
1377<dt><code>statsdir</code> <kbd>directory_path</kbd></dt>
1378<dd><p>Indicates the full path of a directory where statistics files
1379should be created (see below).
1380This keyword allows
1381the (otherwise constant)
1382<code>filegen</code>
1383filename prefix to be modified for file generation sets, which
1384is useful for handling statistics logs.
1385</p></dd>
1386<dt><code>filegen</code> <kbd>name</kbd> <code>[<code>file</code> <kbd>filename</kbd>]</code> <code>[<code>type</code> <kbd>typename</kbd>]</code> <code>[<code>link</code> | <code>nolink</code>]</code> <code>[<code>enable</code> | <code>disable</code>]</code></dt>
1387<dd><p>Configures setting of generation file set name.
1388Generation
1389file sets provide a means for handling files that are
1390continuously growing during the lifetime of a server.
1391Server statistics are a typical example for such files.
1392Generation file sets provide access to a set of files used
1393to store the actual data.
1394At any time at most one element
1395of the set is being written to.
1396The type given specifies
1397when and how data will be directed to a new element of the set.
1398This way, information stored in elements of a file set
1399that are currently unused are available for administrational
1400operations without the risk of disturbing the operation of ntpd.
1401(Most important: they can be removed to free space for new data
1402produced.)
1403</p>
1404<p>Note that this command can be sent from the
1405<code>ntpdc(1ntpdcmdoc)</code>
1406program running at a remote location.
1407</p><dl compact="compact">
1408<dt><code>name</code></dt>
1409<dd><p>This is the type of the statistics records, as shown in the
1410<code>statistics</code>
1411command.
1412</p></dd>
1413<dt><code>file</code> <kbd>filename</kbd></dt>
1414<dd><p>This is the file name for the statistics records.
1415Filenames of set
1416members are built from three concatenated elements
1417<code>prefix</code>,
1418<code>filename</code>
1419and
1420<code>suffix</code>:
1421</p><dl compact="compact">
1422<dt><code>prefix</code></dt>
1423<dd><p>This is a constant filename path.
1424It is not subject to
1425modifications via the
1426<kbd>filegen</kbd>
1427option.
1428It is defined by the
1429server, usually specified as a compile-time constant.
1430It may,
1431however, be configurable for individual file generation sets
1432via other commands.
1433For example, the prefix used with
1434<kbd>loopstats</kbd>
1435and
1436<kbd>peerstats</kbd>
1437generation can be configured using the
1438<kbd>statsdir</kbd>
1439option explained above.
1440</p></dd>
1441<dt><code>filename</code></dt>
1442<dd><p>This string is directly concatenated to the prefix mentioned
1443above (no intervening
1444&lsquo;/&rsquo;).
1445This can be modified using
1446the file argument to the
1447<kbd>filegen</kbd>
1448statement.
1449No
1450<samp>..</samp>
1451elements are
1452allowed in this component to prevent filenames referring to
1453parts outside the filesystem hierarchy denoted by
1454<kbd>prefix</kbd>.
1455</p></dd>
1456<dt><code>suffix</code></dt>
1457<dd><p>This part is reflects individual elements of a file set.
1458It is
1459generated according to the type of a file set.
1460</p></dd>
1461</dl>
1462</dd>
1463<dt><code>type</code> <kbd>typename</kbd></dt>
1464<dd><p>A file generation set is characterized by its type.
1465The following
1466types are supported:
1467</p><dl compact="compact">
1468<dt><code>none</code></dt>
1469<dd><p>The file set is actually a single plain file.
1470</p></dd>
1471<dt><code>pid</code></dt>
1472<dd><p>One element of file set is used per incarnation of a ntpd
1473server.
1474This type does not perform any changes to file set
1475members during runtime, however it provides an easy way of
1476separating files belonging to different
1477<code>ntpd(1ntpdmdoc)</code>
1478server incarnations.
1479The set member filename is built by appending a
1480&lsquo;.&rsquo;
1481to concatenated
1482<kbd>prefix</kbd>
1483and
1484<kbd>filename</kbd>
1485strings, and
1486appending the decimal representation of the process ID of the
1487<code>ntpd(1ntpdmdoc)</code>
1488server process.
1489</p></dd>
1490<dt><code>day</code></dt>
1491<dd><p>One file generation set element is created per day.
1492A day is
1493defined as the period between 00:00 and 24:00 UTC.
1494The file set
1495member suffix consists of a
1496&lsquo;.&rsquo;
1497and a day specification in
1498the form
1499<code>YYYYMMdd</code>.
1500<code>YYYY</code>
1501is a 4-digit year number (e.g., 1992).
1502<code>MM</code>
1503is a two digit month number.
1504<code>dd</code>
1505is a two digit day number.
1506Thus, all information written at 10 December 1992 would end up
1507in a file named
1508<kbd>prefix</kbd>
1509<kbd>filename</kbd>.19921210.
1510</p></dd>
1511<dt><code>week</code></dt>
1512<dd><p>Any file set member contains data related to a certain week of
1513a year.
1514The term week is defined by computing day-of-year
1515modulo 7.
1516Elements of such a file generation set are
1517distinguished by appending the following suffix to the file set
1518filename base: A dot, a 4-digit year number, the letter
1519<code>W</code>,
1520and a 2-digit week number.
1521For example, information from January,
152210th 1992 would end up in a file with suffix
1523.No . Ns Ar 1992W1 .
1524</p></dd>
1525<dt><code>month</code></dt>
1526<dd><p>One generation file set element is generated per month.
1527The
1528file name suffix consists of a dot, a 4-digit year number, and
1529a 2-digit month.
1530</p></dd>
1531<dt><code>year</code></dt>
1532<dd><p>One generation file element is generated per year.
1533The filename
1534suffix consists of a dot and a 4 digit year number.
1535</p></dd>
1536<dt><code>age</code></dt>
1537<dd><p>This type of file generation sets changes to a new element of
1538the file set every 24 hours of server operation.
1539The filename
1540suffix consists of a dot, the letter
1541<code>a</code>,
1542and an 8-digit number.
1543This number is taken to be the number of seconds the server is
1544running at the start of the corresponding 24-hour period.
1545Information is only written to a file generation by specifying
1546<code>enable</code>;
1547output is prevented by specifying
1548<code>disable</code>.
1549</p></dd>
1550</dl>
1551</dd>
1552<dt><code>link</code> | <code>nolink</code></dt>
1553<dd><p>It is convenient to be able to access the current element of a file
1554generation set by a fixed name.
1555This feature is enabled by
1556specifying
1557<code>link</code>
1558and disabled using
1559<code>nolink</code>.
1560If link is specified, a
1561hard link from the current file set element to a file without
1562suffix is created.
1563When there is already a file with this name and
1564the number of links of this file is one, it is renamed appending a
1565dot, the letter
1566<code>C</code>,
1567and the pid of the
1568<code>ntpd(1ntpdmdoc)</code>
1569server process.
1570When the
1571number of links is greater than one, the file is unlinked.
1572This
1573allows the current file to be accessed by a constant name.
1574</p></dd>
1575<dt><code>enable</code> <code>|</code> <code>disable</code></dt>
1576<dd><p>Enables or disables the recording function.
1577</p></dd>
1578</dl>
1579</dd>
1580</dl>
1581</dd>
1582</dl>
1583<hr>
1584<a name="Access-Control-Support"></a>
1585<div class="header">
1586<p>
1587Next: <a href="#Automatic-NTP-Configuration-Options" accesskey="n" rel="next">Automatic NTP Configuration Options</a>, Previous: <a href="#Monitoring-Support" accesskey="p" rel="prev">Monitoring Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
1588</div>
1589<a name="Access-Control-Support-1"></a>
1590<h4 class="subsection">1.1.4 Access Control Support</h4>
1591<p>The
1592<code>ntpd(1ntpdmdoc)</code>
1593daemon implements a general purpose address/mask based restriction
1594list.
1595The list contains address/match entries sorted first
1596by increasing address values and and then by increasing mask values.
1597A match occurs when the bitwise AND of the mask and the packet
1598source address is equal to the bitwise AND of the mask and
1599address in the list.
1600The list is searched in order with the
1601last match found defining the restriction flags associated
1602with the entry.
1603Additional information and examples can be found in the
1604&quot;Notes on Configuring NTP and Setting up a NTP Subnet&quot;
1605page
1606(available as part of the HTML documentation
1607provided in
1608<samp>/usr/share/doc/ntp</samp>).
1609</p>
1610<p>The restriction facility was implemented in conformance
1611with the access policies for the original NSFnet backbone
1612time servers.
1613Later the facility was expanded to deflect
1614cryptographic and clogging attacks.
1615While this facility may
1616be useful for keeping unwanted or broken or malicious clients
1617from congesting innocent servers, it should not be considered
1618an alternative to the NTP authentication facilities.
1619Source address based restrictions are easily circumvented
1620by a determined cracker.
1621</p>
1622<p>Clients can be denied service because they are explicitly
1623included in the restrict list created by the
1624<code>restrict</code>
1625command
1626or implicitly as the result of cryptographic or rate limit
1627violations.
1628Cryptographic violations include certificate
1629or identity verification failure; rate limit violations generally
1630result from defective NTP implementations that send packets
1631at abusive rates.
1632Some violations cause denied service
1633only for the offending packet, others cause denied service
1634for a timed period and others cause the denied service for
1635an indefinite period.
1636When a client or network is denied access
1637for an indefinite period, the only way at present to remove
1638the restrictions is by restarting the server.
1639</p><a name="The-Kiss_002dof_002dDeath-Packet"></a>
1640<h4 class="subsubsection">1.1.4.1 The Kiss-of-Death Packet</h4>
1641<p>Ordinarily, packets denied service are simply dropped with no
1642further action except incrementing statistics counters.
1643Sometimes a
1644more proactive response is needed, such as a server message that
1645explicitly requests the client to stop sending and leave a message
1646for the system operator.
1647A special packet format has been created
1648for this purpose called the &quot;kiss-of-death&quot; (KoD) packet.
1649KoD packets have the leap bits set unsynchronized and stratum set
1650to zero and the reference identifier field set to a four-byte
1651ASCII code.
1652If the
1653<code>noserve</code>
1654or
1655<code>notrust</code>
1656flag of the matching restrict list entry is set,
1657the code is &quot;DENY&quot;; if the
1658<code>limited</code>
1659flag is set and the rate limit
1660is exceeded, the code is &quot;RATE&quot;.
1661Finally, if a cryptographic violation occurs, the code is &quot;CRYP&quot;.
1662</p>
1663<p>A client receiving a KoD performs a set of sanity checks to
1664minimize security exposure, then updates the stratum and
1665reference identifier peer variables, sets the access
1666denied (TEST4) bit in the peer flash variable and sends
1667a message to the log.
1668As long as the TEST4 bit is set,
1669the client will send no further packets to the server.
1670The only way at present to recover from this condition is
1671to restart the protocol at both the client and server.
1672This
1673happens automatically at the client when the association times out.
1674It will happen at the server only if the server operator cooperates.
1675</p><a name="Access-Control-Commands"></a>
1676<h4 class="subsubsection">1.1.4.2 Access Control Commands</h4>
1677<dl compact="compact">
1678<dt><code>discard</code> <code>[<code>average</code> <kbd>avg</kbd>]</code> <code>[<code>minimum</code> <kbd>min</kbd>]</code> <code>[<code>monitor</code> <kbd>prob</kbd>]</code></dt>
1679<dd><p>Set the parameters of the
1680<code>limited</code>
1681facility which protects the server from
1682client abuse.
1683The
1684<code>average</code>
1685subcommand specifies the minimum average packet
1686spacing, while the
1687<code>minimum</code>
1688subcommand specifies the minimum packet spacing.
1689Packets that violate these minima are discarded
1690and a kiss-o&rsquo;-death packet returned if enabled.
1691The default
1692minimum average and minimum are 5 and 2, respectively.
1693The
1694<code>monitor</code>
1695subcommand specifies the probability of discard
1696for packets that overflow the rate-control window.
1697</p></dd>
1698<dt><code>restrict</code> <code>address</code> <code>[<code>mask</code> <kbd>mask</kbd>]</code> <code>[<code>ippeerlimit</code> <kbd>int</kbd>]</code> <code>[<kbd>flag</kbd> <kbd>...</kbd>]</code></dt>
1699<dd><p>The
1700<kbd>address</kbd>
1701argument expressed in
1702dotted-quad form is the address of a host or network.
1703Alternatively, the
1704<kbd>address</kbd>
1705argument can be a valid host DNS name.
1706The
1707<kbd>mask</kbd>
1708argument expressed in dotted-quad form defaults to
1709<code>255.255.255.255</code>,
1710meaning that the
1711<kbd>address</kbd>
1712is treated as the address of an individual host.
1713A default entry (address
1714<code>0.0.0.0</code>,
1715mask
1716<code>0.0.0.0</code>)
1717is always included and is always the first entry in the list.
1718Note that text string
1719<code>default</code>,
1720with no mask option, may
1721be used to indicate the default entry.
1722The
1723<code>ippeerlimit</code>
1724directive limits the number of peer requests for each IP to
1725<kbd>int</kbd>,
1726where a value of -1 means &quot;unlimited&quot;, the current default.
1727A value of 0 means &quot;none&quot;.
1728There would usually be at most 1 peering request per IP,
1729but if the remote peering requests are behind a proxy
1730there could well be more than 1 per IP.
1731In the current implementation,
1732<code>flag</code>
1733always
1734restricts access, i.e., an entry with no flags indicates that free
1735access to the server is to be given.
1736The flags are not orthogonal,
1737in that more restrictive flags will often make less restrictive
1738ones redundant.
1739The flags can generally be classed into two
1740categories, those which restrict time service and those which
1741restrict informational queries and attempts to do run-time
1742reconfiguration of the server.
1743One or more of the following flags
1744may be specified:
1745</p><dl compact="compact">
1746<dt><code>ignore</code></dt>
1747<dd><p>Deny packets of all kinds, including
1748<code>ntpq(1ntpqmdoc)</code>
1749and
1750<code>ntpdc(1ntpdcmdoc)</code>
1751queries.
1752</p></dd>
1753<dt><code>kod</code></dt>
1754<dd><p>If this flag is set when an access violation occurs, a kiss-o&rsquo;-death
1755(KoD) packet is sent.
1756KoD packets are rate limited to no more than one
1757per second.
1758If another KoD packet occurs within one second after the
1759last one, the packet is dropped.
1760</p></dd>
1761<dt><code>limited</code></dt>
1762<dd><p>Deny service if the packet spacing violates the lower limits specified
1763in the
1764<code>discard</code>
1765command.
1766A history of clients is kept using the
1767monitoring capability of
1768<code>ntpd(1ntpdmdoc)</code>.
1769Thus, monitoring is always active as
1770long as there is a restriction entry with the
1771<code>limited</code>
1772flag.
1773</p></dd>
1774<dt><code>lowpriotrap</code></dt>
1775<dd><p>Declare traps set by matching hosts to be low priority.
1776The
1777number of traps a server can maintain is limited (the current limit
1778is 3).
1779Traps are usually assigned on a first come, first served
1780basis, with later trap requestors being denied service.
1781This flag
1782modifies the assignment algorithm by allowing low priority traps to
1783be overridden by later requests for normal priority traps.
1784</p></dd>
1785<dt><code>noepeer</code></dt>
1786<dd><p>Deny ephemeral peer requests,
1787even if they come from an authenticated source.
1788Note that the ability to use a symmetric key for authentication may be restricted to
1789one or more IPs or subnets via the third field of the
1790<samp>ntp.keys</samp>
1791file.
1792This restriction is not enabled by default,
1793to maintain backward compatability.
1794Expect
1795<code>noepeer</code>
1796to become the default in ntp-4.4.
1797</p></dd>
1798<dt><code>nomodify</code></dt>
1799<dd><p>Deny
1800<code>ntpq(1ntpqmdoc)</code>
1801and
1802<code>ntpdc(1ntpdcmdoc)</code>
1803queries which attempt to modify the state of the
1804server (i.e., run time reconfiguration).
1805Queries which return
1806information are permitted.
1807</p></dd>
1808<dt><code>noquery</code></dt>
1809<dd><p>Deny
1810<code>ntpq(1ntpqmdoc)</code>
1811and
1812<code>ntpdc(1ntpdcmdoc)</code>
1813queries.
1814Time service is not affected.
1815</p></dd>
1816<dt><code>nopeer</code></dt>
1817<dd><p>Deny unauthenticated packets which would result in mobilizing a new association.
1818This includes
1819broadcast and symmetric active packets
1820when a configured association does not exist.
1821It also includes
1822<code>pool</code>
1823associations, so if you want to use servers from a
1824<code>pool</code>
1825directive and also want to use
1826<code>nopeer</code>
1827by default, you&rsquo;ll want a
1828<code>restrict source ...</code>
1829line as well that does
1830<em>not</em>
1831include the
1832<code>nopeer</code>
1833directive.
1834</p></dd>
1835<dt><code>noserve</code></dt>
1836<dd><p>Deny all packets except
1837<code>ntpq(1ntpqmdoc)</code>
1838and
1839<code>ntpdc(1ntpdcmdoc)</code>
1840queries.
1841</p></dd>
1842<dt><code>notrap</code></dt>
1843<dd><p>Decline to provide mode 6 control message trap service to matching
1844hosts.
1845The trap service is a subsystem of the
1846<code>ntpq(1ntpqmdoc)</code>
1847control message
1848protocol which is intended for use by remote event logging programs.
1849</p></dd>
1850<dt><code>notrust</code></dt>
1851<dd><p>Deny service unless the packet is cryptographically authenticated.
1852</p></dd>
1853<dt><code>ntpport</code></dt>
1854<dd><p>This is actually a match algorithm modifier, rather than a
1855restriction flag.
1856Its presence causes the restriction entry to be
1857matched only if the source port in the packet is the standard NTP
1858UDP port (123).
1859Both
1860<code>ntpport</code>
1861and
1862<code>non-ntpport</code>
1863may
1864be specified.
1865The
1866<code>ntpport</code>
1867is considered more specific and
1868is sorted later in the list.
1869</p></dd>
1870<dt><code>serverresponse fuzz</code></dt>
1871<dd><p>When reponding to server requests,
1872fuzz the low order bits of the
1873<code>reftime</code>.
1874</p></dd>
1875<dt><code>version</code></dt>
1876<dd><p>Deny packets that do not match the current NTP version.
1877</p></dd>
1878</dl>
1879
1880<p>Default restriction list entries with the flags ignore, interface,
1881ntpport, for each of the local host&rsquo;s interface addresses are
1882inserted into the table at startup to prevent the server
1883from attempting to synchronize to its own time.
1884A default entry is also always present, though if it is
1885otherwise unconfigured; no flags are associated
1886with the default entry (i.e., everything besides your own
1887NTP server is unrestricted).
1888</p></dd>
1889</dl>
1890<hr>
1891<a name="Automatic-NTP-Configuration-Options"></a>
1892<div class="header">
1893<p>
1894Next: <a href="#Reference-Clock-Support" accesskey="n" rel="next">Reference Clock Support</a>, Previous: <a href="#Access-Control-Support" accesskey="p" rel="prev">Access Control Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
1895</div>
1896<a name="Automatic-NTP-Configuration-Options-1"></a>
1897<h4 class="subsection">1.1.5 Automatic NTP Configuration Options</h4>
1898<a name="Manycasting"></a>
1899<h4 class="subsubsection">1.1.5.1 Manycasting</h4>
1900<p>Manycasting is a automatic discovery and configuration paradigm
1901new to NTPv4.
1902It is intended as a means for a multicast client
1903to troll the nearby network neighborhood to find cooperating
1904manycast servers, validate them using cryptographic means
1905and evaluate their time values with respect to other servers
1906that might be lurking in the vicinity.
1907The intended result is that each manycast client mobilizes
1908client associations with some number of the &quot;best&quot;
1909of the nearby manycast servers, yet automatically reconfigures
1910to sustain this number of servers should one or another fail.
1911</p>
1912<p>Note that the manycasting paradigm does not coincide
1913with the anycast paradigm described in RFC-1546,
1914which is designed to find a single server from a clique
1915of servers providing the same service.
1916The manycast paradigm is designed to find a plurality
1917of redundant servers satisfying defined optimality criteria.
1918</p>
1919<p>Manycasting can be used with either symmetric key
1920or public key cryptography.
1921The public key infrastructure (PKI)
1922offers the best protection against compromised keys
1923and is generally considered stronger, at least with relatively
1924large key sizes.
1925It is implemented using the Autokey protocol and
1926the OpenSSL cryptographic library available from
1927<code>http://www.openssl.org/</code>.
1928The library can also be used with other NTPv4 modes
1929as well and is highly recommended, especially for broadcast modes.
1930</p>
1931<p>A persistent manycast client association is configured
1932using the
1933<code>manycastclient</code>
1934command, which is similar to the
1935<code>server</code>
1936command but with a multicast (IPv4 class
1937<code>D</code>
1938or IPv6 prefix
1939<code>FF</code>)
1940group address.
1941The IANA has designated IPv4 address 224.1.1.1
1942and IPv6 address FF05::101 (site local) for NTP.
1943When more servers are needed, it broadcasts manycast
1944client messages to this address at the minimum feasible rate
1945and minimum feasible time-to-live (TTL) hops, depending
1946on how many servers have already been found.
1947There can be as many manycast client associations
1948as different group address, each one serving as a template
1949for a future ephemeral unicast client/server association.
1950</p>
1951<p>Manycast servers configured with the
1952<code>manycastserver</code>
1953command listen on the specified group address for manycast
1954client messages.
1955Note the distinction between manycast client,
1956which actively broadcasts messages, and manycast server,
1957which passively responds to them.
1958If a manycast server is
1959in scope of the current TTL and is itself synchronized
1960to a valid source and operating at a stratum level equal
1961to or lower than the manycast client, it replies to the
1962manycast client message with an ordinary unicast server message.
1963</p>
1964<p>The manycast client receiving this message mobilizes
1965an ephemeral client/server association according to the
1966matching manycast client template, but only if cryptographically
1967authenticated and the server stratum is less than or equal
1968to the client stratum.
1969Authentication is explicitly required
1970and either symmetric key or public key (Autokey) can be used.
1971Then, the client polls the server at its unicast address
1972in burst mode in order to reliably set the host clock
1973and validate the source.
1974This normally results
1975in a volley of eight client/server at 2-s intervals
1976during which both the synchronization and cryptographic
1977protocols run concurrently.
1978Following the volley,
1979the client runs the NTP intersection and clustering
1980algorithms, which act to discard all but the &quot;best&quot;
1981associations according to stratum and synchronization
1982distance.
1983The surviving associations then continue
1984in ordinary client/server mode.
1985</p>
1986<p>The manycast client polling strategy is designed to reduce
1987as much as possible the volume of manycast client messages
1988and the effects of implosion due to near-simultaneous
1989arrival of manycast server messages.
1990The strategy is determined by the
1991<code>manycastclient</code>,
1992<code>tos</code>
1993and
1994<code>ttl</code>
1995configuration commands.
1996The manycast poll interval is
1997normally eight times the system poll interval,
1998which starts out at the
1999<code>minpoll</code>
2000value specified in the
2001<code>manycastclient</code>,
2002command and, under normal circumstances, increments to the
2003<code>maxpolll</code>
2004value specified in this command.
2005Initially, the TTL is
2006set at the minimum hops specified by the
2007<code>ttl</code>
2008command.
2009At each retransmission the TTL is increased until reaching
2010the maximum hops specified by this command or a sufficient
2011number client associations have been found.
2012Further retransmissions use the same TTL.
2013</p>
2014<p>The quality and reliability of the suite of associations
2015discovered by the manycast client is determined by the NTP
2016mitigation algorithms and the
2017<code>minclock</code>
2018and
2019<code>minsane</code>
2020values specified in the
2021<code>tos</code>
2022configuration command.
2023At least
2024<code>minsane</code>
2025candidate servers must be available and the mitigation
2026algorithms produce at least
2027<code>minclock</code>
2028survivors in order to synchronize the clock.
2029Byzantine agreement principles require at least four
2030candidates in order to correctly discard a single falseticker.
2031For legacy purposes,
2032<code>minsane</code>
2033defaults to 1 and
2034<code>minclock</code>
2035defaults to 3.
2036For manycast service
2037<code>minsane</code>
2038should be explicitly set to 4, assuming at least that
2039number of servers are available.
2040</p>
2041<p>If at least
2042<code>minclock</code>
2043servers are found, the manycast poll interval is immediately
2044set to eight times
2045<code>maxpoll</code>.
2046If less than
2047<code>minclock</code>
2048servers are found when the TTL has reached the maximum hops,
2049the manycast poll interval is doubled.
2050For each transmission
2051after that, the poll interval is doubled again until
2052reaching the maximum of eight times
2053<code>maxpoll</code>.
2054Further transmissions use the same poll interval and
2055TTL values.
2056Note that while all this is going on,
2057each client/server association found is operating normally
2058it the system poll interval.
2059</p>
2060<p>Administratively scoped multicast boundaries are normally
2061specified by the network router configuration and,
2062in the case of IPv6, the link/site scope prefix.
2063By default, the increment for TTL hops is 32 starting
2064from 31; however, the
2065<code>ttl</code>
2066configuration command can be
2067used to modify the values to match the scope rules.
2068</p>
2069<p>It is often useful to narrow the range of acceptable
2070servers which can be found by manycast client associations.
2071Because manycast servers respond only when the client
2072stratum is equal to or greater than the server stratum,
2073primary (stratum 1) servers fill find only primary servers
2074in TTL range, which is probably the most common objective.
2075However, unless configured otherwise, all manycast clients
2076in TTL range will eventually find all primary servers
2077in TTL range, which is probably not the most common
2078objective in large networks.
2079The
2080<code>tos</code>
2081command can be used to modify this behavior.
2082Servers with stratum below
2083<code>floor</code>
2084or above
2085<code>ceiling</code>
2086specified in the
2087<code>tos</code>
2088command are strongly discouraged during the selection
2089process; however, these servers may be temporally
2090accepted if the number of servers within TTL range is
2091less than
2092<code>minclock</code>.
2093</p>
2094<p>The above actions occur for each manycast client message,
2095which repeats at the designated poll interval.
2096However, once the ephemeral client association is mobilized,
2097subsequent manycast server replies are discarded,
2098since that would result in a duplicate association.
2099If during a poll interval the number of client associations
2100falls below
2101<code>minclock</code>,
2102all manycast client prototype associations are reset
2103to the initial poll interval and TTL hops and operation
2104resumes from the beginning.
2105It is important to avoid
2106frequent manycast client messages, since each one requires
2107all manycast servers in TTL range to respond.
2108The result could well be an implosion, either minor or major,
2109depending on the number of servers in range.
2110The recommended value for
2111<code>maxpoll</code>
2112is 12 (4,096 s).
2113</p>
2114<p>It is possible and frequently useful to configure a host
2115as both manycast client and manycast server.
2116A number of hosts configured this way and sharing a common
2117group address will automatically organize themselves
2118in an optimum configuration based on stratum and
2119synchronization distance.
2120For example, consider an NTP
2121subnet of two primary servers and a hundred or more
2122dependent clients.
2123With two exceptions, all servers
2124and clients have identical configuration files including both
2125<code>multicastclient</code>
2126and
2127<code>multicastserver</code>
2128commands using, for instance, multicast group address
2129239.1.1.1.
2130The only exception is that each primary server
2131configuration file must include commands for the primary
2132reference source such as a GPS receiver.
2133</p>
2134<p>The remaining configuration files for all secondary
2135servers and clients have the same contents, except for the
2136<code>tos</code>
2137command, which is specific for each stratum level.
2138For stratum 1 and stratum 2 servers, that command is
2139not necessary.
2140For stratum 3 and above servers the
2141<code>floor</code>
2142value is set to the intended stratum number.
2143Thus, all stratum 3 configuration files are identical,
2144all stratum 4 files are identical and so forth.
2145</p>
2146<p>Once operations have stabilized in this scenario,
2147the primary servers will find the primary reference source
2148and each other, since they both operate at the same
2149stratum (1), but not with any secondary server or client,
2150since these operate at a higher stratum.
2151The secondary
2152servers will find the servers at the same stratum level.
2153If one of the primary servers loses its GPS receiver,
2154it will continue to operate as a client and other clients
2155will time out the corresponding association and
2156re-associate accordingly.
2157</p>
2158<p>Some administrators prefer to avoid running
2159<code>ntpd(1ntpdmdoc)</code>
2160continuously and run either
2161<code>sntp(1sntpmdoc)</code>
2162or
2163<code>ntpd(1ntpdmdoc)</code>
2164<code>-q</code>
2165as a cron job.
2166In either case the servers must be
2167configured in advance and the program fails if none are
2168available when the cron job runs.
2169A really slick
2170application of manycast is with
2171<code>ntpd(1ntpdmdoc)</code>
2172<code>-q</code>.
2173The program wakes up, scans the local landscape looking
2174for the usual suspects, selects the best from among
2175the rascals, sets the clock and then departs.
2176Servers do not have to be configured in advance and
2177all clients throughout the network can have the same
2178configuration file.
2179</p><a name="Manycast-Interactions-with-Autokey"></a>
2180<h4 class="subsubsection">1.1.5.2 Manycast Interactions with Autokey</h4>
2181<p>Each time a manycast client sends a client mode packet
2182to a multicast group address, all manycast servers
2183in scope generate a reply including the host name
2184and status word.
2185The manycast clients then run
2186the Autokey protocol, which collects and verifies
2187all certificates involved.
2188Following the burst interval
2189all but three survivors are cast off,
2190but the certificates remain in the local cache.
2191It often happens that several complete signing trails
2192from the client to the primary servers are collected in this way.
2193</p>
2194<p>About once an hour or less often if the poll interval
2195exceeds this, the client regenerates the Autokey key list.
2196This is in general transparent in client/server mode.
2197However, about once per day the server private value
2198used to generate cookies is refreshed along with all
2199manycast client associations.
2200In this case all
2201cryptographic values including certificates is refreshed.
2202If a new certificate has been generated since
2203the last refresh epoch, it will automatically revoke
2204all prior certificates that happen to be in the
2205certificate cache.
2206At the same time, the manycast
2207scheme starts all over from the beginning and
2208the expanding ring shrinks to the minimum and increments
2209from there while collecting all servers in scope.
2210</p><a name="Broadcast-Options"></a>
2211<h4 class="subsubsection">1.1.5.3 Broadcast Options</h4>
2212<dl compact="compact">
2213<dt><code>tos</code> <code>[<code>bcpollbstep</code> <kbd>gate</kbd>]</code></dt>
2214<dd><p>This command provides a way to delay,
2215by the specified number of broadcast poll intervals,
2216believing backward time steps from a broadcast server.
2217Broadcast time networks are expected to be trusted.
2218In the event a broadcast server&rsquo;s time is stepped backwards,
2219there is clear benefit to having the clients notice this change
2220as soon as possible.
2221Attacks such as replay attacks can happen, however,
2222and even though there are a number of protections built in to
2223broadcast mode, attempts to perform a replay attack are possible.
2224This value defaults to 0, but can be changed
2225to any number of poll intervals between 0 and 4.
2226</p></dd>
2227</dl>
2228<a name="Manycast-Options"></a>
2229<h4 class="subsubsection">1.1.5.4 Manycast Options</h4>
2230<dl compact="compact">
2231<dt><code>tos</code> <code>[<code>ceiling</code> <kbd>ceiling</kbd> | <code>cohort</code> <code>{</code> <code>0</code> | <code>1</code> <code>}</code> | <code>floor</code> <kbd>floor</kbd> | <code>minclock</code> <kbd>minclock</kbd> | <code>minsane</code> <kbd>minsane</kbd>]</code></dt>
2232<dd><p>This command affects the clock selection and clustering
2233algorithms.
2234It can be used to select the quality and
2235quantity of peers used to synchronize the system clock
2236and is most useful in manycast mode.
2237The variables operate
2238as follows:
2239</p><dl compact="compact">
2240<dt><code>ceiling</code> <kbd>ceiling</kbd></dt>
2241<dd><p>Peers with strata above
2242<code>ceiling</code>
2243will be discarded if there are at least
2244<code>minclock</code>
2245peers remaining.
2246This value defaults to 15, but can be changed
2247to any number from 1 to 15.
2248</p></dd>
2249<dt><code>cohort</code> <code>{0 | 1}</code></dt>
2250<dd><p>This is a binary flag which enables (0) or disables (1)
2251manycast server replies to manycast clients with the same
2252stratum level.
2253This is useful to reduce implosions where
2254large numbers of clients with the same stratum level
2255are present.
2256The default is to enable these replies.
2257</p></dd>
2258<dt><code>floor</code> <kbd>floor</kbd></dt>
2259<dd><p>Peers with strata below
2260<code>floor</code>
2261will be discarded if there are at least
2262<code>minclock</code>
2263peers remaining.
2264This value defaults to 1, but can be changed
2265to any number from 1 to 15.
2266</p></dd>
2267<dt><code>minclock</code> <kbd>minclock</kbd></dt>
2268<dd><p>The clustering algorithm repeatedly casts out outlier
2269associations until no more than
2270<code>minclock</code>
2271associations remain.
2272This value defaults to 3,
2273but can be changed to any number from 1 to the number of
2274configured sources.
2275</p></dd>
2276<dt><code>minsane</code> <kbd>minsane</kbd></dt>
2277<dd><p>This is the minimum number of candidates available
2278to the clock selection algorithm in order to produce
2279one or more truechimers for the clustering algorithm.
2280If fewer than this number are available, the clock is
2281undisciplined and allowed to run free.
2282The default is 1
2283for legacy purposes.
2284However, according to principles of
2285Byzantine agreement,
2286<code>minsane</code>
2287should be at least 4 in order to detect and discard
2288a single falseticker.
2289</p></dd>
2290</dl>
2291</dd>
2292<dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd></dt>
2293<dd><p>This command specifies a list of TTL values in increasing
2294order, up to 8 values can be specified.
2295In manycast mode these values are used in turn
2296in an expanding-ring search.
2297The default is eight
2298multiples of 32 starting at 31.
2299</p></dd>
2300</dl>
2301<hr>
2302<a name="Reference-Clock-Support"></a>
2303<div class="header">
2304<p>
2305Next: <a href="#Miscellaneous-Options" accesskey="n" rel="next">Miscellaneous Options</a>, Previous: <a href="#Automatic-NTP-Configuration-Options" accesskey="p" rel="prev">Automatic NTP Configuration Options</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
2306</div>
2307<a name="Reference-Clock-Support-1"></a>
2308<h4 class="subsection">1.1.6 Reference Clock Support</h4>
2309<p>The NTP Version 4 daemon supports some three dozen different radio,
2310satellite and modem reference clocks plus a special pseudo-clock
2311used for backup or when no other clock source is available.
2312Detailed descriptions of individual device drivers and options can
2313be found in the
2314&quot;Reference Clock Drivers&quot;
2315page
2316(available as part of the HTML documentation
2317provided in
2318<samp>/usr/share/doc/ntp</samp>).
2319Additional information can be found in the pages linked
2320there, including the
2321&quot;Debugging Hints for Reference Clock Drivers&quot;
2322and
2323&quot;How To Write a Reference Clock Driver&quot;
2324pages
2325(available as part of the HTML documentation
2326provided in
2327<samp>/usr/share/doc/ntp</samp>).
2328In addition, support for a PPS
2329signal is available as described in the
2330&quot;Pulse-per-second (PPS) Signal Interfacing&quot;
2331page
2332(available as part of the HTML documentation
2333provided in
2334<samp>/usr/share/doc/ntp</samp>).
2335Many
2336drivers support special line discipline/streams modules which can
2337significantly improve the accuracy using the driver.
2338These are
2339described in the
2340&quot;Line Disciplines and Streams Drivers&quot;
2341page
2342(available as part of the HTML documentation
2343provided in
2344<samp>/usr/share/doc/ntp</samp>).
2345</p>
2346<p>A reference clock will generally (though not always) be a radio
2347timecode receiver which is synchronized to a source of standard
2348time such as the services offered by the NRC in Canada and NIST and
2349USNO in the US.
2350The interface between the computer and the timecode
2351receiver is device dependent, but is usually a serial port.
2352A
2353device driver specific to each reference clock must be selected and
2354compiled in the distribution; however, most common radio, satellite
2355and modem clocks are included by default.
2356Note that an attempt to
2357configure a reference clock when the driver has not been compiled
2358or the hardware port has not been appropriately configured results
2359in a scalding remark to the system log file, but is otherwise non
2360hazardous.
2361</p>
2362<p>For the purposes of configuration,
2363<code>ntpd(1ntpdmdoc)</code>
2364treats
2365reference clocks in a manner analogous to normal NTP peers as much
2366as possible.
2367Reference clocks are identified by a syntactically
2368correct but invalid IP address, in order to distinguish them from
2369normal NTP peers.
2370Reference clock addresses are of the form
2371<code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd>,
2372where
2373<kbd>t</kbd>
2374is an integer
2375denoting the clock type and
2376<kbd>u</kbd>
2377indicates the unit
2378number in the range 0-3.
2379While it may seem overkill, it is in fact
2380sometimes useful to configure multiple reference clocks of the same
2381type, in which case the unit numbers must be unique.
2382</p>
2383<p>The
2384<code>server</code>
2385command is used to configure a reference
2386clock, where the
2387<kbd>address</kbd>
2388argument in that command
2389is the clock address.
2390The
2391<code>key</code>,
2392<code>version</code>
2393and
2394<code>ttl</code>
2395options are not used for reference clock support.
2396The
2397<code>mode</code>
2398option is added for reference clock support, as
2399described below.
2400The
2401<code>prefer</code>
2402option can be useful to
2403persuade the server to cherish a reference clock with somewhat more
2404enthusiasm than other reference clocks or peers.
2405Further
2406information on this option can be found in the
2407&quot;Mitigation Rules and the prefer Keyword&quot;
2408(available as part of the HTML documentation
2409provided in
2410<samp>/usr/share/doc/ntp</samp>)
2411page.
2412The
2413<code>minpoll</code>
2414and
2415<code>maxpoll</code>
2416options have
2417meaning only for selected clock drivers.
2418See the individual clock
2419driver document pages for additional information.
2420</p>
2421<p>The
2422<code>fudge</code>
2423command is used to provide additional
2424information for individual clock drivers and normally follows
2425immediately after the
2426<code>server</code>
2427command.
2428The
2429<kbd>address</kbd>
2430argument specifies the clock address.
2431The
2432<code>refid</code>
2433and
2434<code>stratum</code>
2435options can be used to
2436override the defaults for the device.
2437There are two optional
2438device-dependent time offsets and four flags that can be included
2439in the
2440<code>fudge</code>
2441command as well.
2442</p>
2443<p>The stratum number of a reference clock is by default zero.
2444Since the
2445<code>ntpd(1ntpdmdoc)</code>
2446daemon adds one to the stratum of each
2447peer, a primary server ordinarily displays an external stratum of
2448one.
2449In order to provide engineered backups, it is often useful to
2450specify the reference clock stratum as greater than zero.
2451The
2452<code>stratum</code>
2453option is used for this purpose.
2454Also, in cases
2455involving both a reference clock and a pulse-per-second (PPS)
2456discipline signal, it is useful to specify the reference clock
2457identifier as other than the default, depending on the driver.
2458The
2459<code>refid</code>
2460option is used for this purpose.
2461Except where noted,
2462these options apply to all clock drivers.
2463</p><a name="Reference-Clock-Commands"></a>
2464<h4 class="subsubsection">1.1.6.1 Reference Clock Commands</h4>
2465<dl compact="compact">
2466<dt><code>server</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[<code>prefer</code>]</code> <code>[<code>mode</code> <kbd>int</kbd>]</code> <code>[<code>minpoll</code> <kbd>int</kbd>]</code> <code>[<code>maxpoll</code> <kbd>int</kbd>]</code></dt>
2467<dd><p>This command can be used to configure reference clocks in
2468special ways.
2469The options are interpreted as follows:
2470</p><dl compact="compact">
2471<dt><code>prefer</code></dt>
2472<dd><p>Marks the reference clock as preferred.
2473All other things being
2474equal, this host will be chosen for synchronization among a set of
2475correctly operating hosts.
2476See the
2477&quot;Mitigation Rules and the prefer Keyword&quot;
2478page
2479(available as part of the HTML documentation
2480provided in
2481<samp>/usr/share/doc/ntp</samp>)
2482for further information.
2483</p></dd>
2484<dt><code>mode</code> <kbd>int</kbd></dt>
2485<dd><p>Specifies a mode number which is interpreted in a
2486device-specific fashion.
2487For instance, it selects a dialing
2488protocol in the ACTS driver and a device subtype in the
2489parse
2490drivers.
2491</p></dd>
2492<dt><code>minpoll</code> <kbd>int</kbd></dt>
2493<dt><code>maxpoll</code> <kbd>int</kbd></dt>
2494<dd><p>These options specify the minimum and maximum polling interval
2495for reference clock messages, as a power of 2 in seconds
2496For
2497most directly connected reference clocks, both
2498<code>minpoll</code>
2499and
2500<code>maxpoll</code>
2501default to 6 (64 s).
2502For modem reference clocks,
2503<code>minpoll</code>
2504defaults to 10 (17.1 m) and
2505<code>maxpoll</code>
2506defaults to 14 (4.5 h).
2507The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
2508</p></dd>
2509</dl>
2510</dd>
2511<dt><code>fudge</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[<code>time1</code> <kbd>sec</kbd>]</code> <code>[<code>time2</code> <kbd>sec</kbd>]</code> <code>[<code>stratum</code> <kbd>int</kbd>]</code> <code>[<code>refid</code> <kbd>string</kbd>]</code> <code>[<code>mode</code> <kbd>int</kbd>]</code> <code>[<code>flag1</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag2</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag3</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag4</code> <code>0</code> <code>|</code> <code>1</code>]</code></dt>
2512<dd><p>This command can be used to configure reference clocks in
2513special ways.
2514It must immediately follow the
2515<code>server</code>
2516command which configures the driver.
2517Note that the same capability
2518is possible at run time using the
2519<code>ntpdc(1ntpdcmdoc)</code>
2520program.
2521The options are interpreted as
2522follows:
2523</p><dl compact="compact">
2524<dt><code>time1</code> <kbd>sec</kbd></dt>
2525<dd><p>Specifies a constant to be added to the time offset produced by
2526the driver, a fixed-point decimal number in seconds.
2527This is used
2528as a calibration constant to adjust the nominal time offset of a
2529particular clock to agree with an external standard, such as a
2530precision PPS signal.
2531It also provides a way to correct a
2532systematic error or bias due to serial port or operating system
2533latencies, different cable lengths or receiver internal delay.
2534The
2535specified offset is in addition to the propagation delay provided
2536by other means, such as internal DIPswitches.
2537Where a calibration
2538for an individual system and driver is available, an approximate
2539correction is noted in the driver documentation pages.
2540Note: in order to facilitate calibration when more than one
2541radio clock or PPS signal is supported, a special calibration
2542feature is available.
2543It takes the form of an argument to the
2544<code>enable</code>
2545command described in
2546<a href="#Miscellaneous-Options">Miscellaneous Options</a>
2547page and operates as described in the
2548&quot;Reference Clock Drivers&quot;
2549page
2550(available as part of the HTML documentation
2551provided in
2552<samp>/usr/share/doc/ntp</samp>).
2553</p></dd>
2554<dt><code>time2</code> <kbd>secs</kbd></dt>
2555<dd><p>Specifies a fixed-point decimal number in seconds, which is
2556interpreted in a driver-dependent way.
2557See the descriptions of
2558specific drivers in the
2559&quot;Reference Clock Drivers&quot;
2560page
2561(available as part of the HTML documentation
2562provided in
2563<samp>/usr/share/doc/ntp</samp> <samp>).</samp>
2564</p></dd>
2565<dt><code>stratum</code> <kbd>int</kbd></dt>
2566<dd><p>Specifies the stratum number assigned to the driver, an integer
2567between 0 and 15.
2568This number overrides the default stratum number
2569ordinarily assigned by the driver itself, usually zero.
2570</p></dd>
2571<dt><code>refid</code> <kbd>string</kbd></dt>
2572<dd><p>Specifies an ASCII string of from one to four characters which
2573defines the reference identifier used by the driver.
2574This string
2575overrides the default identifier ordinarily assigned by the driver
2576itself.
2577</p></dd>
2578<dt><code>mode</code> <kbd>int</kbd></dt>
2579<dd><p>Specifies a mode number which is interpreted in a
2580device-specific fashion.
2581For instance, it selects a dialing
2582protocol in the ACTS driver and a device subtype in the
2583parse
2584drivers.
2585</p></dd>
2586<dt><code>flag1</code> <code>0</code> <code>|</code> <code>1</code></dt>
2587<dt><code>flag2</code> <code>0</code> <code>|</code> <code>1</code></dt>
2588<dt><code>flag3</code> <code>0</code> <code>|</code> <code>1</code></dt>
2589<dt><code>flag4</code> <code>0</code> <code>|</code> <code>1</code></dt>
2590<dd><p>These four flags are used for customizing the clock driver.
2591The
2592interpretation of these values, and whether they are used at all,
2593is a function of the particular clock driver.
2594However, by
2595convention
2596<code>flag4</code>
2597is used to enable recording monitoring
2598data to the
2599<code>clockstats</code>
2600file configured with the
2601<code>filegen</code>
2602command.
2603Further information on the
2604<code>filegen</code>
2605command can be found in
2606&lsquo;Monitoring Options&rsquo;.
2607</p></dd>
2608</dl>
2609</dd>
2610</dl>
2611<hr>
2612<a name="Miscellaneous-Options"></a>
2613<div class="header">
2614<p>
2615Next: <a href="#ntp_002econf-Files" accesskey="n" rel="next">ntp.conf Files</a>, Previous: <a href="#Reference-Clock-Support" accesskey="p" rel="prev">Reference Clock Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
2616</div>
2617<a name="Miscellaneous-Options-1"></a>
2618<h4 class="subsection">1.1.7 Miscellaneous Options</h4>
2619<dl compact="compact">
2620<dt><code>broadcastdelay</code> <kbd>seconds</kbd></dt>
2621<dd><p>The broadcast and multicast modes require a special calibration
2622to determine the network delay between the local and remote
2623servers.
2624Ordinarily, this is done automatically by the initial
2625protocol exchanges between the client and server.
2626In some cases,
2627the calibration procedure may fail due to network or server access
2628controls, for example.
2629This command specifies the default delay to
2630be used under these circumstances.
2631Typically (for Ethernet), a
2632number between 0.003 and 0.007 seconds is appropriate.
2633The default
2634when this command is not used is 0.004 seconds.
2635</p></dd>
2636<dt><code>calldelay</code> <kbd>delay</kbd></dt>
2637<dd><p>This option controls the delay in seconds between the first and second
2638packets sent in burst or iburst mode to allow additional time for a modem
2639or ISDN call to complete.
2640</p></dd>
2641<dt><code>driftfile</code> <kbd>driftfile</kbd></dt>
2642<dd><p>This command specifies the complete path and name of the file used to
2643record the frequency of the local clock oscillator.
2644This is the same
2645operation as the
2646<code>-f</code>
2647command line option.
2648If the file exists, it is read at
2649startup in order to set the initial frequency and then updated once per
2650hour with the current frequency computed by the daemon.
2651If the file name is
2652specified, but the file itself does not exist, the starts with an initial
2653frequency of zero and creates the file when writing it for the first time.
2654If this command is not given, the daemon will always start with an initial
2655frequency of zero.
2656</p>
2657<p>The file format consists of a single line containing a single
2658floating point number, which records the frequency offset measured
2659in parts-per-million (PPM).
2660The file is updated by first writing
2661the current drift value into a temporary file and then renaming
2662this file to replace the old version.
2663This implies that
2664<code>ntpd(1ntpdmdoc)</code>
2665must have write permission for the directory the
2666drift file is located in, and that file system links, symbolic or
2667otherwise, should be avoided.
2668</p></dd>
2669<dt><code>dscp</code> <kbd>value</kbd></dt>
2670<dd><p>This option specifies the Differentiated Services Control Point (DSCP) value,
2671a 6-bit code.
2672The default value is 46, signifying Expedited Forwarding.
2673</p></dd>
2674<dt><code>enable</code> <code>[<code>auth</code> | <code>bclient</code> | <code>calibrate</code> | <code>kernel</code> | <code>mode7</code> | <code>monitor</code> | <code>ntp</code> | <code>stats</code> | <code>peer_clear_digest_early</code> | <code>unpeer_crypto_early</code> | <code>unpeer_crypto_nak_early</code> | <code>unpeer_digest_early</code>]</code></dt>
2675<dt><code>disable</code> <code>[<code>auth</code> | <code>bclient</code> | <code>calibrate</code> | <code>kernel</code> | <code>mode7</code> | <code>monitor</code> | <code>ntp</code> | <code>stats</code> | <code>peer_clear_digest_early</code> | <code>unpeer_crypto_early</code> | <code>unpeer_crypto_nak_early</code> | <code>unpeer_digest_early</code>]</code></dt>
2676<dd><p>Provides a way to enable or disable various server options.
2677Flags not mentioned are unaffected.
2678Note that all of these flags
2679can be controlled remotely using the
2680<code>ntpdc(1ntpdcmdoc)</code>
2681utility program.
2682</p><dl compact="compact">
2683<dt><code>auth</code></dt>
2684<dd><p>Enables the server to synchronize with unconfigured peers only if the
2685peer has been correctly authenticated using either public key or
2686private key cryptography.
2687The default for this flag is
2688<code>enable</code>.
2689</p></dd>
2690<dt><code>bclient</code></dt>
2691<dd><p>Enables the server to listen for a message from a broadcast or
2692multicast server, as in the
2693<code>multicastclient</code>
2694command with default
2695address.
2696The default for this flag is
2697<code>disable</code>.
2698</p></dd>
2699<dt><code>calibrate</code></dt>
2700<dd><p>Enables the calibrate feature for reference clocks.
2701The default for
2702this flag is
2703<code>disable</code>.
2704</p></dd>
2705<dt><code>kernel</code></dt>
2706<dd><p>Enables the kernel time discipline, if available.
2707The default for this
2708flag is
2709<code>enable</code>
2710if support is available, otherwise
2711<code>disable</code>.
2712</p></dd>
2713<dt><code>mode7</code></dt>
2714<dd><p>Enables processing of NTP mode 7 implementation-specific requests
2715which are used by the deprecated
2716<code>ntpdc(1ntpdcmdoc)</code>
2717program.
2718The default for this flag is disable.
2719This flag is excluded from runtime configuration using
2720<code>ntpq(1ntpqmdoc)</code>.
2721The
2722<code>ntpq(1ntpqmdoc)</code>
2723program provides the same capabilities as
2724<code>ntpdc(1ntpdcmdoc)</code>
2725using standard mode 6 requests.
2726</p></dd>
2727<dt><code>monitor</code></dt>
2728<dd><p>Enables the monitoring facility.
2729See the
2730<code>ntpdc(1ntpdcmdoc)</code>
2731program
2732and the
2733<code>monlist</code>
2734command or further information.
2735The
2736default for this flag is
2737<code>enable</code>.
2738</p></dd>
2739<dt><code>ntp</code></dt>
2740<dd><p>Enables time and frequency discipline.
2741In effect, this switch opens and
2742closes the feedback loop, which is useful for testing.
2743The default for
2744this flag is
2745<code>enable</code>.
2746</p></dd>
2747<dt><code>peer_clear_digest_early</code></dt>
2748<dd><p>By default, if
2749<code>ntpd(1ntpdmdoc)</code>
2750is using autokey and it
2751receives a crypto-NAK packet that
2752passes the duplicate packet and origin timestamp checks
2753the peer variables are immediately cleared.
2754While this is generally a feature
2755as it allows for quick recovery if a server key has changed,
2756a properly forged and appropriately delivered crypto-NAK packet
2757can be used in a DoS attack.
2758If you have active noticable problems with this type of DoS attack
2759then you should consider
2760disabling this option.
2761You can check your
2762<code>peerstats</code>
2763file for evidence of any of these attacks.
2764The
2765default for this flag is
2766<code>enable</code>.
2767</p></dd>
2768<dt><code>stats</code></dt>
2769<dd><p>Enables the statistics facility.
2770See the
2771&lsquo;Monitoring Options&rsquo;
2772section for further information.
2773The default for this flag is
2774<code>disable</code>.
2775</p></dd>
2776<dt><code>unpeer_crypto_early</code></dt>
2777<dd><p>By default, if
2778<code>ntpd(1ntpdmdoc)</code>
2779receives an autokey packet that fails TEST9,
2780a crypto failure,
2781the association is immediately cleared.
2782This is almost certainly a feature,
2783but if, in spite of the current recommendation of not using autokey,
2784you are
2785.B still
2786using autokey
2787.B and
2788you are seeing this sort of DoS attack
2789disabling this flag will delay
2790tearing down the association until the reachability counter
2791becomes zero.
2792You can check your
2793<code>peerstats</code>
2794file for evidence of any of these attacks.
2795The
2796default for this flag is
2797<code>enable</code>.
2798</p></dd>
2799<dt><code>unpeer_crypto_nak_early</code></dt>
2800<dd><p>By default, if
2801<code>ntpd(1ntpdmdoc)</code>
2802receives a crypto-NAK packet that
2803passes the duplicate packet and origin timestamp checks
2804the association is immediately cleared.
2805While this is generally a feature
2806as it allows for quick recovery if a server key has changed,
2807a properly forged and appropriately delivered crypto-NAK packet
2808can be used in a DoS attack.
2809If you have active noticable problems with this type of DoS attack
2810then you should consider
2811disabling this option.
2812You can check your
2813<code>peerstats</code>
2814file for evidence of any of these attacks.
2815The
2816default for this flag is
2817<code>enable</code>.
2818</p></dd>
2819<dt><code>unpeer_digest_early</code></dt>
2820<dd><p>By default, if
2821<code>ntpd(1ntpdmdoc)</code>
2822receives what should be an authenticated packet
2823that passes other packet sanity checks but
2824contains an invalid digest
2825the association is immediately cleared.
2826While this is generally a feature
2827as it allows for quick recovery,
2828if this type of packet is carefully forged and sent
2829during an appropriate window it can be used for a DoS attack.
2830If you have active noticable problems with this type of DoS attack
2831then you should consider
2832disabling this option.
2833You can check your
2834<code>peerstats</code>
2835file for evidence of any of these attacks.
2836The
2837default for this flag is
2838<code>enable</code>.
2839</p></dd>
2840</dl>
2841</dd>
2842<dt><code>includefile</code> <kbd>includefile</kbd></dt>
2843<dd><p>This command allows additional configuration commands
2844to be included from a separate file.
2845Include files may
2846be nested to a depth of five; upon reaching the end of any
2847include file, command processing resumes in the previous
2848configuration file.
2849This option is useful for sites that run
2850<code>ntpd(1ntpdmdoc)</code>
2851on multiple hosts, with (mostly) common options (e.g., a
2852restriction list).
2853</p></dd>
2854<dt><code>interface</code> <code>[<code>listen</code> | <code>ignore</code> | <code>drop</code>]</code> <code>[<code>all</code> | <code>ipv4</code> | <code>ipv6</code> | <code>wildcard</code> <kbd>name</kbd> | <kbd>address</kbd> <code>[<code>/</code> <kbd>prefixlen</kbd>]</code>]</code></dt>
2855<dd><p>The
2856<code>interface</code>
2857directive controls which network addresses
2858<code>ntpd(1ntpdmdoc)</code>
2859opens, and whether input is dropped without processing.
2860The first parameter determines the action for addresses
2861which match the second parameter.
2862The second parameter specifies a class of addresses,
2863or a specific interface name,
2864or an address.
2865In the address case,
2866<kbd>prefixlen</kbd>
2867determines how many bits must match for this rule to apply.
2868<code>ignore</code>
2869prevents opening matching addresses,
2870<code>drop</code>
2871causes
2872<code>ntpd(1ntpdmdoc)</code>
2873to open the address and drop all received packets without examination.
2874Multiple
2875<code>interface</code>
2876directives can be used.
2877The last rule which matches a particular address determines the action for it.
2878<code>interface</code>
2879directives are disabled if any
2880<code>-I</code>,
2881<code>--interface</code>,
2882<code>-L</code>,
2883or
2884<code>--novirtualips</code>
2885command-line options are specified in the configuration file,
2886all available network addresses are opened.
2887The
2888<code>nic</code>
2889directive is an alias for
2890<code>interface</code>.
2891</p></dd>
2892<dt><code>leapfile</code> <kbd>leapfile</kbd></dt>
2893<dd><p>This command loads the IERS leapseconds file and initializes the
2894leapsecond values for the next leapsecond event, leapfile expiration
2895time, and TAI offset.
2896The file can be obtained directly from the IERS at
2897<code>https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>
2898or
2899<code>ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>.
2900The
2901<code>leapfile</code>
2902is scanned when
2903<code>ntpd(1ntpdmdoc)</code>
2904processes the
2905<code>leapfile</code> <code>directive</code> <code>or</code> <code>when</code>
2906<code>ntpd</code> <code>detects</code> <code>that</code> <code>the</code>
2907<kbd>leapfile</kbd>
2908has changed.
2909<code>ntpd</code>
2910checks once a day to see if the
2911<kbd>leapfile</kbd>
2912has changed.
2913The
2914<code>update-leap(1update_leapmdoc)</code>
2915script can be run to see if the
2916<kbd>leapfile</kbd>
2917should be updated.
2918</p></dd>
2919<dt><code>leapsmearinterval</code> <kbd>seconds</kbd></dt>
2920<dd><p>This EXPERIMENTAL option is only available if
2921<code>ntpd(1ntpdmdoc)</code>
2922was built with the
2923<code>--enable-leap-smear</code>
2924option to the
2925<code>configure</code>
2926script.
2927It specifies the interval over which a leap second correction will be applied.
2928Recommended values for this option are between
29297200 (2 hours) and 86400 (24 hours).
2930.Sy DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS!
2931See http://bugs.ntp.org/2855 for more information.
2932</p></dd>
2933<dt><code>logconfig</code> <kbd>configkeyword</kbd></dt>
2934<dd><p>This command controls the amount and type of output written to
2935the system
2936<code>syslog(3)</code>
2937facility or the alternate
2938<code>logfile</code>
2939log file.
2940By default, all output is turned on.
2941All
2942<kbd>configkeyword</kbd>
2943keywords can be prefixed with
2944&lsquo;=&rsquo;,
2945&lsquo;+&rsquo;
2946and
2947&lsquo;-&rsquo;,
2948where
2949&lsquo;=&rsquo;
2950sets the
2951<code>syslog(3)</code>
2952priority mask,
2953&lsquo;+&rsquo;
2954adds and
2955&lsquo;-&rsquo;
2956removes
2957messages.
2958<code>syslog(3)</code>
2959messages can be controlled in four
2960classes
2961(<code>clock</code>, <code>peer</code>, <code>sys</code> and <code>sync</code>).
2962Within these classes four types of messages can be
2963controlled: informational messages
2964(<code>info</code>),
2965event messages
2966(<code>events</code>),
2967statistics messages
2968(<code>statistics</code>)
2969and
2970status messages
2971(<code>status</code>).
2972</p>
2973<p>Configuration keywords are formed by concatenating the message class with
2974the event class.
2975The
2976<code>all</code>
2977prefix can be used instead of a message class.
2978A
2979message class may also be followed by the
2980<code>all</code>
2981keyword to enable/disable all
2982messages of the respective message class.
2983Thus, a minimal log configuration
2984could look like this:
2985</p><pre class="verbatim">logconfig =syncstatus +sysevents
2986</pre>
2987<p>This would just list the synchronizations state of
2988<code>ntpd(1ntpdmdoc)</code>
2989and the major system events.
2990For a simple reference server, the
2991following minimum message configuration could be useful:
2992</p><pre class="verbatim">logconfig =syncall +clockall
2993</pre>
2994<p>This configuration will list all clock information and
2995synchronization information.
2996All other events and messages about
2997peers, system events and so on is suppressed.
2998</p></dd>
2999<dt><code>logfile</code> <kbd>logfile</kbd></dt>
3000<dd><p>This command specifies the location of an alternate log file to
3001be used instead of the default system
3002<code>syslog(3)</code>
3003facility.
3004This is the same operation as the
3005<code>-l</code>
3006command line option.
3007</p></dd>
3008<dt><code>mru</code> <code>[<code>maxdepth</code> <kbd>count</kbd> | <code>maxmem</code> <kbd>kilobytes</kbd> | <code>mindepth</code> <kbd>count</kbd> | <code>maxage</code> <kbd>seconds</kbd> | <code>initialloc</code> <kbd>count</kbd> | <code>initmem</code> <kbd>kilobytes</kbd> | <code>incalloc</code> <kbd>count</kbd> | <code>incmem</code> <kbd>kilobytes</kbd>]</code></dt>
3009<dd><p>Controls size limite of the monitoring facility&rsquo;s Most Recently Used
3010(MRU) list
3011of client addresses, which is also used by the
3012rate control facility.
3013</p><dl compact="compact">
3014<dt><code>maxdepth</code> <kbd>count</kbd></dt>
3015<dt><code>maxmem</code> <kbd>kilobytes</kbd></dt>
3016<dd><p>Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
3017The acutal limit will be up to
3018<code>incalloc</code>
3019entries or
3020<code>incmem</code>
3021kilobytes larger.
3022As with all of the
3023<code>mru</code>
3024options offered in units of entries or kilobytes, if both
3025<code>maxdepth</code>
3026and
3027<code>maxmem</code> <code>are</code> <code>used,</code> <code>the</code> <code>last</code> <code>one</code> <code>used</code> <code>controls.</code>
3028The default is 1024 kilobytes.
3029</p></dd>
3030<dt><code>mindepth</code> <kbd>count</kbd></dt>
3031<dd><p>Lower limit on the MRU list size.
3032When the MRU list has fewer than
3033<code>mindepth</code>
3034entries, existing entries are never removed to make room for newer ones,
3035regardless of their age.
3036The default is 600 entries.
3037</p></dd>
3038<dt><code>maxage</code> <kbd>seconds</kbd></dt>
3039<dd><p>Once the MRU list has
3040<code>mindepth</code>
3041entries and an additional client is to ba added to the list,
3042if the oldest entry was updated more than
3043<code>maxage</code>
3044seconds ago, that entry is removed and its storage is reused.
3045If the oldest entry was updated more recently the MRU list is grown,
3046subject to
3047<code>maxdepth</code> <code>/</code> <code>moxmem</code>.
3048The default is 64 seconds.
3049</p></dd>
3050<dt><code>initalloc</code> <kbd>count</kbd></dt>
3051<dt><code>initmem</code> <kbd>kilobytes</kbd></dt>
3052<dd><p>Initial memory allocation at the time the monitoringfacility is first enabled,
3053in terms of the number of entries or kilobytes.
3054The default is 4 kilobytes.
3055</p></dd>
3056<dt><code>incalloc</code> <kbd>count</kbd></dt>
3057<dt><code>incmem</code> <kbd>kilobytes</kbd></dt>
3058<dd><p>Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
3059The default is 4 kilobytes.
3060</p></dd>
3061</dl>
3062</dd>
3063<dt><code>nonvolatile</code> <kbd>threshold</kbd></dt>
3064<dd><p>Specify the
3065<kbd>threshold</kbd>
3066delta in seconds before an hourly change to the
3067<code>driftfile</code>
3068(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
3069The frequency file is inspected each hour.
3070If the difference between the current frequency and the last value written
3071exceeds the threshold, the file is written and the
3072<code>threshold</code>
3073becomes the new threshold value.
3074If the threshold is not exceeeded, it is reduced by half.
3075This is intended to reduce the number of file writes
3076for embedded systems with nonvolatile memory.
3077</p></dd>
3078<dt><code>phone</code> <kbd>dial</kbd> <kbd>...</kbd></dt>
3079<dd><p>This command is used in conjunction with
3080the ACTS modem driver (type 18)
3081or the JJY driver (type 40, mode 100 - 180).
3082For the ACTS modem driver (type 18), the arguments consist of
3083a maximum of 10 telephone numbers used to dial USNO, NIST, or European
3084time service.
3085For the JJY driver (type 40 mode 100 - 180), the argument is
3086one telephone number used to dial the telephone JJY service.
3087The Hayes command ATDT is normally prepended to the number.
3088The number can contain other modem control codes as well.
3089</p></dd>
3090<dt><code>pollskewlist</code> <code>[<kbd>poll</kbd> <kbd>value</kbd> | <kbd>value</kbd>]</code> <kbd>...</kbd> <code>[<code>default</code> <kbd>value</kbd> | <kbd>value</kbd>]</code></dt>
3091<dd><p>Enable skewing of our poll requests to our servers.
3092<kbd>poll</kbd>
3093is a number between 3 and 17 inclusive, identifying a specific poll interval.
3094A poll interval is 2^n seconds in duration,
3095so a poll value of 3 corresponds to 8 seconds
3096and
3097a poll interval of 17 corresponds to
3098131,072 seconds, or about a day and a half.
3099The next two numbers must be between 0 and one-half of the poll interval,
3100inclusive.
3101The first number specifies how early the poll may start,
3102while
3103the second number specifies how late the poll may be delayed.
3104With no arguments, internally specified default values are chosen.
3105</p></dd>
3106<dt><code>reset</code> <code>[<code>allpeers</code>]</code> <code>[<code>auth</code>]</code> <code>[<code>ctl</code>]</code> <code>[<code>io</code>]</code> <code>[<code>mem</code>]</code> <code>[<code>sys</code>]</code> <code>[<code>timer</code>]</code></dt>
3107<dd><p>Reset one or more groups of counters maintained by
3108<code>ntpd</code>
3109and exposed by
3110<code>ntpq</code>
3111and
3112<code>ntpdc</code>.
3113</p></dd>
3114<dt><code>rlimit</code> <code>[<code>memlock</code> <kbd>Nmegabytes</kbd> | <code>stacksize</code> <kbd>N4kPages</kbd> <code>filenum</code> <kbd>Nfiledescriptors</kbd>]</code></dt>
3115<dd><dl compact="compact">
3116<dt><code>memlock</code> <kbd>Nmegabytes</kbd></dt>
3117<dd><p>Specify the number of megabytes of memory that should be
3118allocated and locked.
3119Probably only available under Linux, this option may be useful
3120when dropping root (the
3121<code>-i</code>
3122option).
3123The default is 32 megabytes on non-Linux machines, and -1 under Linux.
3124-1 means &quot;do not lock the process into memory&quot;.
31250 means &quot;lock whatever memory the process wants into memory&quot;.
3126</p></dd>
3127<dt><code>stacksize</code> <kbd>N4kPages</kbd></dt>
3128<dd><p>Specifies the maximum size of the process stack on systems with the
3129<code>mlockall()</code>
3130function.
3131Defaults to 50 4k pages (200 4k pages in OpenBSD).
3132</p></dd>
3133<dt><code>filenum</code> <kbd>Nfiledescriptors</kbd></dt>
3134<dd><p>Specifies the maximum number of file descriptors ntpd may have open at once.
3135Defaults to the system default.
3136</p></dd>
3137</dl>
3138</dd>
3139<dt><code>saveconfigdir</code> <kbd>directory_path</kbd></dt>
3140<dd><p>Specify the directory in which to write configuration snapshots
3141requested with
3142.Cm ntpq &rsquo;s
3143<code>saveconfig</code>
3144command.
3145If
3146<code>saveconfigdir</code>
3147does not appear in the configuration file,
3148<code>saveconfig</code>
3149requests are rejected by
3150<code>ntpd</code>.
3151</p></dd>
3152<dt><code>saveconfig</code> <kbd>filename</kbd></dt>
3153<dd><p>Write the current configuration, including any runtime
3154modifications given with
3155<code>:config</code>
3156or
3157<code>config-from-file</code>
3158to the
3159<code>ntpd</code>
3160host&rsquo;s
3161<kbd>filename</kbd>
3162in the
3163<code>saveconfigdir</code>.
3164This command will be rejected unless the
3165<code>saveconfigdir</code>
3166directive appears in
3167.Cm ntpd &rsquo;s
3168configuration file.
3169<kbd>filename</kbd>
3170can use
3171<code>strftime(3)</code>
3172format directives to substitute the current date and time,
3173for example,
3174<code>saveconfig\ ntp-%Y%m%d-%H%M%S.conf</code>.
3175The filename used is stored in the system variable
3176<code>savedconfig</code>.
3177Authentication is required.
3178</p></dd>
3179<dt><code>setvar</code> <kbd>variable</kbd> <code>[<code>default</code>]</code></dt>
3180<dd><p>This command adds an additional system variable.
3181These
3182variables can be used to distribute additional information such as
3183the access policy.
3184If the variable of the form
3185<code>name</code><code>=</code><kbd>value</kbd>
3186is followed by the
3187<code>default</code>
3188keyword, the
3189variable will be listed as part of the default system variables
3190(<code>rv</code> command)).
3191These additional variables serve
3192informational purposes only.
3193They are not related to the protocol
3194other that they can be listed.
3195The known protocol variables will
3196always override any variables defined via the
3197<code>setvar</code>
3198mechanism.
3199There are three special variables that contain the names
3200of all variable of the same group.
3201The
3202<code>sys_var_list</code>
3203holds
3204the names of all system variables.
3205The
3206<code>peer_var_list</code>
3207holds
3208the names of all peer variables and the
3209<code>clock_var_list</code>
3210holds the names of the reference clock variables.
3211</p></dd>
3212<dt><code>sysinfo</code></dt>
3213<dd><p>Display operational summary.
3214</p></dd>
3215<dt><code>sysstats</code></dt>
3216<dd><p>Show statistics counters maintained in the protocol module.
3217</p></dd>
3218<dt><code>tinker</code> <code>[<code>allan</code> <kbd>allan</kbd> | <code>dispersion</code> <kbd>dispersion</kbd> | <code>freq</code> <kbd>freq</kbd> | <code>huffpuff</code> <kbd>huffpuff</kbd> | <code>panic</code> <kbd>panic</kbd> | <code>step</code> <kbd>step</kbd> | <code>stepback</code> <kbd>stepback</kbd> | <code>stepfwd</code> <kbd>stepfwd</kbd> | <code>stepout</code> <kbd>stepout</kbd>]</code></dt>
3219<dd><p>This command can be used to alter several system variables in
3220very exceptional circumstances.
3221It should occur in the
3222configuration file before any other configuration options.
3223The
3224default values of these variables have been carefully optimized for
3225a wide range of network speeds and reliability expectations.
3226In
3227general, they interact in intricate ways that are hard to predict
3228and some combinations can result in some very nasty behavior.
3229Very
3230rarely is it necessary to change the default values; but, some
3231folks cannot resist twisting the knobs anyway and this command is
3232for them.
3233Emphasis added: twisters are on their own and can expect
3234no help from the support group.
3235</p>
3236<p>The variables operate as follows:
3237</p><dl compact="compact">
3238<dt><code>allan</code> <kbd>allan</kbd></dt>
3239<dd><p>The argument becomes the new value for the minimum Allan
3240intercept, which is a parameter of the PLL/FLL clock discipline
3241algorithm.
3242The value in log2 seconds defaults to 7 (1024 s), which is also the lower
3243limit.
3244</p></dd>
3245<dt><code>dispersion</code> <kbd>dispersion</kbd></dt>
3246<dd><p>The argument becomes the new value for the dispersion increase rate,
3247normally .000015 s/s.
3248</p></dd>
3249<dt><code>freq</code> <kbd>freq</kbd></dt>
3250<dd><p>The argument becomes the initial value of the frequency offset in
3251parts-per-million.
3252This overrides the value in the frequency file, if
3253present, and avoids the initial training state if it is not.
3254</p></dd>
3255<dt><code>huffpuff</code> <kbd>huffpuff</kbd></dt>
3256<dd><p>The argument becomes the new value for the experimental
3257huff-n&rsquo;-puff filter span, which determines the most recent interval
3258the algorithm will search for a minimum delay.
3259The lower limit is
3260900 s (15 m), but a more reasonable value is 7200 (2 hours).
3261There
3262is no default, since the filter is not enabled unless this command
3263is given.
3264</p></dd>
3265<dt><code>panic</code> <kbd>panic</kbd></dt>
3266<dd><p>The argument is the panic threshold, normally 1000 s.
3267If set to zero,
3268the panic sanity check is disabled and a clock offset of any value will
3269be accepted.
3270</p></dd>
3271<dt><code>step</code> <kbd>step</kbd></dt>
3272<dd><p>The argument is the step threshold, which by default is 0.128 s.
3273It can
3274be set to any positive number in seconds.
3275If set to zero, step
3276adjustments will never occur.
3277Note: The kernel time discipline is
3278disabled if the step threshold is set to zero or greater than the
3279default.
3280</p></dd>
3281<dt><code>stepback</code> <kbd>stepback</kbd></dt>
3282<dd><p>The argument is the step threshold for the backward direction,
3283which by default is 0.128 s.
3284It can
3285be set to any positive number in seconds.
3286If both the forward and backward step thresholds are set to zero, step
3287adjustments will never occur.
3288Note: The kernel time discipline is
3289disabled if
3290each direction of step threshold are either
3291set to zero or greater than .5 second.
3292</p></dd>
3293<dt><code>stepfwd</code> <kbd>stepfwd</kbd></dt>
3294<dd><p>As for stepback, but for the forward direction.
3295</p></dd>
3296<dt><code>stepout</code> <kbd>stepout</kbd></dt>
3297<dd><p>The argument is the stepout timeout, which by default is 900 s.
3298It can
3299be set to any positive number in seconds.
3300If set to zero, the stepout
3301pulses will not be suppressed.
3302</p></dd>
3303</dl>
3304</dd>
3305<dt><code>writevar</code> <kbd>assocID\ name</kbd> <kbd>=</kbd> <kbd>value</kbd> <kbd>[,...]</kbd></dt>
3306<dd><p>Write (create or update) the specified variables.
3307If the
3308<code>assocID</code>
3309is zero, the variablea re from the
3310system variables
3311name space, otherwise they are from the
3312peer variables
3313name space.
3314The
3315<code>assocID</code>
3316is required, as the same name can occur in both name spaces.
3317</p></dd>
3318<dt><code>trap</code> <kbd>host_address</kbd> <code>[<code>port</code> <kbd>port_number</kbd>]</code> <code>[<code>interface</code> <kbd>interface_address</kbd>]</code></dt>
3319<dd><p>This command configures a trap receiver at the given host
3320address and port number for sending messages with the specified
3321local interface address.
3322If the port number is unspecified, a value
3323of 18447 is used.
3324If the interface address is not specified, the
3325message is sent with a source address of the local interface the
3326message is sent through.
3327Note that on a multihomed host the
3328interface used may vary from time to time with routing changes.
3329</p></dd>
3330<dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd></dt>
3331<dd><p>This command specifies a list of TTL values in increasing order.
3332Up to 8 values can be specified.
3333In
3334<code>manycast</code>
3335mode these values are used in-turn in an expanding-ring search.
3336The default is eight multiples of 32 starting at 31.
3337</p>
3338<p>The trap receiver will generally log event messages and other
3339information from the server in a log file.
3340While such monitor
3341programs may also request their own trap dynamically, configuring a
3342trap receiver will ensure that no messages are lost when the server
3343is started.
3344</p></dd>
3345<dt><code>hop</code> <kbd>...</kbd></dt>
3346<dd><p>This command specifies a list of TTL values in increasing order, up to 8
3347values can be specified.
3348In manycast mode these values are used in turn in
3349an expanding-ring search.
3350The default is eight multiples of 32 starting at
335131.
3352</p></dd>
3353</dl>
3354
3355<p>This section was generated by <strong>AutoGen</strong>,
3356using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp.conf</code> program.
3357This software is released under the NTP license, &lt;http://ntp.org/license&gt;.
3358</p>
3359<table class="menu" border="0" cellspacing="0">
3360<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Files" accesskey="1">ntp.conf Files</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Files
3361</td></tr>
3362<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-See-Also" accesskey="2">ntp.conf See Also</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">See Also
3363</td></tr>
3364<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Bugs" accesskey="3">ntp.conf Bugs</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Bugs
3365</td></tr>
3366<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Notes" accesskey="4">ntp.conf Notes</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Notes
3367</td></tr>
3368</table>
3369
3370<hr>
3371<a name="ntp_002econf-Files"></a>
3372<div class="header">
3373<p>
3374Next: <a href="#ntp_002econf-See-Also" accesskey="n" rel="next">ntp.conf See Also</a>, Previous: <a href="#Miscellaneous-Options" accesskey="p" rel="prev">Miscellaneous Options</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
3375</div>
3376<a name="ntp_002econf-Files-1"></a>
3377<h4 class="subsection">1.1.8 ntp.conf Files</h4>
3378<dl compact="compact">
3379<dt><samp>/etc/ntp.conf</samp></dt>
3380<dd><p>the default name of the configuration file
3381</p></dd>
3382<dt><samp>ntp.keys</samp></dt>
3383<dd><p>private MD5 keys
3384</p></dd>
3385<dt><samp>ntpkey</samp></dt>
3386<dd><p>RSA private key
3387</p></dd>
3388<dt><samp>ntpkey_</samp><kbd>host</kbd></dt>
3389<dd><p>RSA public key
3390</p></dd>
3391<dt><samp>ntp_dh</samp></dt>
3392<dd><p>Diffie-Hellman agreement parameters
3393</p></dd>
3394</dl>
3395<hr>
3396<a name="ntp_002econf-See-Also"></a>
3397<div class="header">
3398<p>
3399Next: <a href="#ntp_002econf-Bugs" accesskey="n" rel="next">ntp.conf Bugs</a>, Previous: <a href="#ntp_002econf-Files" accesskey="p" rel="prev">ntp.conf Files</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
3400</div>
3401<a name="ntp_002econf-See-Also-1"></a>
3402<h4 class="subsection">1.1.9 ntp.conf See Also</h4>
3403<p><code>ntpd(1ntpdmdoc)</code>,
3404<code>ntpdc(1ntpdcmdoc)</code>,
3405<code>ntpq(1ntpqmdoc)</code>
3406</p>
3407<p>In addition to the manual pages provided,
3408comprehensive documentation is available on the world wide web
3409at
3410<code>http://www.ntp.org/</code>.
3411A snapshot of this documentation is available in HTML format in
3412<samp>/usr/share/doc/ntp</samp>.
3413<br>
3414</p>
3415<br>
3416<p>David L. Mills, <em>Network Time Protocol (Version 4)</em>, RFC5905
3417</p><hr>
3418<a name="ntp_002econf-Bugs"></a>
3419<div class="header">
3420<p>
3421Previous: <a href="#ntp_002econf-See-Also" accesskey="p" rel="prev">ntp.conf See Also</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
3422</div>
3423<a name="ntp_002econf-Bugs-1"></a>
3424<h4 class="subsection">1.1.10 ntp.conf Bugs</h4>
3425<p>The syntax checking is not picky; some combinations of
3426ridiculous and even hilarious options and modes may not be
3427detected.
3428</p>
3429<p>The
3430<samp>ntpkey_</samp><kbd>host</kbd>
3431files are really digital
3432certificates.
3433These should be obtained via secure directory
3434services when they become universally available.
3435</p><hr>
3436<div class="header">
3437<p>
3438 &nbsp; </p>
3439</div>
3440<a name="ntp_002econf-Notes-1"></a>
3441<h4 class="subsection">1.1.11 ntp.conf Notes</h4>
3442<p>This document was derived from FreeBSD.
3443</p><hr>
3444
3445
3446
3447</body>
3448</html>
3449