xref: /freebsd/contrib/ntp/ntpd/ntp.conf.html (revision f5f40dd63bc7acbb5312b26ac1ea1103c12352a6)
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.6, http://www.gnu.org/software/texinfo/ -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>NTP Configuration File User&rsquo;s Manual</title>

<meta name="description" content="NTP Configuration File User&rsquo;s Manual">
<meta name="keywords" content="NTP Configuration File User&rsquo;s Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<link href="#Top" rel="start" title="Top">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>


</head>

<body lang="en">
<h1 class="settitle" align="center">NTP Configuration File User&rsquo;s Manual</h1>


<span id="Top"></span><div class="header">
<p>
Next: <a href="#ntp_002econf-Description" accesskey="n" rel="next">ntp.conf Description</a>, Previous: <a href="dir.html#Top" accesskey="p" rel="prev">(dir)</a>, Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; </p>
</div>
<span id="NTP_0027s-Configuration-File-User-Manual"></span><h1 class="top">NTP&rsquo;s Configuration File User Manual</h1>

<p>This document describes the configuration file for the NTP Project&rsquo;s
<code>ntpd</code> program.
</p>
<p>This document applies to version 4.2.8p18 of <code>ntp.conf</code>.
</p>
<span id="SEC_Overview"></span>
<h2 class="shortcontents-heading">Short Table of Contents</h2>

<div class="shortcontents">
<ul class="no-bullet">
<li><a id="stoc-Description" href="#toc-Description">1 Description</a></li>
</ul>
</div>


<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Description" accesskey="1">ntp.conf Description</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Notes" accesskey="2">ntp.conf Notes</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
</table>

<hr>
<span id="ntp_002econf-Description"></span><div class="header">
<p>
Previous: <a href="#Top" accesskey="p" rel="prev">Top</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; </p>
</div>
<span id="Description"></span><h2 class="chapter">1 Description</h2>

<p>The behavior of <code>ntpd</code> can be changed by a configuration file,
by default <code>ntp.conf</code>.
</p>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Notes" accesskey="1">Notes about ntp.conf</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
</table>

<hr>
<span id="ntp_002econf-Notes"></span><div class="header">
<p>
Previous: <a href="#ntp_002econf-Bugs" accesskey="p" rel="prev">ntp.conf Bugs</a>, Up: <a href="#ntp_002econf-Description" accesskey="u" rel="up">ntp.conf Description</a> &nbsp; </p>
</div>
<span id="Notes-about-ntp_002econf"></span><h3 class="section">1.1 Notes about ntp.conf</h3>
<span id="index-ntp_002econf"></span>
<span id="index-Network-Time-Protocol-_0028NTP_0029-daemon-configuration-file-format"></span>


<p>The
<code>ntp.conf</code>
configuration file is read at initial startup by the
<code>ntpd(1ntpdmdoc)</code>
daemon in order to specify the synchronization sources,
modes and other related information.
Usually, it is installed in the
<samp>/etc</samp>
directory,
but could be installed elsewhere
(see the daemon&rsquo;s
<code>-c</code>
command line option).
</p>
<p>The file format is similar to other
<small>UNIX</small>
configuration files.
Comments begin with a
&lsquo;#&rsquo;
character and extend to the end of the line;
blank lines are ignored.
Configuration commands consist of an initial keyword
followed by a list of arguments,
some of which may be optional, separated by whitespace.
Commands may not be continued over multiple lines.
Arguments may be host names,
host addresses written in numeric, dotted-quad form
(or, for IPv6, colon-separated hexadecimal form),
integers, floating point numbers (when specifying times in seconds)
and text strings.
</p>
<p>The rest of this page describes the configuration and control options.
The
&quot;Notes on Configuring NTP and Setting up an NTP Subnet&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>)
contains an extended discussion of these options.
In addition to the discussion of general
&lsquo;Configuration Options&rsquo;,
there are sections describing the following supported functionality
and the options used to control it:
</p><ul>
<li> <a href="#Authentication-Support">Authentication Support</a>
</li><li> <a href="#Monitoring-Support">Monitoring Support</a>
</li><li> <a href="#Access-Control-Support">Access Control Support</a>
</li><li> <a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a>
</li><li> <a href="#Reference-Clock-Support">Reference Clock Support</a>
</li><li> <a href="#Miscellaneous-Options">Miscellaneous Options</a>
</li></ul>

<p>While there is a rich set of options available,
the only required option is one or more
<code>pool</code>,
<code>server</code>,
<code>peer</code>,
<code>broadcast</code>
or
<code>manycastclient</code>
commands.
</p><table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#Configuration-Support" accesskey="1">Configuration Support</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Authentication-Support" accesskey="2">Authentication Support</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Monitoring-Support" accesskey="3">Monitoring Support</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Access-Control-Support" accesskey="4">Access Control Support</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Automatic-NTP-Configuration-Options" accesskey="5">Automatic NTP Configuration Options</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Reference-Clock-Support" accesskey="6">Reference Clock Support</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Miscellaneous-Options" accesskey="7">Miscellaneous Options</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Files" accesskey="8">ntp.conf Files</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-See-Also" accesskey="9">ntp.conf See Also</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ntp_002econf-Bugs">ntp.conf Bugs</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; ntp.conf Notes</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
</table>

<hr>
<span id="Configuration-Support"></span><div class="header">
<p>
Next: <a href="#Authentication-Support" accesskey="n" rel="next">Authentication Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
</div>
<span id="Configuration-Support-1"></span><h4 class="subsection">1.1.1 Configuration Support</h4>
<p>Following is a description of the configuration commands in
NTPv4.
These commands have the same basic functions as in NTPv3 and
in some cases new functions and new arguments.
There are two classes of commands:
configuration commands, which configure a
persistent association with a remote server, peer or reference
clock, and auxiliary commands, which specify environmental variables
that control various related operations.
</p><span id="Configuration-Commands"></span><h4 class="subsubsection">1.1.1.1 Configuration Commands</h4>
<p>The various modes are determined by the command keyword and the
type of the required IP address.
Addresses are classed by type as
(s) a remote server or peer (IPv4 class A, B and C), (b) the
broadcast address of a local interface, (m) a multicast address (IPv4
class D), or (r) a reference clock address (127.127.x.x).
Note that
only those options applicable to each command are listed below.
Use
of options not listed may not be caught as an error, but may result
in some weird and even destructive behavior.
</p>
<p>If the Basic Socket Interface Extensions for IPv6 (RFC-2553)
is detected, support for the IPv6 address family is generated
in addition to the default support of the IPv4 address family.
In a few cases, including the
<code>reslist</code>
billboard generated
by
<code>ntpq(1ntpqmdoc)</code>
or
<code>ntpdc(1ntpdcmdoc)</code>,
IPv6 addresses are automatically generated.
IPv6 addresses can be identified by the presence of colons
&ldquo;:&rdquo;
in the address field.
IPv6 addresses can be used almost everywhere where
IPv4 addresses can be used,
with the exception of reference clock addresses,
which are always IPv4.
</p>
<p>Note that in contexts where a host name is expected, a
<code>-4</code>
qualifier preceding
the host name forces DNS resolution to the IPv4 namespace,
while a
<code>-6</code>
qualifier forces DNS resolution to the IPv6 namespace.
See IPv6 references for the
equivalent classes for that address family.
</p><dl compact="compact">
<dt><code>pool</code> <kbd>address</kbd> <code>[<code>burst</code>]</code> <code>[<code>iburst</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>xmtnonce</code>]</code></dt>
<dt><code>server</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>burst</code>]</code> <code>[<code>iburst</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>true</code>]</code> <code>[<code>xmtnonce</code>]</code></dt>
<dt><code>peer</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>true</code>]</code> <code>[<code>xleave</code>]</code></dt>
<dt><code>broadcast</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>ttl</code> <kbd>ttl</kbd>]</code> <code>[<code>xleave</code>]</code></dt>
<dt><code>manycastclient</code> <kbd>address</kbd> <code>[<code>key</code> <kbd>key</kbd> <kbd>|</kbd> <code>autokey</code>]</code> <code>[<code>version</code> <kbd>version</kbd>]</code> <code>[<code>prefer</code>]</code> <code>[<code>minpoll</code> <kbd>minpoll</kbd>]</code> <code>[<code>maxpoll</code> <kbd>maxpoll</kbd>]</code> <code>[<code>ttl</code> <kbd>ttl</kbd>]</code></dt>
</dl>

<p>These five commands specify the time server name or address to
be used and the mode in which to operate.
The
<kbd>address</kbd>
can be
either a DNS name or an IP address in dotted-quad (IPv4)
or colon-separated (IPv6) notation.
Additional information on association behavior can be found in the
&quot;Association Management&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
</p><dl compact="compact">
<dt><code>pool</code></dt>
<dd><p>For type s addresses, this command mobilizes a persistent
client mode association with a number of remote servers.
In this mode the local clock can be synchronized to the
remote servers, but the remote servers can never be synchronized to
the local clock.
</p></dd>
<dt><code>server</code></dt>
<dd><p>For type s and r addresses, this command mobilizes a persistent
client mode association with the specified remote server or local
radio clock.
In this mode the local clock can be synchronized to the
remote server, but the remote server can never be synchronized to
the local clock.
This command should
<em>not</em>
be used for type
b or m addresses.
</p></dd>
<dt><code>peer</code></dt>
<dd><p>For type s addresses (only), this command mobilizes a
persistent symmetric-active mode association with the specified
remote peer.
In this mode the local clock can be synchronized to
the remote peer or the remote peer can be synchronized to the local
clock.
This is useful in a network of servers where, depending on
various failure scenarios, either the local or remote peer may be
the better source of time.
This command should NOT be used for type
b, m or r addresses.
</p></dd>
<dt><code>broadcast</code></dt>
<dd><p>For type b and m addresses (only), this
command mobilizes a persistent broadcast mode association.
Multiple
commands can be used to specify multiple local broadcast interfaces
(subnets) and/or multiple multicast groups.
Note that local
broadcast messages go only to the interface associated with the
subnet specified, but multicast messages go to all interfaces.
In broadcast mode the local server sends periodic broadcast
messages to a client population at the
<kbd>address</kbd>
specified, which is usually the broadcast address on (one of) the
local network(s) or a multicast address assigned to NTP.
The IANA
has assigned the multicast group address IPv4 224.0.1.1 and
IPv6 ff05::101 (site local) exclusively to
NTP, but other nonconflicting addresses can be used to contain the
messages within administrative boundaries.
Ordinarily, this
specification applies only to the local server operating as a
sender; for operation as a broadcast client, see the
<code>broadcastclient</code>
or
<code>multicastclient</code>
commands
below.
</p></dd>
<dt><code>manycastclient</code></dt>
<dd><p>For type m addresses (only), this command mobilizes a
manycast client mode association for the multicast address
specified.
In this case a specific address must be supplied which
matches the address used on the
<code>manycastserver</code>
command for
the designated manycast servers.
The NTP multicast address
224.0.1.1 assigned by the IANA should NOT be used, unless specific
means are taken to avoid spraying large areas of the Internet with
these messages and causing a possibly massive implosion of replies
at the sender.
The
<code>manycastserver</code>
command specifies that the local server
is to operate in client mode with the remote servers that are
discovered as the result of broadcast/multicast messages.
The
client broadcasts a request message to the group address associated
with the specified
<kbd>address</kbd>
and specifically enabled
servers respond to these messages.
The client selects the servers
providing the best time and continues as with the
<code>server</code>
command.
The remaining servers are discarded as if never
heard.
</p></dd>
</dl>
355
356<p>Options:
357</p><dl compact="compact">
358<dt><code>autokey</code></dt>
359<dd><p>All packets sent to and received from the server or peer are to
360include authentication fields encrypted using the autokey scheme
361described in
362&lsquo;Authentication Options&rsquo;.
363</p></dd>
364<dt><code>burst</code></dt>
365<dd><p>when the server is reachable, send a burst of six packets
366instead of the usual one. The packet spacing is 2 s.
367This is designed to improve timekeeping quality with the
368<code>server</code>
369command and s addresses.
370</p></dd>
371<dt><code>iburst</code></dt>
372<dd><p>When the server is unreachable, send a burst of eight packets
373instead of the usual one.
374The packet spacing is 2 s.
375This is designed to speed the initial synchronization
376acquisition with the
377<code>server</code>
378command and s addresses and when
379<code>ntpd(1ntpdmdoc)</code>
380is started with the
381<code>-q</code>
382option.
383</p></dd>
384<dt><code>key</code> <kbd>key</kbd></dt>
385<dd><p>All packets sent to and received from the server or peer are to
386include authentication fields encrypted using the specified
387<kbd>key</kbd>
388identifier with values from 1 to 65535, inclusive.
389The
390default is to include no encryption field.
391</p></dd>
392<dt><code>minpoll</code> <kbd>minpoll</kbd></dt>
393<dt><code>maxpoll</code> <kbd>maxpoll</kbd></dt>
394<dd><p>These options specify the minimum and maximum poll intervals
395for NTP messages, as a power of 2 in seconds
396The maximum poll
397interval defaults to 10 (1,024 s), but can be increased by the
398<code>maxpoll</code>
399option to an upper limit of 17 (36.4 h).
400The
401minimum poll interval defaults to 6 (64 s), but can be decreased by
402the
403<code>minpoll</code>
404option to a lower limit of 4 (16 s).
405</p></dd>
406<dt><code>noselect</code></dt>
407<dd><p>Marks the server as unused, except for display purposes.
408The server is discarded by the selection algroithm.
409</p></dd>
410<dt><code>preempt</code></dt>
411<dd><p>Says the association can be preempted.
412</p></dd>
413<dt><code>prefer</code></dt>
414<dd><p>Marks the server as preferred.
415All other things being equal,
416this host will be chosen for synchronization among a set of
417correctly operating hosts.
418See the
419&quot;Mitigation Rules and the prefer Keyword&quot;
420page
421(available as part of the HTML documentation
422provided in
423<samp>/usr/share/doc/ntp</samp>)
424for further information.
425</p></dd>
426<dt><code>true</code></dt>
427<dd><p>Marks the server as a truechimer,
428forcing the association to always survive the selection and clustering algorithms.
429This option should almost certainly
430<em>only</em>
431be used while testing an association.
432</p></dd>
433<dt><code>ttl</code> <kbd>ttl</kbd></dt>
434<dd><p>This option is used only with broadcast server and manycast
435client modes.
436It specifies the time-to-live
437<kbd>ttl</kbd>
438to
439use on broadcast server and multicast server and the maximum
440<kbd>ttl</kbd>
441for the expanding ring search with manycast
442client packets.
443Selection of the proper value, which defaults to
444127, is something of a black art and should be coordinated with the
445network administrator.
446</p></dd>
447<dt><code>version</code> <kbd>version</kbd></dt>
448<dd><p>Specifies the version number to be used for outgoing NTP
449packets.
450Versions 1-4 are the choices, with version 4 the
451default.
452</p></dd>
453<dt><code>xleave</code></dt>
454<dd><p>Valid in
455<code>peer</code>
456and
457<code>broadcast</code>
458modes only, this flag enables interleave mode.
459</p></dd>
460<dt><code>xmtnonce</code></dt>
461<dd><p>Valid only for
462<code>server</code>
463and
464<code>pool</code>
465modes, this flag puts a random number in the packet&rsquo;s transmit timestamp.
466</p>
467</dd>
468</dl>
469<span id="Auxiliary-Commands"></span><h4 class="subsubsection">1.1.1.2 Auxiliary Commands</h4>
470<dl compact="compact">
471<dt><code>broadcastclient</code></dt>
472<dd><p>This command enables reception of broadcast server messages to
473any local interface (type b) address.
474Upon receiving a message for
475the first time, the broadcast client measures the nominal server
476propagation delay using a brief client/server exchange with the
477server, then enters the broadcast client mode, in which it
478synchronizes to succeeding broadcast messages.
479Note that, in order
480to avoid accidental or malicious disruption in this mode, both the
481server and client should operate using symmetric-key or public-key
482authentication as described in
483&lsquo;Authentication Options&rsquo;.
484</p></dd>
485<dt><code>manycastserver</code> <kbd>address</kbd> <kbd>...</kbd></dt>
486<dd><p>This command enables reception of manycast client messages to
487the multicast group address(es) (type m) specified.
488At least one
489address is required, but the NTP multicast address 224.0.1.1
490assigned by the IANA should NOT be used, unless specific means are
491taken to limit the span of the reply and avoid a possibly massive
492implosion at the original sender.
493Note that, in order to avoid
494accidental or malicious disruption in this mode, both the server
495and client should operate using symmetric-key or public-key
496authentication as described in
497&lsquo;Authentication Options&rsquo;.
498</p></dd>
499<dt><code>multicastclient</code> <kbd>address</kbd> <kbd>...</kbd></dt>
500<dd><p>This command enables reception of multicast server messages to
501the multicast group address(es) (type m) specified.
502Upon receiving
503a message for the first time, the multicast client measures the
504nominal server propagation delay using a brief client/server
505exchange with the server, then enters the broadcast client mode, in
506which it synchronizes to succeeding multicast messages.
507Note that,
508in order to avoid accidental or malicious disruption in this mode,
509both the server and client should operate using symmetric-key or
510public-key authentication as described in
511&lsquo;Authentication Options&rsquo;.
512</p></dd>
513<dt><code>mdnstries</code> <kbd>number</kbd></dt>
514<dd><p>If we are participating in mDNS,
515after we have synched for the first time
516we attempt to register with the mDNS system.
517If that registration attempt fails,
518we try again at one minute intervals for up to
519<code>mdnstries</code>
520times.
521After all,
522<code>ntpd</code>
523may be starting before mDNS.
524The default value for
525<code>mdnstries</code>
526is 5.
527</p></dd>
528</dl>
<hr>
<span id="Authentication-Support"></span><div class="header">
<p>
Next: <a href="#Monitoring-Support" accesskey="n" rel="next">Monitoring Support</a>, Previous: <a href="#Configuration-Support" accesskey="p" rel="prev">Configuration Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
</div>
<span id="Authentication-Support-1"></span><h4 class="subsection">1.1.2 Authentication Support</h4>
<p>Authentication support allows the NTP client to verify that the
server is in fact known and trusted and not an intruder intending
accidentally or on purpose to masquerade as that server.
The NTPv3
specification RFC-1305 defines a scheme which provides
cryptographic authentication of received NTP packets.
Originally,
this was done using the Data Encryption Standard (DES) algorithm
operating in Cipher Block Chaining (CBC) mode, commonly called
DES-CBC.
Subsequently, this was replaced by the RSA Message Digest
5 (MD5) algorithm using a private key, commonly called keyed-MD5.
Either algorithm computes a message digest, or one-way hash, which
can be used to verify the server has the correct private key and
key identifier.
Current versions of
<code>ntpd</code>
also accept SHA-1 and the other digest algorithms provided by OpenSSL
for symmetric keys; the digest type is given per key in the key file.
</p>
<p>NTPv4 retains the NTPv3 scheme, properly described as symmetric key
cryptography and, in addition, provides a new Autokey scheme
based on public key cryptography.
The attraction of public key cryptography here is that the security rests
on a private value which is generated by each server and
never revealed.
With Autokey all key distribution and
management functions involve only public values, which
considerably simplifies key distribution and storage.
This convenience should not be mistaken for greater strength:
the Autokey protocol has published cryptographic weaknesses,
and a well-managed symmetric key deployment remains the conservative choice.
Public key management is based on X.509 certificates,
which can be provided by commercial services or
produced by utility programs in the OpenSSL software library
or the NTPv4 distribution.
</p>
<p>While the algorithms for symmetric key cryptography are
included in the NTPv4 distribution, public key cryptography
requires the OpenSSL software library to be installed
before building the NTP distribution.
Directions for doing that
are on the Building and Installing the Distribution page.
</p>
<p>Authentication is configured separately for each association
using the
<code>key</code>
or
<code>autokey</code>
subcommand on the
<code>peer</code>,
<code>server</code>,
<code>broadcast</code>
and
<code>manycastclient</code>
configuration commands as described in the
&lsquo;Configuration Options&rsquo;
page.
The authentication
options described below specify the locations of the key files,
if other than default, which symmetric keys are trusted
and the interval between various operations, if other than default.
</p>
<p>Authentication is always enabled,
although ineffective if not configured as
described below.
If an NTP packet arrives
including a message authentication
code (MAC), it is accepted only if it
passes all cryptographic checks.
The
checks require correct key ID, key value
and message digest.
If the packet has
been modified in any way,
it will fail one or more
of these checks and be discarded.
A packet replayed unchanged by an intruder carries a valid MAC;
it is rejected instead by the protocol&rsquo;s duplicate and
origin-timestamp checks, since its origin timestamp no longer
matches the transmit timestamp of the client&rsquo;s latest request.
Furthermore, the Autokey scheme requires a
preliminary protocol exchange to obtain
the server certificate, verify its
credentials and initialize the protocol.
</p>
610</p>
611<p>The
612<code>auth</code>
613flag controls whether new associations or
614remote configuration commands require cryptographic authentication.
615This flag can be set or reset by the
616<code>enable</code>
617and
618<code>disable</code>
619commands and also by remote
620configuration commands sent by a
621<code>ntpdc(1ntpdcmdoc)</code>
622program running on
623another machine.
624If this flag is enabled, which is the default
625case, new broadcast client and symmetric passive associations and
626remote configuration commands must be cryptographically
627authenticated using either symmetric key or public key cryptography.
628If this
629flag is disabled, these operations are effective
630even if not cryptographic
631authenticated.
632It should be understood
633that operating with the
634<code>auth</code>
635flag disabled invites a significant vulnerability
636where a rogue hacker can
637masquerade as a falseticker and seriously
638disrupt system timekeeping.
639It is
640important to note that this flag has no purpose
641other than to allow or disallow
642a new association in response to new broadcast
643and symmetric active messages
644and remote configuration commands and, in particular,
645the flag has no effect on
646the authentication process itself.
647</p>
648<p>An attractive alternative where multicast support is available
649is manycast mode, in which clients periodically troll
650for servers as described in the
651<a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a>
652page.
653Either symmetric key or public key
654cryptographic authentication can be used in this mode.
655The principle advantage
656of manycast mode is that potential servers need not be
657configured in advance,
658since the client finds them during regular operation,
659and the configuration
660files for all clients can be identical.
661</p>
662<p>The security model and protocol schemes for
663both symmetric key and public key
664cryptography are summarized below;
665further details are in the briefings, papers
666and reports at the NTP project page linked from
667<code>http://www.ntp.org/</code>.
668</p><span id="Symmetric_002dKey-Cryptography"></span><h4 class="subsubsection">1.1.2.1 Symmetric-Key Cryptography</h4>
669<p>The original RFC-1305 specification allows any one of possibly
67065,535 keys, each distinguished by a 32-bit key identifier, to
671authenticate an association.
672The servers and clients involved must
673agree on the key and key identifier to
674authenticate NTP packets.
675Keys and
676related information are specified in a key
677file, usually called
678<samp>ntp.keys</samp>,
679which must be distributed and stored using
680secure means beyond the scope of the NTP protocol itself.
681Besides the keys used
682for ordinary NTP associations,
683additional keys can be used as passwords for the
684<code>ntpq(1ntpqmdoc)</code>
685and
686<code>ntpdc(1ntpdcmdoc)</code>
687utility programs.
688</p>
689<p>When
690<code>ntpd(1ntpdmdoc)</code>
691is first started, it reads the key file specified in the
692<code>keys</code>
693configuration command and installs the keys
694in the key cache.
695However,
696individual keys must be activated with the
697<code>trusted</code>
698command before use.
699This
700allows, for instance, the installation of possibly
701several batches of keys and
702then activating or deactivating each batch
703remotely using
704<code>ntpdc(1ntpdcmdoc)</code>.
705This also provides a revocation capability that can be used
706if a key becomes compromised.
707The
708<code>requestkey</code>
709command selects the key used as the password for the
710<code>ntpdc(1ntpdcmdoc)</code>
711utility, while the
712<code>controlkey</code>
713command selects the key used as the password for the
714<code>ntpq(1ntpqmdoc)</code>
715utility.
716</p><span id="Public-Key-Cryptography"></span><h4 class="subsubsection">1.1.2.2 Public Key Cryptography</h4>
717<p>NTPv4 supports the original NTPv3 symmetric key scheme
718described in RFC-1305 and in addition the Autokey protocol,
719which is based on public key cryptography.
720The Autokey Version 2 protocol described on the Autokey Protocol
721page verifies packet integrity using MD5 message digests
722and verifies the source with digital signatures and any of several
723digest/signature schemes.
724Optional identity schemes described on the Identity Schemes
725page and based on cryptographic challenge/response algorithms
726are also available.
727Using all of these schemes provides strong security against
728replay with or without modification, spoofing, masquerade
729and most forms of clogging attacks.
730</p>
731<p>The Autokey protocol has several modes of operation
732corresponding to the various NTP modes supported.
733Most modes use a special cookie which can be
734computed independently by the client and server,
735but encrypted in transmission.
736All modes use in addition a variant of the S-KEY scheme,
737in which a pseudo-random key list is generated and used
738in reverse order.
739These schemes are described along with an executive summary,
740current status, briefing slides and reading list on the
741&lsquo;Autonomous Authentication&rsquo;
742page.
743</p>
744<p>The specific cryptographic environment used by Autokey servers
745and clients is determined by a set of files
746and soft links generated by the
747<code>ntp-keygen(1ntpkeygenmdoc)</code>
748program.
749This includes a required host key file,
750required certificate file and optional sign key file,
751leapsecond file and identity scheme files.
752The
753digest/signature scheme is specified in the X.509 certificate
754along with the matching sign key.
755There are several schemes
756available in the OpenSSL software library, each identified
757by a specific string such as
758<code>md5WithRSAEncryption</code>,
759which stands for the MD5 message digest with RSA
760encryption scheme.
761The current NTP distribution supports
762all the schemes in the OpenSSL library, including
763those based on RSA and DSA digital signatures.
764</p>
765<p>NTP secure groups can be used to define cryptographic compartments
766and security hierarchies.
767It is important that every host
768in the group be able to construct a certificate trail to one
769or more trusted hosts in the same group.
770Each group
771host runs the Autokey protocol to obtain the certificates
772for all hosts along the trail to one or more trusted hosts.
773This requires the configuration file in all hosts to be
774engineered so that, even under anticipated failure conditions,
775the NTP subnet will form such that every group host can find
776a trail to at least one trusted host.
</p><span id="Naming-and-Addressing"></span><h4 class="subsubsection">1.1.2.3 Naming and Addressing</h4>
<p>It is important to note that Autokey does not use DNS to
resolve addresses, since DNS can&rsquo;t be completely trusted
until the name servers have synchronized clocks.
The cryptographic name used by Autokey to bind the host identity
credentials and cryptographic values must be independent
of interface, network and any other naming convention.
The name appears in the host certificate in either or both
the subject and issuer fields, so protection against
DNS compromise is essential.
</p>
<p>By convention, the name of an Autokey host is the name returned
by the Unix
<code>gethostname(2)</code>
system call or equivalent in other systems.
By the system design
model, there are no provisions to allow alternate names or aliases.
However, this is not to say that DNS aliases, different names
for each interface, etc., are constrained in any way.
</p>
<p>It is also important to note that Autokey verifies authenticity
using the host name, network address and public keys,
all of which are bound together by the protocol specifically
to deflect masquerade attacks.
For this reason Autokey
includes the source and destination IP addresses in message digest
computations and so the same addresses must be available
at both the server and client.
For this reason operation
with network address translation schemes is not possible.
This reflects the intended robust security model where government
and corporate NTP servers are operated outside firewall perimeters.
</p><span id="Operation"></span><h4 class="subsubsection">1.1.2.4 Operation</h4>
<p>A specific combination of authentication scheme (none,
symmetric key, public key) and identity scheme is called
a cryptotype, although not all combinations are compatible.
There may be management configurations where the clients,
servers and peers may not all support the same cryptotypes.
A secure NTPv4 subnet can be configured in many ways while
keeping in mind the principles explained above and
in this section.
Note however that some cryptotype
combinations may successfully interoperate with each other,
but may not represent good security practice.
</p>
<p>The cryptotype of an association is determined at the time
of mobilization, either at configuration time or some time
later when a message of appropriate cryptotype arrives.
When mobilized by a
<code>server</code>
or
<code>peer</code>
configuration command and no
<code>key</code>
or
<code>autokey</code>
subcommands are present, the association is not
authenticated; if the
<code>key</code>
subcommand is present, the association is authenticated
using the symmetric key ID specified; if the
<code>autokey</code>
subcommand is present, the association is authenticated
using Autokey.
</p>
<p>When multiple identity schemes are supported in the Autokey
protocol, the first message exchange determines which one is used.
The client request message contains bits corresponding
to which schemes it has available.
The server response message
contains bits corresponding to which schemes it has available.
Both server and client match the received bits with their own
and select a common scheme.
</p>
<p>Following the principle that time is a public value,
a server responds to any client packet that matches
its cryptotype capabilities.
Thus, a server receiving
an unauthenticated packet will respond with an unauthenticated
packet, while the same server receiving a packet of a cryptotype
it supports will respond with packets of that cryptotype.
However, unconfigured broadcast or manycast client
associations or symmetric passive associations will not be
mobilized unless the server supports a cryptotype compatible
with the first packet received.
By default, unauthenticated associations will not be mobilized
unless overridden in a decidedly dangerous way.
</p>
<p>Some examples may help to reduce confusion.
Client Alice has no specific cryptotype selected.
Server Bob has both a symmetric key file and minimal Autokey files.
Alice&rsquo;s unauthenticated messages arrive at Bob, who replies with
unauthenticated messages.
Cathy has a copy of Bob&rsquo;s symmetric
key file and has selected key ID 4 in messages to Bob.
Bob verifies the message with his key ID 4.
If it&rsquo;s the
same key and the message is verified, Bob sends Cathy a reply
authenticated with that key.
If verification fails,
Bob sends Cathy a thing called a crypto-NAK, which tells her
something broke.
She can see the evidence using the
<code>ntpq(1ntpqmdoc)</code>
program.
</p>
<p>Denise has rolled her own host key and certificate.
She also uses one of the identity schemes as Bob.
She sends the first Autokey message to Bob and they
both dance the protocol authentication and identity steps.
If all comes out okay, Denise and Bob continue as described above.
</p>
<p>It should be clear from the above that Bob can support
all the girls at the same time, as long as he has compatible
authentication and identity credentials.
Now, Bob can act just like the girls in his own choice of servers;
he can run multiple configured associations with multiple different
servers (or the same server, although that might not be useful).
But, wise security policy might preclude some cryptotype
combinations; for instance, running an identity scheme
with one server and no authentication with another might not be wise.
</p><span id="Key-Management"></span><h4 class="subsubsection">1.1.2.5 Key Management</h4>
<p>The cryptographic values used by the Autokey protocol are
incorporated as a set of files generated by the
<code>ntp-keygen(1ntpkeygenmdoc)</code>
utility program, including symmetric key, host key and
public certificate files, as well as sign key, identity parameters
and leapseconds files.
Alternatively, host and sign keys and
certificate files can be generated by the OpenSSL utilities
and certificates can be imported from public certificate
authorities.
Note that symmetric keys are necessary for the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
utility programs.
The remaining files are necessary only for the
Autokey protocol.
</p>
<p>Certificates imported from OpenSSL or public certificate
authorities have certain limitations.
The certificate should be in ASN.1 syntax, X.509 Version 3
format and encoded in PEM, which is the same format
used by OpenSSL.
The overall length of the certificate encoded
in ASN.1 must not exceed 1024 bytes.
The subject distinguished
name field (CN) is the fully qualified name of the host
on which it is used; the remaining subject fields are ignored.
The certificate extension fields must not contain either
a subject key identifier or an issuer key identifier field;
however, an extended key usage field for a trusted host must
contain the value
<code>trustRoot</code>.
Other extension fields are ignored.
</p><span id="Authentication-Commands"></span><h4 class="subsubsection">1.1.2.6 Authentication Commands</h4>
<dl compact="compact">
<dt><code>autokey</code> <code>[<kbd>logsec</kbd>]</code></dt>
<dd><p>Specifies the interval between regenerations of the session key
list used with the Autokey protocol.
Note that the size of the key
list for each association depends on this interval and the current
poll interval.
The default value is 12 (4096 s or about 1.1 hours).
For poll intervals above the specified interval, a session key list
with a single entry will be regenerated for every message
sent.
</p></dd>
<dt><code>controlkey</code> <kbd>key</kbd></dt>
<dd><p>Specifies the key identifier to use with the
<code>ntpq(1ntpqmdoc)</code>
utility, which uses the standard
protocol defined in RFC-1305.
The
<kbd>key</kbd>
argument is
the key identifier for a trusted key, where the value can be in the
range 1 to 65,535, inclusive.
</p></dd>
<dt><code>crypto</code> <code>[<code>cert</code> <kbd>file</kbd>]</code> <code>[<code>leap</code> <kbd>file</kbd>]</code> <code>[<code>randfile</code> <kbd>file</kbd>]</code> <code>[<code>host</code> <kbd>file</kbd>]</code> <code>[<code>gq</code> <kbd>file</kbd>]</code> <code>[<code>gqpar</code> <kbd>file</kbd>]</code> <code>[<code>iffpar</code> <kbd>file</kbd>]</code> <code>[<code>mvpar</code> <kbd>file</kbd>]</code> <code>[<code>pw</code> <kbd>password</kbd>]</code></dt>
<dd><p>This command requires the OpenSSL library.
It activates public key
cryptography, selects the message digest and signature
encryption scheme and loads the required private and public
values described above.
If one or more files are left unspecified,
the default names are used as described above.
Unless the complete path and name of the file are specified, the
location of a file is relative to the keys directory specified
in the
<code>keysdir</code>
command or default
<samp>/usr/local/etc</samp>.
Following are the subcommands:
</p><dl compact="compact">
<dt><code>cert</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the required host public certificate file.
This overrides the link
<samp>ntpkey_cert_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>gqpar</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional GQ parameters file.
This
overrides the link
<samp>ntpkey_gq_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>host</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the required host key file.
This overrides
the link
<samp>ntpkey_key_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>iffpar</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional IFF parameters file.
This overrides the link
<samp>ntpkey_iff_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>leap</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional leapsecond file.
This overrides the link
<samp>ntpkey_leap</samp>
in the keys directory.
</p></dd>
<dt><code>mvpar</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the optional MV parameters file.
This overrides the link
<samp>ntpkey_mv_</samp><kbd>hostname</kbd>
in the keys directory.
</p></dd>
<dt><code>pw</code> <kbd>password</kbd></dt>
<dd><p>Specifies the password to decrypt files containing private keys and
identity parameters.
This is required only if these files have been
encrypted.
</p></dd>
<dt><code>randfile</code> <kbd>file</kbd></dt>
<dd><p>Specifies the location of the random seed file used by the OpenSSL
library.
The defaults are described in the main text above.
</p></dd>
</dl>
</dd>
<dt><code>keys</code> <kbd>keyfile</kbd></dt>
<dd><p>Specifies the complete path and location of the MD5 key file
containing the keys and key identifiers used by
<code>ntpd(1ntpdmdoc)</code>,
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
when operating with symmetric key cryptography.
This is the same operation as the
<code>-k</code>
command line option.
</p></dd>
<dt><code>keysdir</code> <kbd>path</kbd></dt>
<dd><p>This command specifies the default directory path for
cryptographic keys, parameters and certificates.
The default is
<samp>/usr/local/etc/</samp>.
</p></dd>
<dt><code>requestkey</code> <kbd>key</kbd></dt>
<dd><p>Specifies the key identifier to use with the
<code>ntpdc(1ntpdcmdoc)</code>
utility program, which uses a
proprietary protocol specific to this implementation of
<code>ntpd(1ntpdmdoc)</code>.
The
<kbd>key</kbd>
argument is a key identifier
for the trusted key, where the value can be in the range 1 to
65,535, inclusive.
</p></dd>
<dt><code>revoke</code> <kbd>logsec</kbd></dt>
<dd><p>Specifies the interval between re-randomization of certain
cryptographic values used by the Autokey scheme, as a power of 2 in
seconds.
These values need to be updated frequently in order to
deflect brute-force attacks on the algorithms of the scheme;
however, updating some values is a relatively expensive operation.
The default interval is 16 (65,536 s or about 18 hours).
For poll
intervals above the specified interval, the values will be updated
for every message sent.
</p></dd>
<dt><code>trustedkey</code> <kbd>key</kbd> <kbd>...</kbd></dt>
<dd><p>Specifies the key identifiers which are trusted for the
purposes of authenticating peers with symmetric key cryptography,
as well as keys used by the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
programs.
The authentication procedures require that both the local
and remote servers share the same key and key identifier for this
purpose, although different keys can be used with different
servers.
The
<kbd>key</kbd>
arguments are 32-bit unsigned
integers with values from 1 to 65,535.
</p></dd>
</dl>
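<p>The symmetric-key commands above (<code>keys</code>, <code>trustedkey</code>, <code>controlkey</code>, <code>requestkey</code> and the <code>key</code> subcommand of <code>server</code>/<code>peer</code>) only work together when the identifiers they name agree, and a key that is listed in the key file but never activated with <code>trustedkey</code> silently fails authentication. The following checker, an added example that is not part of the NTP distribution, reads the authentication commands out of an <code>ntp.conf</code> text and reports the inconsistencies the manual warns about. The two sample configurations, the file name <samp>ntp.keys</samp> and the host name <samp>ntp1.example.net</samp> are constructed for the example.</p>

```python
"""Added example (not part of the NTP distribution): a lint pass over the
symmetric-key authentication commands of an ntp.conf file.

Rules checked, all taken from the manual text above:
  * key identifiers must lie in the range 1 to 65535;
  * the key named by controlkey (ntpq) and requestkey (ntpdc) must be one
    of the identifiers activated with trustedkey;
  * server/peer lines using 'key N' must reference a trusted key;
  * the 'keys' command should give the complete path of the key file.
The sample configurations below are constructed for this example.
"""
import os

KEY_ID_MIN, KEY_ID_MAX = 1, 65535   # range stated in the manual


def _key_ids(tokens):
    """Return the integer key identifiers among a command's arguments."""
    return [int(tok) for tok in tokens if tok.isdigit()]


def lint_auth_config(conf_text):
    """Return a list of findings (strings) for the auth commands in conf_text."""
    findings = []
    keys_file = None
    trusted = set()
    control = request = None
    assoc_keys = []                       # (server/peer address, key id)

    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        tokens = line.split()
        cmd = tokens[0]
        if cmd == "keys" and len(tokens) > 1:
            keys_file = tokens[1]
        elif cmd == "trustedkey":
            trusted.update(_key_ids(tokens[1:]))
        elif cmd == "controlkey" and len(tokens) > 1 and tokens[1].isdigit():
            control = int(tokens[1])
        elif cmd == "requestkey" and len(tokens) > 1 and tokens[1].isdigit():
            request = int(tokens[1])
        elif cmd in ("server", "peer") and "key" in tokens[2:]:
            i = tokens.index("key")
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                assoc_keys.append((tokens[1], int(tokens[i + 1])))

    if keys_file is None:
        if trusted or control is not None or request is not None or assoc_keys:
            findings.append("symmetric keys are referenced but no 'keys' file is configured")
    elif not os.path.isabs(keys_file):
        findings.append(f"'keys {keys_file}' should be a complete path")

    for kid in sorted(trusted):
        if not KEY_ID_MIN <= kid <= KEY_ID_MAX:
            findings.append(f"trustedkey {kid} is outside the range 1 to 65535")

    for name, kid in (("controlkey", control), ("requestkey", request)):
        if kid is not None and kid not in trusted:
            findings.append(f"{name} {kid} is not activated by a trustedkey command")

    for addr, kid in assoc_keys:
        if kid not in trusted:
            findings.append(f"association with {addr} uses key {kid}, which is not trusted")

    return findings


# Constructed sample: relative key file path, ntpq password key never
# activated, and a server association using an untrusted key.
WEAK_CONF = """\
keys ntp.keys
trustedkey 1 2
controlkey 3
requestkey 2
server ntp1.example.net key 4
"""

# Constructed sample that satisfies every rule above.
GOOD_CONF = """\
keys /usr/local/etc/ntp.keys
trustedkey 1 2 3
controlkey 3
requestkey 2
server ntp1.example.net key 1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(label, lint_auth_config(conf) or ["no findings"])
```

The checker deliberately treats <code>trustedkey</code> as the single source of truth for which identifiers may be used anywhere else; ntpd's own configuration parser accepts more argument forms than the plain list handled here, so a clean result from this pass is a necessary, not a sufficient, condition for a working setup.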
<span id="Error-Codes"></span><h4 class="subsubsection">1.1.2.7 Error Codes</h4>
<p>The following error codes are reported via the NTP control
and monitoring protocol trap mechanism.
</p><dl compact="compact">
<dt>101</dt>
<dd><p>(bad field format or length)
The packet has invalid version, length or format.
</p></dd>
<dt>102</dt>
<dd><p>(bad timestamp)
The packet timestamp is the same or older than the most recent received.
This could be due to a replay or a server clock time step.
</p></dd>
<dt>103</dt>
<dd><p>(bad filestamp)
The packet filestamp is the same or older than the most recent received.
This could be due to a replay or a key file generation error.
</p></dd>
<dt>104</dt>
<dd><p>(bad or missing public key)
The public key is missing, has incorrect format or is an unsupported type.
</p></dd>
<dt>105</dt>
<dd><p>(unsupported digest type)
The server requires an unsupported digest/signature scheme.
</p></dd>
<dt>106</dt>
<dd><p>(mismatched digest types)
Not used.
</p></dd>
<dt>107</dt>
<dd><p>(bad signature length)
The signature length does not match the current public key.
</p></dd>
<dt>108</dt>
<dd><p>(signature not verified)
The message fails the signature check.
It could be bogus or signed by a
different private key.
</p></dd>
<dt>109</dt>
<dd><p>(certificate not verified)
The certificate is invalid or signed with the wrong key.
</p></dd>
<dt>110</dt>
<dd><p>(certificate not verified)
The certificate is not yet valid or has expired or the signature could not
be verified.
</p></dd>
<dt>111</dt>
<dd><p>(bad or missing cookie)
The cookie is missing, corrupted or bogus.
</p></dd>
<dt>112</dt>
<dd><p>(bad or missing leapseconds table)
The leapseconds table is missing, corrupted or bogus.
</p></dd>
<dt>113</dt>
<dd><p>(bad or missing certificate)
The certificate is missing, corrupted or bogus.
</p></dd>
<dt>114</dt>
<dd><p>(bad or missing identity)
The identity key is missing, corrupt or bogus.
</p></dd>
</dl>
<hr>
<span id="Monitoring-Support"></span><div class="header">
<p>
Next: <a href="#Access-Control-Support" accesskey="n" rel="next">Access Control Support</a>, Previous: <a href="#Authentication-Support" accesskey="p" rel="prev">Authentication Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
</div>
<span id="Monitoring-Support-1"></span><h4 class="subsection">1.1.3 Monitoring Support</h4>
<p><code>ntpd(1ntpdmdoc)</code>
includes a comprehensive monitoring facility suitable
for continuous, long term recording of server and client
timekeeping performance.
See the
<code>statistics</code>
command below
for a listing and example of each type of statistics currently
supported.
Statistic files are managed using file generation sets
and scripts in the
<samp>./scripts</samp>
directory of the source code distribution.
Using
these facilities and
<small>UNIX</small>
<code>cron(8)</code>
jobs, the data can be
automatically summarized and archived for retrospective analysis.
</p><span id="Monitoring-Commands"></span><h4 class="subsubsection">1.1.3.1 Monitoring Commands</h4>
<dl compact="compact">
<dt><code>statistics</code> <kbd>name</kbd> <kbd>...</kbd></dt>
<dd><p>Enables writing of statistics records.
Currently, eight kinds of
<kbd>name</kbd>
statistics are supported.
</p><dl compact="compact">
<dt><code>clockstats</code></dt>
<dd><p>Enables recording of clock driver statistics information.
Each update
received from a clock driver appends a line of the following form to
the file generation set named
<code>clockstats</code>:
</p><pre class="verbatim">49213 525.624 127.127.4.1 93 226 00:08:29.606 D
</pre>
<p>The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight).
The next field shows the
clock address in dotted-quad notation.
The final field shows the last
timecode received from the clock in decoded ASCII format, where
meaningful.
In some clock drivers a good deal of additional information
can be gathered and displayed as well.
See information specific to each
clock for further details.
</p></dd>
<dt><code>cryptostats</code></dt>
<dd><p>This option requires the OpenSSL cryptographic software library.
It
enables recording of cryptographic public key protocol information.
Each message received by the protocol module appends a line of the
following form to the file generation set named
<code>cryptostats</code>:
</p><pre class="verbatim">49213 525.624 127.127.4.1 message
</pre>
<p>The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight).
The next field shows the peer
address in dotted-quad notation. The final message field includes the
message type and certain ancillary information.
See the
&lsquo;Authentication Options&rsquo;
section for further information.
</p></dd>
<dt><code>loopstats</code></dt>
<dd><p>Enables recording of loop filter statistics information.
Each
update of the local clock outputs a line of the following form to
the file generation set named
<code>loopstats</code>:
</p><pre class="verbatim">50935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
</pre>
<p>The first two fields show the date (Modified Julian Day) and
time (seconds and fraction past UTC midnight).
The next five fields
show time offset (seconds), frequency offset (parts per million -
PPM), RMS jitter (seconds), Allan deviation (PPM) and clock
discipline time constant.
</p></dd>
<dt><code>peerstats</code></dt>
<dd><p>Enables recording of peer statistics information.
This includes
statistics records of all peers of an NTP server and of special
signals, where present and configured.
Each valid update appends a
line of the following form to the current element of a file
generation set named
<code>peerstats</code>:
</p><pre class="verbatim">48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674
</pre>
<p>The first two fields show the date (Modified Julian Day) and
time (seconds and fraction past UTC midnight).
The next two fields
show the peer address in dotted-quad notation and status,
respectively.
The status field is encoded in hex in the format
described in Appendix A of the NTP specification RFC 1305.
The final four fields show the offset,
delay, dispersion and RMS jitter, all in seconds.
</p></dd>
<dt><code>rawstats</code></dt>
<dd><p>Enables recording of raw-timestamp statistics information.
This
includes statistics records of all peers of an NTP server and of
special signals, where present and configured.
Each NTP message
received from a peer or clock driver appends a line of the
following form to the file generation set named
<code>rawstats</code>:
</p><pre class="verbatim">50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.586228000 3102453332.540806000 3102453332.541458000
</pre>
<p>The first two fields show the date (Modified Julian Day) and
time (seconds and fraction past UTC midnight).
The next two fields
show the remote peer or clock address followed by the local address
in dotted-quad notation.
The final four fields show the originate,
receive, transmit and final NTP timestamps in order.
The timestamp
values are as received and before processing by the various data
smoothing and mitigation algorithms.
</p></dd>
<dt><code>sysstats</code></dt>
<dd><p>Enables recording of ntpd statistics counters on a periodic basis.
Each
hour a line of the following form is appended to the file generation
set named
<code>sysstats</code>:
</p><pre class="verbatim">50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
</pre>
<p>The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight).
The remaining ten fields show
the statistics counter values accumulated since the last generated
line.
</p><dl compact="compact">
<dt>Time since restart <code>36000</code></dt>
<dd><p>Time in hours since the system was last rebooted.
</p></dd>
<dt>Packets received <code>81965</code></dt>
<dd><p>Total number of packets received.
</p></dd>
<dt>Packets processed <code>0</code></dt>
<dd><p>Number of packets received in response to previous packets sent.
</p></dd>
<dt>Current version <code>9546</code></dt>
<dd><p>Number of packets matching the current NTP version.
</p></dd>
<dt>Previous version <code>56</code></dt>
<dd><p>Number of packets matching the previous NTP version.
</p></dd>
<dt>Bad version <code>71793</code></dt>
<dd><p>Number of packets matching neither NTP version.
</p></dd>
<dt>Access denied <code>512</code></dt>
<dd><p>Number of packets denied access for any reason.
</p></dd>
<dt>Bad length or format <code>540</code></dt>
<dd><p>Number of packets with invalid length, format or port number.
</p></dd>
<dt>Bad authentication <code>10</code></dt>
<dd><p>Number of packets not verified as authentic.
</p></dd>
<dt>Rate exceeded <code>147</code></dt>
<dd><p>Number of packets discarded due to rate limitation.
</p></dd>
</dl>
</dd>
<dt><code>statsdir</code> <kbd>directory_path</kbd></dt>
<dd><p>Indicates the full path of a directory where statistics files
should be created (see below).
This keyword allows
the (otherwise constant)
<code>filegen</code>
filename prefix to be modified for file generation sets, which
is useful for handling statistics logs.
</p></dd>
<dt><code>filegen</code> <kbd>name</kbd> <code>[<code>file</code> <kbd>filename</kbd>]</code> <code>[<code>type</code> <kbd>typename</kbd>]</code> <code>[<code>link</code> | <code>nolink</code>]</code> <code>[<code>enable</code> | <code>disable</code>]</code></dt>
<dd><p>Configures setting of generation file set name.
Generation
file sets provide a means for handling files that are
continuously growing during the lifetime of a server.
Server statistics are a typical example for such files.
Generation file sets provide access to a set of files used
to store the actual data.
At any time at most one element
of the set is being written to.
The type given specifies
when and how data will be directed to a new element of the set.
This way, information stored in elements of a file set
that are currently unused are available for administrative
operations without the risk of disturbing the operation of ntpd.
(Most important: they can be removed to free space for new data
produced.)
</p>
<p>Note that this command can be sent from the
<code>ntpdc(1ntpdcmdoc)</code>
program running at a remote location.
</p><dl compact="compact">
<dt><code>name</code></dt>
<dd><p>This is the type of the statistics records, as shown in the
<code>statistics</code>
command.
</p></dd>
<dt><code>file</code> <kbd>filename</kbd></dt>
<dd><p>This is the file name for the statistics records.
Filenames of set
members are built from three concatenated elements
<code>prefix</code>,
<code>filename</code>
and
<code>suffix</code>:
</p><dl compact="compact">
<dt><code>prefix</code></dt>
<dd><p>This is a constant filename path.
It is not subject to
modifications via the
<kbd>filegen</kbd>
option.
It is defined by the
server, usually specified as a compile-time constant.
It may,
however, be configurable for individual file generation sets
via other commands.
For example, the prefix used with
<kbd>loopstats</kbd>
and
<kbd>peerstats</kbd>
generation can be configured using the
<kbd>statsdir</kbd>
option explained above.
</p></dd>
<dt><code>filename</code></dt>
<dd><p>This string is directly concatenated to the prefix mentioned
above (no intervening
&lsquo;/&rsquo;).
This can be modified using
the file argument to the
<kbd>filegen</kbd>
statement.
No
<samp>..</samp>
elements are
allowed in this component to prevent filenames referring to
parts outside the filesystem hierarchy denoted by
<kbd>prefix</kbd>.
</p></dd>
<dt><code>suffix</code></dt>
<dd><p>This part reflects individual elements of a file set.
It is
generated according to the type of a file set.
</p></dd>
</dl>
</dd>
<dt><code>type</code> <kbd>typename</kbd></dt>
<dd><p>A file generation set is characterized by its type.
The following
types are supported:
</p><dl compact="compact">
<dt><code>none</code></dt>
<dd><p>The file set is actually a single plain file.
</p></dd>
<dt><code>pid</code></dt>
<dd><p>One element of file set is used per incarnation of an ntpd
server.
This type does not perform any changes to file set
members during runtime, however it provides an easy way of
separating files belonging to different
<code>ntpd(1ntpdmdoc)</code>
server incarnations.
The set member filename is built by appending a
&lsquo;.&rsquo;
to concatenated
<kbd>prefix</kbd>
and
<kbd>filename</kbd>
strings, and
appending the decimal representation of the process ID of the
<code>ntpd(1ntpdmdoc)</code>
server process.
</p></dd>
<dt><code>day</code></dt>
<dd><p>One file generation set element is created per day.
A day is
defined as the period between 00:00 and 24:00 UTC.
The file set
member suffix consists of a
&lsquo;.&rsquo;
and a day specification in
the form
<code>YYYYMMdd</code>.
<code>YYYY</code>
is a 4-digit year number (e.g., 1992).
<code>MM</code>
is a two digit month number.
<code>dd</code>
is a two digit day number.
Thus, all information written at 10 December 1992 would end up
in a file named
<kbd>prefix</kbd>
<kbd>filename</kbd>.19921210.
</p></dd>
<dt><code>week</code></dt>
<dd><p>Any file set member contains data related to a certain week of
a year.
The term week is defined by computing day-of-year
modulo 7.
Elements of such a file generation set are
distinguished by appending the following suffix to the file set
filename base: A dot, a 4-digit year number, the letter
<code>W</code>,
and a 2-digit week number.
For example, information from January
10th, 1992 would end up in a file with suffix
<code>.1992W1</code>.
</p></dd>
<dt><code>month</code></dt>
<dd><p>One generation file set element is generated per month.
The
file name suffix consists of a dot, a 4-digit year number, and
a 2-digit month.
</p></dd>
<dt><code>year</code></dt>
<dd><p>One generation file element is generated per year.
The filename
suffix consists of a dot and a 4 digit year number.
</p></dd>
<dt><code>age</code></dt>
<dd><p>This type of file generation sets changes to a new element of
the file set every 24 hours of server operation.
The filename
suffix consists of a dot, the letter
<code>a</code>,
and an 8-digit number.
This number is taken to be the number of seconds the server is
running at the start of the corresponding 24-hour period.
Information is only written to a file generation by specifying
<code>enable</code>;
output is prevented by specifying
<code>disable</code>.
</p></dd>
</dl>
</dd>
<dt><code>link</code> | <code>nolink</code></dt>
<dd><p>It is convenient to be able to access the current element of a file
generation set by a fixed name.
This feature is enabled by
specifying
<code>link</code>
and disabled using
<code>nolink</code>.
If link is specified, a
hard link from the current file set element to a file without
suffix is created.
When there is already a file with this name and
the number of links of this file is one, it is renamed appending a
dot, the letter
<code>C</code>,
and the pid of the
<code>ntpd(1ntpdmdoc)</code>
server process.
When the
number of links is greater than one, the file is unlinked.
This
allows the current file to be accessed by a constant name.
</p></dd>
<dt><code>enable</code> <code>|</code> <code>disable</code></dt>
<dd><p>Enables or disables the recording function.
</p></dd>
</dl>
</dd>
</dl>
</dd>
</dl>
1531<hr>
1532<span id="Access-Control-Support"></span><div class="header">
1533<p>
1534Next: <a href="#Automatic-NTP-Configuration-Options" accesskey="n" rel="next">Automatic NTP Configuration Options</a>, Previous: <a href="#Monitoring-Support" accesskey="p" rel="prev">Monitoring Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
1535</div>
1536<span id="Access-Control-Support-1"></span><h4 class="subsection">1.1.4 Access Control Support</h4>
1537<p>The
1538<code>ntpd(1ntpdmdoc)</code>
1539daemon implements a general purpose address/mask based restriction
1540list.
The list contains address/mask entries sorted first
by increasing address values and then by increasing mask values.
1543A match occurs when the bitwise AND of the mask and the packet
1544source address is equal to the bitwise AND of the mask and
1545address in the list.
1546The list is searched in order with the
1547last match found defining the restriction flags associated
1548with the entry.
1549Additional information and examples can be found in the
1550&quot;Notes on Configuring NTP and Setting up a NTP Subnet&quot;
1551page
1552(available as part of the HTML documentation
1553provided in
1554<samp>/usr/share/doc/ntp</samp>).
1555</p>
1556<p>The restriction facility was implemented in conformance
1557with the access policies for the original NSFnet backbone
1558time servers.
1559Later the facility was expanded to deflect
1560cryptographic and clogging attacks.
While this facility may
be useful for keeping unwanted, broken or malicious clients
from congesting innocent servers, it should not be considered
an alternative to the NTP authentication facilities.
Source address based restrictions are easily circumvented
by a determined attacker, since the source address of a UDP
packet can be forged.
1567</p>
1568<p>Clients can be denied service because they are explicitly
1569included in the restrict list created by the
1570<code>restrict</code>
1571command
1572or implicitly as the result of cryptographic or rate limit
1573violations.
1574Cryptographic violations include certificate
1575or identity verification failure; rate limit violations generally
1576result from defective NTP implementations that send packets
1577at abusive rates.
1578Some violations cause denied service
1579only for the offending packet, others cause denied service
1580for a timed period and others cause the denied service for
1581an indefinite period.
1582When a client or network is denied access
1583for an indefinite period, the only way at present to remove
1584the restrictions is by restarting the server.
1585</p><span id="The-Kiss_002dof_002dDeath-Packet"></span><h4 class="subsubsection">1.1.4.1 The Kiss-of-Death Packet</h4>
1586<p>Ordinarily, packets denied service are simply dropped with no
1587further action except incrementing statistics counters.
1588Sometimes a
1589more proactive response is needed, such as a server message that
1590explicitly requests the client to stop sending and leave a message
1591for the system operator.
1592A special packet format has been created
1593for this purpose called the &quot;kiss-of-death&quot; (KoD) packet.
1594KoD packets have the leap bits set unsynchronized and stratum set
1595to zero and the reference identifier field set to a four-byte
1596ASCII code.
1597If the
1598<code>noserve</code>
1599or
1600<code>notrust</code>
1601flag of the matching restrict list entry is set,
1602the code is &quot;DENY&quot;; if the
1603<code>limited</code>
1604flag is set and the rate limit
1605is exceeded, the code is &quot;RATE&quot;.
1606Finally, if a cryptographic violation occurs, the code is &quot;CRYP&quot;.
1607</p>
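<p>As an added illustration (not part of the NTP distribution), the following Python sketch builds a KoD packet exactly as the format above describes it and shows the client-side sanity checks a receiver should apply before believing one. It assumes the 48-byte RFC 5905 header layout; the timestamps and the kiss codes used in the demonstration are constructed for the example. The origin-timestamp comparison is the check that keeps a blind, off-path attacker from forging a KoD to make a client stop polling.</p>

```python
import struct

# RFC 5905 NTP header: li_vn_mode, stratum, poll, precision, root delay,
# root dispersion, reference id, then reference, origin, receive and
# transmit timestamps (48 bytes in all).
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")
LI_UNSYNC = 3                            # leap indicator 11: unsynchronized (alarm)
MODE_SERVER = 4
KISS_CODES = {"DENY", "RATE", "CRYP"}    # the codes described in this section


def build_kod(code, org_ts, version=4):
    """Server side: a kiss-of-death reply to the client packet whose transmit
    timestamp was org_ts. Leap bits unsynchronized, stratum 0, refid = code."""
    if code not in KISS_CODES:
        raise ValueError("unknown kiss code %r" % code)
    li_vn_mode = (LI_UNSYNC << 6) | (version << 3) | MODE_SERVER
    return NTP_HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, code.encode("ascii"),
                           0, org_ts, 0, 0)


def classify_reply(pkt, expected_org):
    """Client side. expected_org is the transmit timestamp of the request the
    client actually sent. Returns ("kod", code) for an accepted kiss-of-death
    packet, "bogus" for a reply failing the sanity checks, "normal" otherwise."""
    if len(pkt) < NTP_HEADER.size:
        return "bogus"                                # truncated header
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, org, _rx, _tx) = NTP_HEADER.unpack_from(pkt)
    if (li_vn_mode & 0x7) != MODE_SERVER:
        return "bogus"
    # The origin timestamp must echo our own transmit timestamp. Without this
    # check anyone able to send a UDP packet to the client could forge a KoD
    # and put the association into the TEST4 (stop sending) state.
    if org != expected_org:
        return "bogus"
    if stratum != 0:
        return "normal"                               # ordinary time reply
    li = li_vn_mode >> 6
    if li != LI_UNSYNC or not all(0x20 < b < 0x7f for b in refid):
        return "bogus"                                # stratum 0 but not a well-formed KoD
    return ("kod", refid.decode("ascii"))


if __name__ == "__main__":
    my_xmt = 0xE8D50000_12345678          # constructed: transmit timestamp of our last request
    genuine = build_kod("RATE", org_ts=my_xmt)
    forged = build_kod("DENY", org_ts=0x11111111_22222222)   # attacker guessed wrong
    print(classify_reply(genuine, my_xmt))   # ('kod', 'RATE')
    print(classify_reply(forged, my_xmt))    # 'bogus'
```

<p>A real client additionally keeps the origin timestamp unpredictable (ntpd randomizes the low-order bits of its transmit timestamps), which is what gives the origin check its strength against guessing.</p>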
1608<p>A client receiving a KoD performs a set of sanity checks to
1609minimize security exposure, then updates the stratum and
1610reference identifier peer variables, sets the access
1611denied (TEST4) bit in the peer flash variable and sends
1612a message to the log.
1613As long as the TEST4 bit is set,
1614the client will send no further packets to the server.
1615The only way at present to recover from this condition is
1616to restart the protocol at both the client and server.
1617This
1618happens automatically at the client when the association times out.
1619It will happen at the server only if the server operator cooperates.
1620</p><span id="Access-Control-Commands"></span><h4 class="subsubsection">1.1.4.2 Access Control Commands</h4>
1621<dl compact="compact">
1622<dt><code>discard</code> <code>[<code>average</code> <kbd>avg</kbd>]</code> <code>[<code>minimum</code> <kbd>min</kbd>]</code> <code>[<code>monitor</code> <kbd>prob</kbd>]</code></dt>
1623<dd><p>Set the parameters of the
1624<code>limited</code>
1625facility which protects the server from
1626client abuse.
1627The
1628<code>average</code>
1629subcommand specifies the minimum average packet
1630spacing in log2 seconds, defaulting to 3 (8s), while the
1631<code>minimum</code>
1632subcommand specifies the minimum packet spacing
1633in seconds, defaulting to 2.
1634Packets that violate these minima are discarded
1635and a kiss-o&rsquo;-death packet returned if enabled.
1636The
1637<code>monitor</code>
1638subcommand indirectly specifies the probability of
1639replacing the oldest entry from the monitor (MRU)
1640list of recent requests used to enforce rate controls,
1641when that list is at its maximum size. The probability
1642of replacing the oldest entry is the age of that entry
1643in seconds divided by the
1644<code>monitor</code>
1645value, default 3000. For example, if the oldest entry
1646in the MRU list represents a request 300 seconds ago,
1647by default the probability of replacing it with an
1648entry representing the client request being processed
1649now is 10%. Conversely, if the oldest entry is more
1650than 3000 seconds old, the probability is 100%.
1651</p></dd>
1652<dt><code>restrict</code> <kbd>address</kbd> <code>[<code>mask</code> <kbd>mask</kbd>]</code> <code>[<code>ippeerlimit</code> <kbd>int</kbd>]</code> <code>[<kbd>flag</kbd> <kbd>...</kbd>]</code></dt>
1653<dd><p>The
1654<kbd>address</kbd>
1655argument expressed in
1656numeric form is the address of a host or network.
1657Alternatively, the
1658<kbd>address</kbd>
1659argument can be a valid hostname.  When a hostname
1660is provided, a restriction entry is created for each
1661address the hostname resolves to, and any provided
1662<kbd>mask</kbd>
1663is ignored and an individual host mask is
1664used for each entry.
1665The
1666<kbd>mask</kbd>
1667argument expressed in numeric form defaults to
1668all bits lit, meaning that the
1669<kbd>address</kbd>
1670is treated as the address of an individual host.
1671A default entry with address and mask all zeroes
1672is always included and is always the first entry in the list.
1673Note that text string
1674<code>default</code>,
1675with no mask option, may
1676be used to indicate the default entry.
1677The
1678<code>ippeerlimit</code>
1679directive limits the number of peer requests for each IP to
1680<kbd>int</kbd>,
1681where a value of -1 means &quot;unlimited&quot;, the current default.
1682A value of 0 means &quot;none&quot;.
1683There would usually be at most 1 peering request per IP,
1684but if the remote peering requests are behind a proxy
1685there could well be more than 1 per IP.
1686In the current implementation,
1687<code>flag</code>
1688always
1689restricts access, i.e., an entry with no flags indicates that free
1690access to the server is to be given.
1691The flags are not orthogonal,
1692in that more restrictive flags will often make less restrictive
1693ones redundant.
1694The flags can generally be classed into two
1695categories, those which restrict time service and those which
1696restrict informational queries and attempts to do run-time
1697reconfiguration of the server.
1698One or more of the following flags
1699may be specified:
1700</p><dl compact="compact">
1701<dt><code>ignore</code></dt>
1702<dd><p>Deny packets of all kinds, including
1703<code>ntpq(1ntpqmdoc)</code>
1704and
1705<code>ntpdc(1ntpdcmdoc)</code>
1706queries.
1707</p></dd>
1708<dt><code>kod</code></dt>
1709<dd><p>If this flag is set when a rate violation occurs, a kiss-o&rsquo;-death
1710(KoD) packet is sometimes sent.
1711KoD packets are rate limited to no more than one per minimum
1712average interpacket spacing, set by
1713<code>discard</code> <code>average</code>
1714defaulting to 8s.  Otherwise, no response is sent.
1715</p></dd>
1716<dt><code>limited</code></dt>
1717<dd><p>Deny service if the packet spacing violates the lower limits specified
1718in the
1719<code>discard</code>
1720command.
1721A history of clients is kept using the
1722monitoring capability of
1723<code>ntpd(1ntpdmdoc)</code>.
1724Thus, monitoring is always active as
1725long as there is a restriction entry with the
1726<code>limited</code>
1727flag.
1728</p></dd>
1729<dt><code>lowpriotrap</code></dt>
1730<dd><p>Declare traps set by matching hosts to be low priority.
1731The
1732number of traps a server can maintain is limited (the current limit
1733is 3).
1734Traps are usually assigned on a first come, first served
1735basis, with later trap requestors being denied service.
1736This flag
1737modifies the assignment algorithm by allowing low priority traps to
1738be overridden by later requests for normal priority traps.
1739</p></dd>
1740<dt><code>noepeer</code></dt>
1741<dd><p>Deny ephemeral peer requests,
1742even if they come from an authenticated source.
1743Note that the ability to use a symmetric key for authentication may be restricted to
1744one or more IPs or subnets via the third field of the
1745<samp>ntp.keys</samp>
1746file.
This restriction is not enabled by default,
to maintain backward compatibility.
1749Expect
1750<code>noepeer</code>
1751to become the default in ntp-4.4.
1752</p></dd>
1753<dt><code>nomodify</code></dt>
1754<dd><p>Deny
1755<code>ntpq(1ntpqmdoc)</code>
1756and
1757<code>ntpdc(1ntpdcmdoc)</code>
1758queries which attempt to modify the state of the
1759server (i.e., run time reconfiguration).
1760Queries which return
1761information are permitted.
1762</p></dd>
1763<dt><code>noquery</code></dt>
1764<dd><p>Deny
1765<code>ntpq(1ntpqmdoc)</code>
1766and
1767<code>ntpdc(1ntpdcmdoc)</code>
1768queries.
1769Time service is not affected.
1770</p></dd>
1771<dt><code>nopeer</code></dt>
1772<dd><p>Deny unauthenticated packets which would result in mobilizing a new association.
1773This includes
1774broadcast and symmetric active packets
1775when a configured association does not exist.
1776It also includes
1777<code>pool</code>
1778associations, so if you want to use servers from a
1779<code>pool</code>
1780directive and also want to use
1781<code>nopeer</code>
1782by default, you&rsquo;ll want a
1783<code>restrict source ...</code>
1784line as well that does
1785<em>not</em>
1786include the
1787<code>nopeer</code>
1788directive.
1789</p></dd>
1790<dt><code>noserve</code></dt>
1791<dd><p>Deny all packets except
1792<code>ntpq(1ntpqmdoc)</code>
1793and
1794<code>ntpdc(1ntpdcmdoc)</code>
1795queries.
1796</p></dd>
1797<dt><code>notrap</code></dt>
1798<dd><p>Decline to provide mode 6 control message trap service to matching
1799hosts.
1800The trap service is a subsystem of the
1801<code>ntpq(1ntpqmdoc)</code>
1802control message
1803protocol which is intended for use by remote event logging programs.
1804</p></dd>
1805<dt><code>notrust</code></dt>
1806<dd><p>Deny service unless the packet is cryptographically authenticated.
1807</p></dd>
1808<dt><code>ntpport</code></dt>
1809<dd><p>This is actually a match algorithm modifier, rather than a
1810restriction flag.
1811Its presence causes the restriction entry to be
1812matched only if the source port in the packet is the standard NTP
1813UDP port (123).
1814There can be two restriction entries with the same IP address if
1815one specifies
1816<code>ntpport</code>
1817and the other does not.
1818The
1819<code>ntpport</code>
1820entry is considered more specific and
1821is sorted later in the list.
1822</p></dd>
1823<dt><code>serverresponse fuzz</code></dt>
<dd><p>When responding to server requests,
1825fuzz the low order bits of the
1826<code>reftime</code>.
1827</p></dd>
1828<dt><code>version</code></dt>
1829<dd><p>Deny packets that do not match the current NTP version.
1830</p></dd>
1831</dl>
1832
1833<p>Default restriction list entries with the flags ignore, interface,
1834ntpport, for each of the local host&rsquo;s interface addresses are
1835inserted into the table at startup to prevent ntpd
1836from attempting to synchronize to itself, such as with
1837<code>manycastclient</code>
1838when
1839<code>manycast</code>
1840is also specified with the same multicast address.
A default entry is also always present; if it is
otherwise unconfigured, no flags are associated
with it (i.e., everything besides your own
NTP server is unrestricted).
1845</p></dd>
1846<dt><code>delrestrict</code> <code>[source]</code> <kbd>address</kbd></dt>
<dd><p>Remove a previously-set restriction.  This is useful for
runtime configuration via
<code>ntpq(1ntpqmdoc)</code>.
If
1851<code>source</code>
1852is specified, a dynamic restriction created from the
1853<code>restrict</code> <code>source</code>
1854template at the time
1855an association was added is removed.  Without
1856<code>source</code>
1857a static restriction is removed.
1858</p></dd>
1859</dl>
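<p>The following Python model, added here for illustration and not taken from <code>ntpd(1ntpdmdoc)</code>, implements the matching rules described above for the <code>restrict</code> and <code>discard</code> commands: entries sorted by increasing address, then increasing mask, with an <code>ntpport</code> entry after its non-<code>ntpport</code> twin; the last match wins; the flag categories (time service versus queries and reconfiguration); and the <code>discard monitor</code> replacement probability. It handles IPv4 numeric addresses only (hostnames, IPv6, <code>ippeerlimit</code> and <code>restrict source</code> are omitted), and the configuration fragment it parses is constructed for the example.</p>

```python
import ipaddress

NTP_PORT = 123


class Restrict:
    """One restrict list entry: network address, mask, ntpport modifier, flags."""
    def __init__(self, addr, mask, flags, ntpport=False):
        self.addr, self.mask = addr, mask
        self.flags, self.ntpport = frozenset(flags), ntpport

    def matches(self, src, src_port):
        # ntpport entries match only packets sent from UDP port 123
        if self.ntpport and src_port != NTP_PORT:
            return False
        return (src & self.mask) == (self.addr & self.mask)


def parse_restrict_lines(lines):
    """Parse 'restrict address [mask m] [flag ...]' lines (IPv4 numeric form;
    hostnames, IPv6 and ippeerlimit are not handled). Returns the list in
    search order, the default entry (address and mask all zeroes) first."""
    entries = [Restrict(0, 0, ())]           # implicit default, no flags
    for line in lines:
        toks = line.split()
        if not toks or toks[0] != "restrict":
            continue                         # comments, blank lines, other commands
        target, rest = toks[1], toks[2:]
        if target == "default":
            addr = mask = 0
        else:
            addr, mask = int(ipaddress.IPv4Address(target)), 0xFFFFFFFF
            if rest[:1] == ["mask"]:
                mask, rest = int(ipaddress.IPv4Address(rest[1])), rest[2:]
        ntpport = "ntpport" in rest
        flags = [f for f in rest if f != "ntpport"]
        if addr == 0 and mask == 0:
            entries[0] = Restrict(0, 0, flags)   # 'restrict default ...' replaces it
        else:
            entries.append(Restrict(addr, mask, flags, ntpport))
    # increasing address, then increasing mask; the ntpport twin is more
    # specific and sorts later, so it wins when both match
    entries.sort(key=lambda e: (e.addr, e.mask, e.ntpport))
    return entries


def lookup(entries, src_ip, src_port=NTP_PORT):
    """Search in order; the last matching entry defines the flags."""
    src = int(ipaddress.IPv4Address(src_ip))
    flags = frozenset()
    for e in entries:
        if e.matches(src, src_port):
            flags = e.flags
    return flags


def permitted(flags, kind, authenticated=False):
    """Apply the flags to a packet of the given kind: 'time' (client/server
    exchange), 'query' (read-only ntpq/ntpdc) or 'modify' (run-time
    reconfiguration). Rate limiting (limited/kod) is handled separately."""
    if "ignore" in flags:
        return False
    if kind == "time":
        if "noserve" in flags:
            return False
        return authenticated or "notrust" not in flags
    if kind == "query":
        return "noquery" not in flags
    if kind == "modify":
        return "noquery" not in flags and "nomodify" not in flags
    raise ValueError("unknown packet kind %r" % kind)


def mru_replace_probability(oldest_age_seconds, monitor=3000):
    """discard monitor: probability that the oldest MRU entry is replaced when
    the list is full, i.e. its age divided by the monitor value, capped at 1."""
    return min(1.0, oldest_age_seconds / monitor)


SAMPLE_CONF = """\
# constructed ntp.conf fragment for this example
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
restrict 10.1.2.3 ignore
restrict 10.1.2.3 ntpport limited kod
""".splitlines()

if __name__ == "__main__":
    table = parse_restrict_lines(SAMPLE_CONF)
    for ip, port in [("192.0.2.7", 123), ("10.5.5.5", 123),
                     ("10.1.2.3", 50000), ("10.1.2.3", 123)]:
        print(ip, port, sorted(lookup(table, ip, port)))
```

<p>Note what the sample table expresses: the bare <code>restrict 127.0.0.1</code> line grants the local host free access because an entry with no flags overrides the flagged default, and <code>10.1.2.3</code> is ignored entirely unless it sends from port 123, in which case the more specific <code>ntpport</code> entry applies and it is merely rate limited.</p>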
1860<hr>
1861<span id="Automatic-NTP-Configuration-Options"></span><div class="header">
1862<p>
1863Next: <a href="#Reference-Clock-Support" accesskey="n" rel="next">Reference Clock Support</a>, Previous: <a href="#Access-Control-Support" accesskey="p" rel="prev">Access Control Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
1864</div>
1865<span id="Automatic-NTP-Configuration-Options-1"></span><h4 class="subsection">1.1.5 Automatic NTP Configuration Options</h4>
1866<span id="Manycasting"></span><h4 class="subsubsection">1.1.5.1 Manycasting</h4>
<p>Manycasting is an automatic discovery and configuration paradigm
new to NTPv4.
1869It is intended as a means for a multicast client
1870to troll the nearby network neighborhood to find cooperating
1871manycast servers, validate them using cryptographic means
1872and evaluate their time values with respect to other servers
1873that might be lurking in the vicinity.
1874The intended result is that each manycast client mobilizes
1875client associations with some number of the &quot;best&quot;
1876of the nearby manycast servers, yet automatically reconfigures
1877to sustain this number of servers should one or another fail.
1878</p>
1879<p>Note that the manycasting paradigm does not coincide
1880with the anycast paradigm described in RFC-1546,
1881which is designed to find a single server from a clique
1882of servers providing the same service.
1883The manycast paradigm is designed to find a plurality
1884of redundant servers satisfying defined optimality criteria.
1885</p>
1886<p>Manycasting can be used with either symmetric key
1887or public key cryptography.
1888The public key infrastructure (PKI)
1889offers the best protection against compromised keys
1890and is generally considered stronger, at least with relatively
1891large key sizes.
1892It is implemented using the Autokey protocol and
1893the OpenSSL cryptographic library available from
1894<code>http://www.openssl.org/</code>.
1895The library can also be used with other NTPv4 modes
1896as well and is highly recommended, especially for broadcast modes.
1897</p>
1898<p>A persistent manycast client association is configured
1899using the
1900<code>manycastclient</code>
1901command, which is similar to the
1902<code>server</code>
1903command but with a multicast (IPv4 class
1904<code>D</code>
1905or IPv6 prefix
1906<code>FF</code>)
1907group address.
The IANA has designated IPv4 address 224.0.1.1
and IPv6 address FF05::101 (site local) for NTP.
1910When more servers are needed, it broadcasts manycast
1911client messages to this address at the minimum feasible rate
1912and minimum feasible time-to-live (TTL) hops, depending
1913on how many servers have already been found.
There can be as many manycast client associations
as there are different group addresses, each one serving as a template
for a future ephemeral unicast client/server association.
1917</p>
1918<p>Manycast servers configured with the
1919<code>manycastserver</code>
1920command listen on the specified group address for manycast
1921client messages.
1922Note the distinction between manycast client,
1923which actively broadcasts messages, and manycast server,
1924which passively responds to them.
1925If a manycast server is
1926in scope of the current TTL and is itself synchronized
1927to a valid source and operating at a stratum level equal
1928to or lower than the manycast client, it replies to the
1929manycast client message with an ordinary unicast server message.
1930</p>
1931<p>The manycast client receiving this message mobilizes
1932an ephemeral client/server association according to the
1933matching manycast client template, but only if cryptographically
1934authenticated and the server stratum is less than or equal
1935to the client stratum.
1936Authentication is explicitly required
1937and either symmetric key or public key (Autokey) can be used.
1938Then, the client polls the server at its unicast address
1939in burst mode in order to reliably set the host clock
1940and validate the source.
This normally results
in a volley of eight client/server exchanges at 2-s intervals
during which both the synchronization and cryptographic
protocols run concurrently.
1945Following the volley,
1946the client runs the NTP intersection and clustering
1947algorithms, which act to discard all but the &quot;best&quot;
1948associations according to stratum and synchronization
1949distance.
1950The surviving associations then continue
1951in ordinary client/server mode.
1952</p>
1953<p>The manycast client polling strategy is designed to reduce
1954as much as possible the volume of manycast client messages
1955and the effects of implosion due to near-simultaneous
1956arrival of manycast server messages.
1957The strategy is determined by the
1958<code>manycastclient</code>,
1959<code>tos</code>
1960and
1961<code>ttl</code>
1962configuration commands.
1963The manycast poll interval is
1964normally eight times the system poll interval,
1965which starts out at the
1966<code>minpoll</code>
1967value specified in the
<code>manycastclient</code>
command and, under normal circumstances, increments to the
<code>maxpoll</code>
value specified in this command.
1972Initially, the TTL is
1973set at the minimum hops specified by the
1974<code>ttl</code>
1975command.
At each retransmission the TTL is increased until reaching
the maximum hops specified by this command or a sufficient
number of client associations have been found.
1979Further retransmissions use the same TTL.
1980</p>
1981<p>The quality and reliability of the suite of associations
1982discovered by the manycast client is determined by the NTP
1983mitigation algorithms and the
1984<code>minclock</code>
1985and
1986<code>minsane</code>
1987values specified in the
1988<code>tos</code>
1989configuration command.
1990At least
1991<code>minsane</code>
1992candidate servers must be available and the mitigation
1993algorithms produce at least
1994<code>minclock</code>
1995survivors in order to synchronize the clock.
1996Byzantine agreement principles require at least four
1997candidates in order to correctly discard a single falseticker.
1998For legacy purposes,
1999<code>minsane</code>
2000defaults to 1 and
2001<code>minclock</code>
2002defaults to 3.
2003For manycast service
2004<code>minsane</code>
2005should be explicitly set to 4, assuming at least that
2006number of servers are available.
2007</p>
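<p>The following Python function, added here as an example rather than code from <code>ntpd(1ntpdmdoc)</code>, is a compact reimplementation of the intersection (selection) algorithm of RFC 5905 that the mitigation described above relies on, with a <code>minsane</code> gate in front of it. The candidate offsets and root distances are constructed: three servers that agree to within a few milliseconds and one falseticker five seconds out. The clustering step that reduces the survivors to <code>minclock</code> is not included.</p>

```python
def select_truechimers(candidates, minsane=1):
    """Intersection algorithm of RFC 5905 section 11.2.1 (simplified).
    candidates: list of (name, offset, root_distance) in seconds; each defines
    a correctness interval [offset - root_distance, offset + root_distance].
    Returns the names of the truechimers, i.e. the candidates whose interval
    overlaps the largest majority intersection, or [] when fewer than minsane
    candidates exist or no majority agrees (the clock is then left undisciplined)."""
    n = len(candidates)
    if n == 0 or n < minsane:
        return []
    # chime list: (edge, type) with type -1 = lower endpoint, 0 = midpoint, +1 = upper
    chime = []
    for _name, theta, lam in candidates:
        chime += [(theta - lam, -1), (theta, 0), (theta + lam, +1)]
    chime.sort()
    low = high = None
    for allow in range((n + 1) // 2):        # tolerate allow < n/2 falsetickers
        found = count = 0
        low = high = None
        for edge, typ in chime:              # scan up: where n - allow intervals overlap
            count -= typ
            if count >= n - allow:
                low = edge
                break
            if typ == 0:
                found += 1                   # midpoint lying outside the intersection
        count = 0
        for edge, typ in reversed(chime):    # scan down for the upper endpoint
            count += typ
            if count >= n - allow:
                high = edge
                break
            if typ == 0:
                found += 1
        if low is not None and high is not None and found <= allow and low < high:
            break
    else:
        return []                            # no majority intersection for any allow
    return [name for name, theta, lam in candidates
            if theta - lam <= high and theta + lam >= low]


# Constructed candidates: three servers agreeing within a few milliseconds and
# one falseticker five seconds out.
CANDIDATES = [
    ("ntp1", 0.000, 0.010),
    ("ntp2", 0.004, 0.012),
    ("ntp3", -0.003, 0.009),
    ("rogue", 5.000, 0.020),
]

if __name__ == "__main__":
    print(select_truechimers(CANDIDATES, minsane=4))            # ['ntp1', 'ntp2', 'ntp3']
    print(select_truechimers([CANDIDATES[0], CANDIDATES[3]]))    # []  (two sources, no majority)
    print(select_truechimers(CANDIDATES[:3], minsane=4))         # []  (below minsane)
```

<p>With only the first and the rogue source present, neither can outvote the other and the function returns no survivors, which is the situation <code>minsane</code> is meant to prevent from being mistaken for agreement.</p>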
2008<p>If at least
2009<code>minclock</code>
2010servers are found, the manycast poll interval is immediately
2011set to eight times
2012<code>maxpoll</code>.
2013If less than
2014<code>minclock</code>
2015servers are found when the TTL has reached the maximum hops,
2016the manycast poll interval is doubled.
2017For each transmission
2018after that, the poll interval is doubled again until
2019reaching the maximum of eight times
2020<code>maxpoll</code>.
2021Further transmissions use the same poll interval and
2022TTL values.
Note that while all this is going on,
each client/server association found is operating normally
at the system poll interval.
2026</p>
2027<p>Administratively scoped multicast boundaries are normally
2028specified by the network router configuration and,
2029in the case of IPv6, the link/site scope prefix.
2030By default, the increment for TTL hops is 32 starting
2031from 31; however, the
2032<code>ttl</code>
2033configuration command can be
2034used to modify the values to match the scope rules.
2035</p>
2036<p>It is often useful to narrow the range of acceptable
2037servers which can be found by manycast client associations.
2038Because manycast servers respond only when the client
2039stratum is equal to or greater than the server stratum,
primary (stratum 1) servers will find only primary servers
2041in TTL range, which is probably the most common objective.
2042However, unless configured otherwise, all manycast clients
2043in TTL range will eventually find all primary servers
2044in TTL range, which is probably not the most common
2045objective in large networks.
2046The
2047<code>tos</code>
2048command can be used to modify this behavior.
2049Servers with stratum below
2050<code>floor</code>
2051or above
2052<code>ceiling</code>
2053specified in the
2054<code>tos</code>
command are strongly discouraged during the selection
process; however, these servers may be temporarily
2057accepted if the number of servers within TTL range is
2058less than
2059<code>minclock</code>.
2060</p>
2061<p>The above actions occur for each manycast client message,
2062which repeats at the designated poll interval.
2063However, once the ephemeral client association is mobilized,
2064subsequent manycast server replies are discarded,
2065since that would result in a duplicate association.
2066If during a poll interval the number of client associations
2067falls below
2068<code>minclock</code>,
2069all manycast client prototype associations are reset
2070to the initial poll interval and TTL hops and operation
2071resumes from the beginning.
2072It is important to avoid
2073frequent manycast client messages, since each one requires
2074all manycast servers in TTL range to respond.
2075The result could well be an implosion, either minor or major,
2076depending on the number of servers in range.
2077The recommended value for
2078<code>maxpoll</code>
2079is 12 (4,096 s).
2080</p>
2081<p>It is possible and frequently useful to configure a host
2082as both manycast client and manycast server.
2083A number of hosts configured this way and sharing a common
2084group address will automatically organize themselves
2085in an optimum configuration based on stratum and
2086synchronization distance.
2087For example, consider an NTP
2088subnet of two primary servers and a hundred or more
2089dependent clients.
Apart from the two primary servers, all servers
and clients have identical configuration files including both
<code>manycastclient</code>
and
<code>manycastserver</code>
commands using, for instance, multicast group address
239.1.1.1.
The only difference is that each primary server
configuration file must also include commands for the primary
2099reference source such as a GPS receiver.
2100</p>
2101<p>The remaining configuration files for all secondary
2102servers and clients have the same contents, except for the
2103<code>tos</code>
2104command, which is specific for each stratum level.
2105For stratum 1 and stratum 2 servers, that command is
2106not necessary.
2107For stratum 3 and above servers the
2108<code>floor</code>
2109value is set to the intended stratum number.
2110Thus, all stratum 3 configuration files are identical,
2111all stratum 4 files are identical and so forth.
2112</p>
2113<p>Once operations have stabilized in this scenario,
2114the primary servers will find the primary reference source
2115and each other, since they both operate at the same
2116stratum (1), but not with any secondary server or client,
2117since these operate at a higher stratum.
2118The secondary
2119servers will find the servers at the same stratum level.
2120If one of the primary servers loses its GPS receiver,
2121it will continue to operate as a client and other clients
2122will time out the corresponding association and
2123re-associate accordingly.
2124</p>
2125<p>Some administrators prefer to avoid running
2126<code>ntpd(1ntpdmdoc)</code>
2127continuously and run either
2128<code>sntp(1sntpmdoc)</code>
2129or
2130<code>ntpd(1ntpdmdoc)</code>
2131<code>-q</code>
2132as a cron job.
2133In either case the servers must be
2134configured in advance and the program fails if none are
2135available when the cron job runs.
2136A really slick
2137application of manycast is with
2138<code>ntpd(1ntpdmdoc)</code>
2139<code>-q</code>.
2140The program wakes up, scans the local landscape looking
2141for the usual suspects, selects the best from among
2142the rascals, sets the clock and then departs.
2143Servers do not have to be configured in advance and
2144all clients throughout the network can have the same
2145configuration file.
2146</p><span id="Manycast-Interactions-with-Autokey"></span><h4 class="subsubsection">1.1.5.2 Manycast Interactions with Autokey</h4>
2147<p>Each time a manycast client sends a client mode packet
2148to a multicast group address, all manycast servers
2149in scope generate a reply including the host name
2150and status word.
2151The manycast clients then run
2152the Autokey protocol, which collects and verifies
2153all certificates involved.
2154Following the burst interval
2155all but three survivors are cast off,
2156but the certificates remain in the local cache.
2157It often happens that several complete signing trails
2158from the client to the primary servers are collected in this way.
2159</p>
2160<p>About once an hour or less often if the poll interval
2161exceeds this, the client regenerates the Autokey key list.
2162This is in general transparent in client/server mode.
2163However, about once per day the server private value
2164used to generate cookies is refreshed along with all
2165manycast client associations.
In this case all
cryptographic values including certificates are refreshed.
2168If a new certificate has been generated since
2169the last refresh epoch, it will automatically revoke
2170all prior certificates that happen to be in the
2171certificate cache.
2172At the same time, the manycast
2173scheme starts all over from the beginning and
2174the expanding ring shrinks to the minimum and increments
2175from there while collecting all servers in scope.
2176</p><span id="Broadcast-Options"></span><h4 class="subsubsection">1.1.5.3 Broadcast Options</h4>
2177<dl compact="compact">
2178<dt><code>tos</code> <code>[<code>bcpollbstep</code> <kbd>gate</kbd>]</code></dt>
2179<dd><p>This command provides a way to delay,
2180by the specified number of broadcast poll intervals,
2181believing backward time steps from a broadcast server.
2182Broadcast time networks are expected to be trusted.
2183In the event a broadcast server&rsquo;s time is stepped backwards,
2184there is clear benefit to having the clients notice this change
2185as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built into
broadcast mode, attempts to perform a replay attack are possible.
2189This value defaults to 0, but can be changed
2190to any number of poll intervals between 0 and 4.
2191</p></dd>
2192</dl>
2193<span id="Manycast-Options"></span><h4 class="subsubsection">1.1.5.4 Manycast Options</h4>
2194<dl compact="compact">
2195<dt><code>tos</code> <code>[<code>ceiling</code> <kbd>ceiling</kbd> | <code>cohort</code> <code>{</code> <code>0</code> | <code>1</code> <code>}</code> | <code>floor</code> <kbd>floor</kbd> | <code>minclock</code> <kbd>minclock</kbd> | <code>minsane</code> <kbd>minsane</kbd>]</code></dt>
2196<dd><p>This command affects the clock selection and clustering
2197algorithms.
2198It can be used to select the quality and
2199quantity of peers used to synchronize the system clock
2200and is most useful in manycast mode.
2201The variables operate
2202as follows:
2203</p><dl compact="compact">
2204<dt><code>ceiling</code> <kbd>ceiling</kbd></dt>
2205<dd><p>Peers with strata above
2206<code>ceiling</code>
2207will be discarded if there are at least
2208<code>minclock</code>
2209peers remaining.
2210This value defaults to 15, but can be changed
2211to any number from 1 to 15.
2212</p></dd>
2213<dt><code>cohort</code> <code>{0 | 1}</code></dt>
2214<dd><p>This is a binary flag which enables (0) or disables (1)
2215manycast server replies to manycast clients with the same
2216stratum level.
2217This is useful to reduce implosions where
2218large numbers of clients with the same stratum level
2219are present.
The default is to enable these replies.
</p></dd>
<dt><code>floor</code> <kbd>floor</kbd></dt>
<dd><p>Peers with strata below
<code>floor</code>
will be discarded if there are at least
<code>minclock</code>
peers remaining.
This value defaults to 1, but can be changed
to any number from 1 to 15.
</p></dd>
<dt><code>minclock</code> <kbd>minclock</kbd></dt>
<dd><p>The clustering algorithm repeatedly casts out outlier
associations until no more than
<code>minclock</code>
associations remain.
This value defaults to 3,
but can be changed to any number from 1 to the number of
configured sources.
</p></dd>
<dt><code>minsane</code> <kbd>minsane</kbd></dt>
<dd><p>This is the minimum number of candidates available
to the clock selection algorithm in order to produce
one or more truechimers for the clustering algorithm.
If fewer than this number are available, the clock is
undisciplined and allowed to run free.
The default is 1
for legacy purposes.
However, according to principles of
Byzantine agreement,
<code>minsane</code>
should be at least 4 in order to detect and discard
a single falseticker.
</p></dd>
</dl>
</dd>
<dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd></dt>
<dd><p>This command specifies a list of TTL values in increasing
order; up to 8 values can be specified.
In manycast mode these values are used in turn
in an expanding-ring search.
The default is eight
multiples of 32 starting at 31.
</p></dd>
</dl>
<hr>
<span id="Reference-Clock-Support"></span><div class="header">
<p>
Next: <a href="#Miscellaneous-Options" accesskey="n" rel="next">Miscellaneous Options</a>, Previous: <a href="#Automatic-NTP-Configuration-Options" accesskey="p" rel="prev">Automatic NTP Configuration Options</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
</div>
<span id="Reference-Clock-Support-1"></span><h4 class="subsection">1.1.6 Reference Clock Support</h4>
<p>The NTP Version 4 daemon supports some three dozen different radio,
satellite and modem reference clocks plus a special pseudo-clock
used for backup or when no other clock source is available.
Detailed descriptions of individual device drivers and options can
be found in the
&quot;Reference Clock Drivers&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
Additional information can be found in the pages linked
there, including the
&quot;Debugging Hints for Reference Clock Drivers&quot;
and
&quot;How To Write a Reference Clock Driver&quot;
pages
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
In addition, support for a PPS
signal is available as described in the
&quot;Pulse-per-second (PPS) Signal Interfacing&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
Many
drivers support special line discipline/streams modules which can
significantly improve the accuracy of the driver.
These are
described in the
&quot;Line Disciplines and Streams Drivers&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
</p>
<p>A reference clock will generally (though not always) be a radio
timecode receiver which is synchronized to a source of standard
time such as the services offered by the NRC in Canada and NIST and
USNO in the US.
The interface between the computer and the timecode
receiver is device dependent, but is usually a serial port.
A
device driver specific to each reference clock must be selected and
compiled in the distribution; however, most common radio, satellite
and modem clocks are included by default.
Note that an attempt to
configure a reference clock when the driver has not been compiled
or the hardware port has not been appropriately configured results
in a scalding remark to the system log file, but is otherwise
non-hazardous.
</p>
<p>For the purposes of configuration,
<code>ntpd(1ntpdmdoc)</code>
treats
reference clocks in a manner analogous to normal NTP peers as much
as possible.
Reference clocks are identified by a syntactically
correct but invalid IP address, in order to distinguish them from
normal NTP peers.
Reference clock addresses are of the form
<code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd>,
where
<kbd>t</kbd>
is an integer
denoting the clock type and
<kbd>u</kbd>
indicates the unit
number in the range 0-3.
While it may seem overkill, it is in fact
sometimes useful to configure multiple reference clocks of the same
type, in which case the unit numbers must be unique.
</p>
<p>The
<code>server</code>
command is used to configure a reference
clock, where the
<kbd>address</kbd>
argument in that command
is the clock address.
The
<code>key</code>,
<code>version</code>
and
<code>ttl</code>
options are not used for reference clock support.
The
<code>mode</code>
option is added for reference clock support, as
described below.
The
<code>prefer</code>
option can be useful to
persuade the server to cherish a reference clock with somewhat more
enthusiasm than other reference clocks or peers.
Further
information on this option can be found in the
&quot;Mitigation Rules and the prefer Keyword&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
The
<code>minpoll</code>
and
<code>maxpoll</code>
options have
meaning only for selected clock drivers.
See the individual clock
driver document pages for additional information.
</p>
<p>The
<code>fudge</code>
command is used to provide additional
information for individual clock drivers and normally follows
immediately after the
<code>server</code>
command.
The
<kbd>address</kbd>
argument specifies the clock address.
The
<code>refid</code>
and
<code>stratum</code>
options can be used to
override the defaults for the device.
There are two optional
device-dependent time offsets and four flags that can be included
in the
<code>fudge</code>
command as well.
</p>
<p>The stratum number of a reference clock is by default zero.
Since the
<code>ntpd(1ntpdmdoc)</code>
daemon adds one to the stratum of each
peer, a primary server ordinarily displays an external stratum of
one.
In order to provide engineered backups, it is often useful to
specify the reference clock stratum as greater than zero.
The
<code>stratum</code>
option is used for this purpose.
Also, in cases
involving both a reference clock and a pulse-per-second (PPS)
discipline signal, it is useful to specify the reference clock
identifier as other than the default, depending on the driver.
The
<code>refid</code>
option is used for this purpose.
Except where noted,
these options apply to all clock drivers.
</p><span id="Reference-Clock-Commands"></span><h4 class="subsubsection">1.1.6.1 Reference Clock Commands</h4>
<dl compact="compact">
<dt><code>server</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[<code>prefer</code>]</code> <code>[<code>mode</code> <kbd>int</kbd>]</code> <code>[<code>minpoll</code> <kbd>int</kbd>]</code> <code>[<code>maxpoll</code> <kbd>int</kbd>]</code></dt>
<dd><p>This command can be used to configure reference clocks in
special ways.
The options are interpreted as follows:
</p><dl compact="compact">
<dt><code>prefer</code></dt>
<dd><p>Marks the reference clock as preferred.
All other things being
equal, this host will be chosen for synchronization among a set of
correctly operating hosts.
See the
&quot;Mitigation Rules and the prefer Keyword&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>)
for further information.
</p></dd>
<dt><code>mode</code> <kbd>int</kbd></dt>
<dd><p>Specifies a mode number which is interpreted in a
device-specific fashion.
For instance, it selects a dialing
protocol in the ACTS driver and a device subtype in the
parse
drivers.
</p></dd>
<dt><code>minpoll</code> <kbd>int</kbd></dt>
<dt><code>maxpoll</code> <kbd>int</kbd></dt>
<dd><p>These options specify the minimum and maximum polling interval
for reference clock messages, as a power of 2 in seconds.
For
most directly connected reference clocks, both
<code>minpoll</code>
and
<code>maxpoll</code>
default to 6 (64 s).
For modem reference clocks,
<code>minpoll</code>
defaults to 10 (17.1 m) and
<code>maxpoll</code>
defaults to 14 (4.5 h).
The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
</p></dd>
</dl>
</dd>
<dt><code>fudge</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[<code>time1</code> <kbd>sec</kbd>]</code> <code>[<code>time2</code> <kbd>sec</kbd>]</code> <code>[<code>stratum</code> <kbd>int</kbd>]</code> <code>[<code>refid</code> <kbd>string</kbd>]</code> <code>[<code>mode</code> <kbd>int</kbd>]</code> <code>[<code>flag1</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag2</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag3</code> <code>0</code> <code>|</code> <code>1</code>]</code> <code>[<code>flag4</code> <code>0</code> <code>|</code> <code>1</code>]</code></dt>
<dd><p>This command can be used to configure reference clocks in
special ways.
It must immediately follow the
<code>server</code>
command which configures the driver.
Note that the same capability
is possible at run time using the
<code>ntpdc(1ntpdcmdoc)</code>
program.
The options are interpreted as
follows:
</p><dl compact="compact">
<dt><code>time1</code> <kbd>sec</kbd></dt>
<dd><p>Specifies a constant to be added to the time offset produced by
the driver, a fixed-point decimal number in seconds.
This is used
as a calibration constant to adjust the nominal time offset of a
particular clock to agree with an external standard, such as a
precision PPS signal.
It also provides a way to correct a
systematic error or bias due to serial port or operating system
latencies, different cable lengths or receiver internal delay.
The
specified offset is in addition to the propagation delay provided
by other means, such as internal DIP switches.
Where a calibration
for an individual system and driver is available, an approximate
correction is noted in the driver documentation pages.
Note: in order to facilitate calibration when more than one
radio clock or PPS signal is supported, a special calibration
feature is available.
It takes the form of an argument to the
<code>enable</code>
command described in the
<a href="#Miscellaneous-Options">Miscellaneous Options</a>
page and operates as described in the
&quot;Reference Clock Drivers&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
</p></dd>
<dt><code>time2</code> <kbd>sec</kbd></dt>
<dd><p>Specifies a fixed-point decimal number in seconds, which is
interpreted in a driver-dependent way.
See the descriptions of
specific drivers in the
&quot;Reference Clock Drivers&quot;
page
(available as part of the HTML documentation
provided in
<samp>/usr/share/doc/ntp</samp>).
</p></dd>
<dt><code>stratum</code> <kbd>int</kbd></dt>
<dd><p>Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
This number overrides the default stratum number
ordinarily assigned by the driver itself, usually zero.
</p></dd>
<dt><code>refid</code> <kbd>string</kbd></dt>
<dd><p>Specifies an ASCII string of from one to four characters which
defines the reference identifier used by the driver.
This string
overrides the default identifier ordinarily assigned by the driver
itself.
</p></dd>
<dt><code>mode</code> <kbd>int</kbd></dt>
<dd><p>Specifies a mode number which is interpreted in a
device-specific fashion.
For instance, it selects a dialing
protocol in the ACTS driver and a device subtype in the
parse
drivers.
</p></dd>
<dt><code>flag1</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dt><code>flag2</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dt><code>flag3</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dt><code>flag4</code> <code>0</code> <code>|</code> <code>1</code></dt>
<dd><p>These four flags are used for customizing the clock driver.
The
interpretation of these values, and whether they are used at all,
is a function of the particular clock driver.
However, by
convention
<code>flag4</code>
is used to enable recording monitoring
data to the
<code>clockstats</code>
file configured with the
<code>filegen</code>
command.
Further information on the
<code>filegen</code>
command can be found in
&lsquo;Monitoring Options&rsquo;.
</p></dd>
</dl>
</dd>
</dl>
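<p>The constraints stated above (unit numbers 0-3, a <code>fudge</code> line immediately after its <code>server</code> line, stratum 0-15, a one-to-four character ASCII <code>refid</code>, polling exponents 4-17) can be checked before a configuration is installed. The following Python is an added example written for this page, not code from the NTP distribution. The configuration it scans is constructed here, and the driver numbers in it (20 and 22) are only assumed to be the NMEA and PPS drivers; check them against the &quot;Reference Clock Drivers&quot; page for your build.</p>

```python
"""Check the reference-clock lines of an ntp.conf (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Limits stated in the manual text above.
REFCLOCK_RE = re.compile(r"^127\.127\.(\d{1,3})\.(\d{1,3})$")
UNIT_RANGE = range(0, 4)      # unit number 0-3
STRATUM_RANGE = range(0, 16)  # fudge stratum 0-15
POLL_RANGE = range(4, 18)     # minpoll/maxpoll 4-17
SERVER_OPTS = {"prefer", "mode", "minpoll", "maxpoll"}
FUDGE_OPTS = {"time1", "time2", "stratum", "refid", "mode",
              "flag1", "flag2", "flag3", "flag4"}

@dataclass
class RefClock:
    clock_type: int
    unit: int
    server: Dict[str, str] = field(default_factory=dict)
    fudge: Dict[str, str] = field(default_factory=dict)

def parse_refclock_address(addr: str) -> Optional[Tuple[int, int]]:
    """Return (type, unit) for a 127.127.t.u address, None for anything else."""
    m = REFCLOCK_RE.match(addr)
    return (int(m.group(1)), int(m.group(2))) if m else None

def _parse_opts(tokens: List[str], allowed: Set[str],
                errors: List[str], where: str) -> Dict[str, str]:
    """Turn 'key value key value ...' into a dict; 'prefer' takes no value."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key not in allowed:
            errors.append(f"{where}: unknown option {key!r}")
            i += 1
        elif key == "prefer":
            opts[key], i = "1", i + 1
        elif i + 1 >= len(tokens):
            errors.append(f"{where}: option {key!r} needs a value")
            break
        else:
            opts[key], i = tokens[i + 1], i + 2
    return opts

def _in_range(value: str, rng: range) -> bool:
    return value.isdigit() and int(value) in rng

def check_refclocks(conf: str) -> Tuple[Dict[Tuple[int, int], RefClock], List[str]]:
    """Return (clocks keyed by (type, unit), list of error strings)."""
    clocks: Dict[Tuple[int, int], RefClock] = {}
    seen_server: Set[Tuple[int, int]] = set()
    errors: List[str] = []
    last_server: Optional[Tuple[int, int]] = None  # fudge must follow its server line
    for n, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue                    # blank or comment-only line
        if tokens[0] not in ("server", "fudge"):
            last_server = None
            continue
        cmd, rest, where = tokens[0], tokens[1:], f"line {n}"
        tu = parse_refclock_address(rest[0]) if rest else None
        if tu is None:                  # an ordinary network peer, or a malformed line
            if cmd == "fudge":
                errors.append(f"{where}: fudge needs a 127.127.t.u address")
            last_server = None
            continue
        ctype, unit = tu
        if unit not in UNIT_RANGE:
            errors.append(f"{where}: unit {unit} outside 0-3")
        clock = clocks.setdefault(tu, RefClock(ctype, unit))
        if cmd == "server":
            if tu in seen_server:
                errors.append(f"{where}: duplicate refclock 127.127.{ctype}.{unit}")
            seen_server.add(tu)
            clock.server = _parse_opts(rest[1:], SERVER_OPTS, errors, where)
            for k in ("minpoll", "maxpoll"):
                if k in clock.server and not _in_range(clock.server[k], POLL_RANGE):
                    errors.append(f"{where}: {k} {clock.server[k]} outside 4-17")
            last_server = tu
            continue
        if last_server != tu:
            errors.append(f"{where}: fudge must immediately follow server 127.127.{ctype}.{unit}")
        clock.fudge = _parse_opts(rest[1:], FUDGE_OPTS, errors, where)
        s = clock.fudge.get("stratum")
        if s is not None and not _in_range(s, STRATUM_RANGE):
            errors.append(f"{where}: stratum {s} outside 0-15")
        r = clock.fudge.get("refid")
        if r is not None and not (1 <= len(r) <= 4 and r.isascii()):
            errors.append(f"{where}: refid {r!r} must be 1-4 ASCII characters")
        for flag in ("flag1", "flag2", "flag3", "flag4"):
            if clock.fudge.get(flag, "0") not in ("0", "1"):
                errors.append(f"{where}: {flag} must be 0 or 1")
        last_server = None
    return clocks, errors

# Constructed sample, not a real deployment. Driver numbers 20 (NMEA) and
# 22 (PPS) are assumed; check the Reference Clock Drivers page for your build.
SAMPLE_CONF = """\
server 127.127.20.0 mode 16 minpoll 4 maxpoll 4 prefer
fudge  127.127.20.0 time1 0.0 refid GPS flag1 1
server 127.127.22.0
fudge  127.127.22.0 refid PPS stratum 0 flag3 1
fudge  127.127.22.1 stratum 16       # no server line before it, bad stratum
server 127.127.20.4 minpoll 3         # unit outside 0-3, minpoll below 4
"""

if __name__ == "__main__":
    found, problems = check_refclocks(SAMPLE_CONF)
    for c in found.values():
        print(f"127.127.{c.clock_type}.{c.unit}: server={c.server} fudge={c.fudge}")
    for p in problems:
        print("ERROR:", p)
```

<p>Run against the constructed sample, the two well-formed clock/fudge pairs are accepted and the last two lines produce four errors: a <code>fudge</code> with no preceding <code>server</code> line, a stratum of 16, a unit number of 4 and a <code>minpoll</code> of 3.</p>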
<hr>
<span id="Miscellaneous-Options"></span><div class="header">
<p>
Next: <a href="#ntp_002econf-Files" accesskey="n" rel="next">ntp.conf Files</a>, Previous: <a href="#Reference-Clock-Support" accesskey="p" rel="prev">Reference Clock Support</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
</div>
<span id="Miscellaneous-Options-1"></span><h4 class="subsection">1.1.7 Miscellaneous Options</h4>
<dl compact="compact">
<dt><code>broadcastdelay</code> <kbd>seconds</kbd></dt>
<dd><p>The broadcast and multicast modes require a special calibration
to determine the network delay between the local and remote
servers.
Ordinarily, this is done automatically by the initial
protocol exchanges between the client and server.
In some cases,
the calibration procedure may fail due to network or server access
controls, for example.
This command specifies the default delay to
be used under these circumstances.
Typically (for Ethernet), a
number between 0.003 and 0.007 seconds is appropriate.
The default
when this command is not used is 0.004 seconds.
</p></dd>
<dt><code>driftfile</code> <kbd>driftfile</kbd></dt>
<dd><p>This command specifies the complete path and name of the file used to
record the frequency of the local clock oscillator.
This is the same
operation as the
<code>-f</code>
command line option.
If the file exists, it is read at
startup in order to set the initial frequency and then updated once per
hour with the current frequency computed by the daemon.
If the file name is
specified, but the file itself does not exist, the daemon starts with an initial
frequency of zero and creates the file when writing it for the first time.
If this command is not given, the daemon will always start with an initial
frequency of zero.
</p>
<p>The file format consists of a single line containing a single
floating point number, which records the frequency offset measured
in parts-per-million (PPM).
The file is updated by first writing
the current drift value into a temporary file and then renaming
this file to replace the old version.
This implies that
<code>ntpd(1ntpdmdoc)</code>
must have write permission for the directory the
drift file is located in, and that file system links, symbolic or
otherwise, should be avoided.
</p></dd>
<dt><code>dscp</code> <kbd>value</kbd></dt>
<dd><p>This option specifies the Differentiated Services Code Point (DSCP) value,
a 6-bit code.
The default value is 46, signifying Expedited Forwarding.
</p></dd>
<dt><code>enable</code> <code>[<code>auth</code> | <code>bclient</code> | <code>calibrate</code> | <code>kernel</code> | <code>mode7</code> | <code>monitor</code> | <code>ntp</code> | <code>stats</code> | <code>peer_clear_digest_early</code> | <code>unpeer_crypto_early</code> | <code>unpeer_crypto_nak_early</code> | <code>unpeer_digest_early</code>]</code></dt>
<dt><code>disable</code> <code>[<code>auth</code> | <code>bclient</code> | <code>calibrate</code> | <code>kernel</code> | <code>mode7</code> | <code>monitor</code> | <code>ntp</code> | <code>stats</code> | <code>peer_clear_digest_early</code> | <code>unpeer_crypto_early</code> | <code>unpeer_crypto_nak_early</code> | <code>unpeer_digest_early</code>]</code></dt>
<dd><p>Provides a way to enable or disable various server options.
Flags not mentioned are unaffected.
Note that all of these flags
can be controlled remotely using the
<code>ntpdc(1ntpdcmdoc)</code>
utility program.
</p><dl compact="compact">
<dt><code>auth</code></dt>
<dd><p>Enables the server to synchronize with unconfigured peers only if the
peer has been correctly authenticated using either public key or
private key cryptography.
The default for this flag is
<code>enable</code>.
</p></dd>
<dt><code>bclient</code></dt>
<dd><p>Enables the server to listen for a message from a broadcast or
multicast server, as in the
<code>multicastclient</code>
command with default
address.
The default for this flag is
<code>disable</code>.
</p></dd>
<dt><code>calibrate</code></dt>
<dd><p>Enables the calibrate feature for reference clocks.
The default for
this flag is
<code>disable</code>.
</p></dd>
<dt><code>kernel</code></dt>
<dd><p>Enables the kernel time discipline, if available.
The default for this
flag is
<code>enable</code>
if support is available, otherwise
<code>disable</code>.
</p></dd>
<dt><code>mode7</code></dt>
<dd><p>Enables processing of NTP mode 7 implementation-specific requests
which are used by the deprecated
<code>ntpdc(1ntpdcmdoc)</code>
program.
The default for this flag is
<code>disable</code>.
This flag is excluded from runtime configuration using
<code>ntpq(1ntpqmdoc)</code>.
The
<code>ntpq(1ntpqmdoc)</code>
program provides the same capabilities as
<code>ntpdc(1ntpdcmdoc)</code>
using standard mode 6 requests.
</p></dd>
<dt><code>monitor</code></dt>
<dd><p>Enables the monitoring facility.
See the
<code>ntpdc(1ntpdcmdoc)</code>
program
and the
<code>monlist</code>
command for further information.
The
default for this flag is
<code>enable</code>.
</p></dd>
<dt><code>ntp</code></dt>
<dd><p>Enables time and frequency discipline.
In effect, this switch opens and
closes the feedback loop, which is useful for testing.
The default for
this flag is
<code>enable</code>.
</p></dd>
<dt><code>peer_clear_digest_early</code></dt>
<dd><p>By default, if
<code>ntpd(1ntpdmdoc)</code>
is using autokey and it
receives a crypto-NAK packet that
passes the duplicate packet and origin timestamp checks,
the peer variables are immediately cleared.
While this is generally a feature
as it allows for quick recovery if a server key has changed,
a properly forged and appropriately delivered crypto-NAK packet
can be used in a DoS attack.
If you have active, noticeable problems with this type of DoS attack
then you should consider
disabling this option.
You can check your
<code>peerstats</code>
file for evidence of any of these attacks.
The
default for this flag is
<code>enable</code>.
</p></dd>
<dt><code>stats</code></dt>
<dd><p>Enables the statistics facility.
See the
&lsquo;Monitoring Options&rsquo;
section for further information.
The default for this flag is
<code>disable</code>.
</p></dd>
<dt><code>unpeer_crypto_early</code></dt>
<dd><p>By default, if
<code>ntpd(1ntpdmdoc)</code>
receives an autokey packet that fails TEST9,
a crypto failure,
the association is immediately cleared.
This is almost certainly a feature,
but if, in spite of the current recommendation of not using autokey,
you are
<em>still</em>
using autokey
<em>and</em>
you are seeing this sort of DoS attack,
disabling this flag will delay
tearing down the association until the reachability counter
becomes zero.
You can check your
<code>peerstats</code>
file for evidence of any of these attacks.
The
default for this flag is
<code>enable</code>.
</p></dd>
<dt><code>unpeer_crypto_nak_early</code></dt>
<dd><p>By default, if
<code>ntpd(1ntpdmdoc)</code>
receives a crypto-NAK packet that
passes the duplicate packet and origin timestamp checks,
the association is immediately cleared.
While this is generally a feature
as it allows for quick recovery if a server key has changed,
a properly forged and appropriately delivered crypto-NAK packet
can be used in a DoS attack.
If you have active, noticeable problems with this type of DoS attack
then you should consider
disabling this option.
You can check your
<code>peerstats</code>
file for evidence of any of these attacks.
The
default for this flag is
<code>enable</code>.
</p></dd>
<dt><code>unpeer_digest_early</code></dt>
<dd><p>By default, if
<code>ntpd(1ntpdmdoc)</code>
receives what should be an authenticated packet
that passes other packet sanity checks but
contains an invalid digest,
the association is immediately cleared.
While this is generally a feature
as it allows for quick recovery,
if this type of packet is carefully forged and sent
during an appropriate window it can be used for a DoS attack.
If you have active, noticeable problems with this type of DoS attack
then you should consider
disabling this option.
You can check your
<code>peerstats</code>
file for evidence of any of these attacks.
The
default for this flag is
<code>enable</code>.
</p></dd>
</dl>
</dd>
<dt><code>includefile</code> <kbd>includefile</kbd></dt>
<dd><p>This command allows additional configuration commands
to be included from a separate file.
Include files may
be nested to a depth of five; upon reaching the end of any
include file, command processing resumes in the previous
configuration file.
This option is useful for sites that run
<code>ntpd(1ntpdmdoc)</code>
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
</p></dd>
<dt><code>interface</code> <code>[<code>listen</code> | <code>ignore</code> | <code>drop</code>]</code> <code>[<code>all</code> | <code>ipv4</code> | <code>ipv6</code> | <code>wildcard</code> | <kbd>name</kbd> | <kbd>address</kbd> <code>[<code>/</code> <kbd>prefixlen</kbd>]</code>]</code></dt>
<dd><p>The
<code>interface</code>
directive controls which network addresses
<code>ntpd(1ntpdmdoc)</code>
opens, and whether input is dropped without processing.
The first parameter determines the action for addresses
which match the second parameter.
The second parameter specifies a class of addresses,
or a specific interface name,
or an address.
In the address case,
<kbd>prefixlen</kbd>
determines how many bits must match for this rule to apply.
<code>ignore</code>
prevents opening matching addresses;
<code>drop</code>
causes
<code>ntpd(1ntpdmdoc)</code>
to open the address and drop all received packets without examination.
Multiple
<code>interface</code>
directives can be used.
The last rule which matches a particular address determines the action for it.
<code>interface</code>
directives are disabled if any of the
<code>-I</code>,
<code>--interface</code>,
<code>-L</code>
or
<code>--novirtualips</code>
command-line options are given.
If neither those options nor any
<code>interface</code>
directive is specified,
all available network addresses are opened.
The
<code>nic</code>
directive is an alias for
<code>interface</code>.
</p></dd>
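<dd><p>Because the last matching rule wins, the order of <code>interface</code> lines matters, and a careless later rule can reopen an address an earlier one closed. The following Python is an added example, not ntpd code: it parses <code>interface</code>/<code>nic</code> lines, applies them in order to a candidate address exactly as described above, and reports the resulting action. It assumes that an address and prefix length are written as one <kbd>address</kbd>/<kbd>prefixlen</kbd> token and that an address with no prefix length means an exact match; the rule set and the candidate addresses are constructed for illustration.</p>

```python
"""Evaluate ntp.conf 'interface' rules the way the manual describes:
the last matching rule decides; 'ignore' leaves the address unopened,
'drop' opens it but discards every packet, 'listen' serves it.
Added example, not ntpd's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ACTIONS = ("listen", "ignore", "drop")

@dataclass(frozen=True)
class Rule:
    action: str
    selector: str                    # all|ipv4|ipv6|wildcard, an interface name, or an address
    prefixlen: Optional[int] = None  # only meaningful for an address selector

@dataclass(frozen=True)
class Candidate:
    """One address ntpd could open: the interface it sits on, the address,
    and whether it is the wildcard (0.0.0.0 / ::) socket."""
    ifname: str
    address: IPAddr
    wildcard: bool = False

def _as_address(text: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def parse_interface_line(line: str) -> Rule:
    """Parse 'interface <action> <class|name|address[/prefixlen]>' ('nic' is an alias)."""
    tokens = line.split()
    if len(tokens) != 3 or tokens[0] not in ("interface", "nic"):
        raise ValueError(f"not an interface directive: {line!r}")
    action, selector = tokens[1], tokens[2]
    if action not in ACTIONS:
        raise ValueError(f"bad action {action!r} in {line!r}")
    prefixlen = None
    if "/" in selector and _as_address(selector.split("/", 1)[0]) is not None:
        selector, plen = selector.split("/", 1)   # assumed: address/prefixlen as one token
        prefixlen = int(plen)
    return Rule(action, selector, prefixlen)

def _matches(rule: Rule, cand: Candidate) -> bool:
    sel = rule.selector
    if sel == "all":
        return True
    if sel in ("ipv4", "ipv6"):
        return cand.address.version == (4 if sel == "ipv4" else 6)
    if sel == "wildcard":
        return cand.wildcard
    ruleaddr = _as_address(sel)
    if ruleaddr is None:                       # an interface name such as eth0
        return sel == cand.ifname
    if ruleaddr.version != cand.address.version:
        return False
    # No prefix length given: assumed to mean the exact address.
    plen = rule.prefixlen if rule.prefixlen is not None else ruleaddr.max_prefixlen
    return cand.address in ipaddress.ip_network(f"{ruleaddr}/{plen}", strict=False)

def decide(rules: List[Rule], cand: Candidate, default: str = "listen") -> str:
    """Apply the rules in order; the last one that matches wins. With no
    matching rule the address is opened, as when no directive is given."""
    action = default
    for rule in rules:
        if _matches(rule, cand):
            action = rule.action
    return action

def decide_for(rules: List[Rule], ifname: str, addr: str, wildcard: bool = False) -> str:
    return decide(rules, Candidate(ifname, ipaddress.ip_address(addr), wildcard))

# Constructed hardening fragment (not from the manual): drop traffic on every
# address not explicitly served, never bind the wildcard socket, serve the
# 10/8 network except a guest subnet, and keep loopback for local ntpq use.
SAMPLE_RULES = [parse_interface_line(l) for l in """
interface drop all
interface ignore wildcard
interface listen 10.0.0.0/8
interface ignore 10.0.99.0/24
nic listen lo
""".splitlines() if l.strip()]

if __name__ == "__main__":
    for ifname, addr, wc in (("eth0", "10.0.1.5", False), ("eth0", "10.0.99.7", False),
                             ("eth1", "203.0.113.4", False), ("lo", "127.0.0.1", False),
                             ("eth0", "0.0.0.0", True)):
        print(f"{ifname:5s} {addr:14s} -> {decide_for(SAMPLE_RULES, ifname, addr, wc)}")
```

<p>Swapping the first two rules of the sample would let <code>drop all</code> override <code>ignore wildcard</code>, so the wildcard socket would be opened after all; evaluating candidate addresses this way before deployment catches that kind of ordering mistake.</p>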
<dt><code>leapfile</code> <kbd>leapfile</kbd></dt>
<dd><p>This command loads the IERS leapseconds file and initializes the
leapsecond values for the next leapsecond event, leapfile expiration
time, and TAI offset.
The file can be obtained directly from the IERS at
<code>https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>
or
<code>ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>.
The
<code>leapfile</code>
is scanned when
<code>ntpd(1ntpdmdoc)</code>
processes the
<code>leapfile</code>
directive or when
<code>ntpd</code>
detects that the
<kbd>leapfile</kbd>
has changed.
<code>ntpd</code>
checks once a day to see if the
<kbd>leapfile</kbd>
has changed.
The
<code>update-leap(1update_leapmdoc)</code>
script can be run to see if the
<kbd>leapfile</kbd>
should be updated.
</p></dd>
<dt><code>leapsmearinterval</code> <kbd>seconds</kbd></dt>
<dd><p>This EXPERIMENTAL option is only available if
<code>ntpd(1ntpdmdoc)</code>
was built with the
<code>--enable-leap-smear</code>
option to the
<code>configure</code>
script.
It specifies the interval over which a leap second correction will be applied.
Recommended values for this option are between
7200 (2 hours) and 86400 (24 hours).
During that interval the server deliberately serves time that differs from UTC,
so every client of a smearing server must be under the same administration.
<strong>DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS!</strong>
See http://bugs.ntp.org/2855 for more information.
</p></dd>
<dt><code>logconfig</code> <kbd>configkeyword</kbd></dt>
<dd><p>This command controls the amount and type of output written to
the system
<code>syslog(3)</code>
facility or the alternate
<code>logfile</code>
log file.
By default, all output is turned on.
All
<kbd>configkeyword</kbd>
keywords can be prefixed with
&lsquo;=&rsquo;,
&lsquo;+&rsquo;
and
&lsquo;-&rsquo;,
where
&lsquo;=&rsquo;
sets the
<code>syslog(3)</code>
priority mask,
&lsquo;+&rsquo;
adds and
&lsquo;-&rsquo;
removes
messages.
<code>syslog(3)</code>
messages can be controlled in four
classes
(<code>clock</code>, <code>peer</code>, <code>sys</code> and <code>sync</code>).
Within these classes four types of messages can be
controlled: informational messages
(<code>info</code>),
event messages
(<code>events</code>),
statistics messages
(<code>statistics</code>)
and
status messages
(<code>status</code>).
</p>
<p>Configuration keywords are formed by concatenating the message class with
the event class.
The
<code>all</code>
prefix can be used instead of a message class.
A
message class may also be followed by the
<code>all</code>
keyword to enable/disable all
messages of the respective message class.
Thus, a minimal log configuration
could look like this:
</p><pre class="verbatim">logconfig =syncstatus +sysevents
</pre>
<p>This would just list the synchronization state of
<code>ntpd(1ntpdmdoc)</code>
and the major system events.
For a simple reference server, the
following minimum message configuration could be useful:
</p><pre class="verbatim">logconfig =syncall +clockall
</pre>
<p>This configuration will list all clock information and
synchronization information.
All other events and messages about
peers, system events and so on are suppressed.
</p></dd>
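<dd><p>The keyword algebra above is easy to get wrong: a later <code>=</code> silently discards everything before it, and a class name followed by a misspelt type is not a keyword at all. The following Python is an added example, not ntpd code. It expands each keyword into the (class, type) groups it names, applies the <code>=</code>, <code>+</code> and <code>-</code> operations in order, and shows what each of the configurations given above actually leaves enabled. It treats a keyword without a prefix as <code>+</code>, which is an assumption about the parser rather than something this page states.</p>

```python
"""Expand ntp.conf 'logconfig' keywords into the enabled (class, type)
message groups (added example, not ntpd's own code)."""
from typing import FrozenSet, Iterable, Set, Tuple

CLASSES = ("clock", "peer", "sys", "sync")
TYPES = ("info", "events", "statistics", "status")
Group = Tuple[str, str]
# 'By default, all output is turned on.'
ALL_GROUPS: FrozenSet[Group] = frozenset((c, t) for c in CLASSES for t in TYPES)

def expand_keyword(keyword: str) -> Set[Group]:
    """Map one keyword (prefix already removed) to the groups it names.
    The class may be 'all' (allinfo), the type may be 'all' (clockall), or both."""
    for cls in CLASSES + ("all",):
        if not keyword.startswith(cls):
            continue
        typ = keyword[len(cls):]
        if typ not in TYPES + ("all",):
            continue
        classes = CLASSES if cls == "all" else (cls,)
        types = TYPES if typ == "all" else (typ,)
        return {(c, t) for c in classes for t in types}
    raise ValueError(f"unknown logconfig keyword {keyword!r}")

def apply_logconfig(args: Iterable[str], mask: FrozenSet[Group] = ALL_GROUPS) -> FrozenSet[Group]:
    """Apply '=', '+' and '-' keywords in order to a starting mask.
    A keyword with no prefix is taken as '+' (assumption, not stated on the page)."""
    current: Set[Group] = set(mask)
    for arg in args:
        prefix, keyword = (arg[0], arg[1:]) if arg[:1] in ("=", "+", "-") else ("+", arg)
        groups = expand_keyword(keyword)
        if prefix == "=":
            current = set(groups)      # '=' sets the mask: everything before it is gone
        elif prefix == "+":
            current |= groups
        else:
            current -= groups
    return frozenset(current)

def parse_logconfig_line(line: str, mask: FrozenSet[Group] = ALL_GROUPS) -> FrozenSet[Group]:
    tokens = line.split()
    if not tokens or tokens[0] != "logconfig":
        raise ValueError(f"not a logconfig line: {line!r}")
    return apply_logconfig(tokens[1:], mask)

def describe(mask: FrozenSet[Group]) -> str:
    """One 'class:type,type' field per class, '-' when a class logs nothing."""
    return " ".join(
        f"{c}:{','.join(t for t in TYPES if (c, t) in mask) or '-'}" for c in CLASSES)

if __name__ == "__main__":
    for line in ("logconfig =syncstatus +sysevents",
                 "logconfig =syncall +clockall",
                 "logconfig -peerinfo -peerstatistics"):
        print(f"{line:42s} -> {describe(parse_logconfig_line(line))}")
```

<p>The first configuration from the text reduces to exactly two groups, <code>sync</code>/<code>status</code> and <code>sys</code>/<code>events</code>; the second keeps all eight <code>sync</code> and <code>clock</code> groups and nothing else; a line made only of <code>-</code> keywords starts from the everything-on default and removes just the named groups.</p>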
<dt><code>logfile</code> <kbd>logfile</kbd></dt>
<dd><p>This command specifies the location of an alternate log file to
be used instead of the default system
<code>syslog(3)</code>
facility.
This is the same operation as the
<code>-l</code>
command line option.
</p></dd>
<dt><code>mru</code> <code>[<code>maxdepth</code> <kbd>count</kbd> | <code>maxmem</code> <kbd>kilobytes</kbd> | <code>mindepth</code> <kbd>count</kbd> | <code>maxage</code> <kbd>seconds</kbd> | <code>initalloc</code> <kbd>count</kbd> | <code>initmem</code> <kbd>kilobytes</kbd> | <code>incalloc</code> <kbd>count</kbd> | <code>incmem</code> <kbd>kilobytes</kbd>]</code></dt>
<dd><p>Controls size limits of the monitoring facility&rsquo;s Most Recently Used
(MRU) list
of client addresses, which is also used by the
rate control facility.
</p><dl compact="compact">
<dt><code>maxdepth</code> <kbd>count</kbd></dt>
<dt><code>maxmem</code> <kbd>kilobytes</kbd></dt>
<dd><p>Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
The actual limit will be up to
<code>incalloc</code>
entries or
<code>incmem</code>
kilobytes larger.
As with all of the
<code>mru</code>
options offered in units of entries or kilobytes, if both
<code>maxdepth</code>
and
<code>maxmem</code>
are used, the last one used controls.
The default is 1024 kilobytes.
</p></dd>
<dt><code>mindepth</code> <kbd>count</kbd></dt>
<dd><p>Lower limit on the MRU list size.
When the MRU list has fewer than
<code>mindepth</code>
entries, existing entries are never removed to make room for newer ones,
regardless of their age.
The default is 600 entries.
</p></dd>
<dt><code>maxage</code> <kbd>seconds</kbd></dt>
<dd><p>Once the MRU list has
<code>mindepth</code>
entries and an additional client is to be added to the list,
if the oldest entry was updated more than
<code>maxage</code>
seconds ago, that entry is removed and its storage is reused.
If the oldest entry was updated more recently the MRU list is grown,
subject to
<code>maxdepth</code> / <code>maxmem</code>.
The default is 64 seconds.
</p></dd>
<dt><code>initalloc</code> <kbd>count</kbd></dt>
<dt><code>initmem</code> <kbd>kilobytes</kbd></dt>
<dd><p>Initial memory allocation at the time the monitoring facility is first enabled,
in terms of the number of entries or kilobytes.
The default is 4 kilobytes.
</p></dd>
<dt><code>incalloc</code> <kbd>count</kbd></dt>
<dt><code>incmem</code> <kbd>kilobytes</kbd></dt>
<dd><p>Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
The default is 4 kilobytes.
</p></dd>
</dl>
</dd>
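<dd><p>The MRU list is the structure that a flood of packets from spoofed client addresses makes grow, so <code>mindepth</code>, <code>maxage</code> and <code>maxdepth</code>/<code>maxmem</code> together bound the memory such a flood can claim. The following Python is an added example, not ntpd code: it models the grow-or-recycle decision described above for each new client address and runs a constructed flood against it. Only entry counts are modelled (the <code>maxmem</code> and <code>incmem</code> byte limits are not), and recycling the oldest entry when the list is already at <code>maxdepth</code> is an assumption drawn from &quot;subject to <code>maxdepth</code>&quot; rather than a statement on this page.</p>

```python
"""Model of the ntpd MRU list growth and recycling policy set by the
'mru' directive (added example, not ntpd's own code)."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MRUConfig:
    mindepth: int = 600    # manual default: below this, entries are never recycled
    maxage: int = 64       # manual default, seconds
    maxdepth: int = 8192   # entry count; the maxmem/incmem byte limits are not modelled

class MRUList:
    def __init__(self, cfg: MRUConfig) -> None:
        self.cfg = cfg
        # address -> time of last packet; dict order is recency order,
        # so the first key is the least recently seen client.
        self._entries: "OrderedDict[str, float]" = OrderedDict()
        self.grown = 0       # entries added by growing the list
        self.recycled = 0    # entries whose slot was reused for a new client

    def __len__(self) -> int:
        return len(self._entries)

    def addresses(self) -> List[str]:
        return list(self._entries)

    def oldest(self) -> Optional[str]:
        return next(iter(self._entries), None)

    def record(self, addr: str, now: float) -> str:
        """Account for one packet from addr at time now.
        Returns 'hit', 'grow' or 'recycle' to say what happened."""
        if addr in self._entries:
            self._entries.move_to_end(addr)     # now the most recently used
            self._entries[addr] = now
            return "hit"
        n = len(self._entries)
        if n >= self.cfg.mindepth:
            oldest = self.oldest()
            stale = now - self._entries[oldest] > self.cfg.maxage
            # Reuse the oldest slot if it has aged out, or (assumption from
            # 'subject to maxdepth') if the list may not grow any further.
            if stale or n >= self.cfg.maxdepth:
                del self._entries[oldest]
                self._entries[addr] = now
                self.recycled += 1
                return "recycle"
        self._entries[addr] = now
        self.grown += 1
        return "grow"

def simulate_flood(cfg: MRUConfig, packets: int, pps: float) -> MRUList:
    """Feed `packets` packets, each from a new constructed source address,
    at `pps` packets per second, and return the resulting list."""
    mru = MRUList(cfg)
    for i in range(packets):
        mru.record(f"spoofed-{i}", i / pps)
    return mru

if __name__ == "__main__":
    for cfg in (MRUConfig(), MRUConfig(maxdepth=1000), MRUConfig(maxage=5)):
        m = simulate_flood(cfg, packets=10000, pps=1000)
        print(f"{cfg}: entries={len(m)} grown={m.grown} recycled={m.recycled}")
```

<p>With the manual defaults (expressed here as 8192 entries) a ten-second flood of ten thousand distinct sources fills the list to <code>maxdepth</code> and then recycles slots, so memory stops growing; lowering <code>maxdepth</code> caps it sooner, while lowering <code>maxage</code> only helps once the oldest entry is older than the flood itself.</p>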
<dt><code>nonvolatile</code> <kbd>threshold</kbd></dt>
<dd><p>Specify the
<kbd>threshold</kbd>
frequency delta (a dimensionless ratio, so 1e-7 is 0.1 PPM) that an hourly change to the
<code>driftfile</code>
(frequency file) must exceed before the file is written, with a default value of 1e-7 (0.1 PPM).
The frequency file is inspected each hour.
If the difference between the current frequency and the last value written
exceeds the threshold, the file is written and the working threshold is
reset to the configured
<kbd>threshold</kbd>
value.
If the threshold is not exceeded, the working threshold is reduced by half,
so a frequency that wanders slowly but steadily is still written out eventually.
This is intended to reduce the number of file writes
for embedded systems with nonvolatile memory.
</p></dd>
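<dd><p>The <code>driftfile</code> and <code>nonvolatile</code> descriptions above together specify a small procedure: read the stored frequency at startup, once an hour compare the current frequency with the last value written, halve the working threshold on a skipped write, and write through a temporary file plus rename. The following Python is an added example, not ntpd code, that carries it out; following the advice above it also refuses to operate on a drift file that is a link rather than a regular file. The hourly readings and file names it uses are made up for illustration.</p>

```python
"""Drift-file maintenance as described under 'driftfile' and
'nonvolatile' above (added example, not ntpd's own code)."""
import os
import stat
import tempfile
from typing import List, Optional, Tuple

class DriftWriter:
    """Keeps the frequency file; the 'nonvolatile' threshold gates the hourly write."""

    def __init__(self, path: str, threshold_ppm: float = 0.1) -> None:
        self.path = path
        self.threshold = threshold_ppm      # configured value; default 1e-7 = 0.1 PPM
        self.resid = threshold_ppm          # working threshold, halved on each skipped write
        self.last_written = self.read()     # None means no file: start from zero frequency

    def read(self) -> Optional[float]:
        """Return the stored frequency in PPM, or None if the file does not exist."""
        try:
            with open(self.path) as fh:
                return float(fh.readline().split()[0])
        except FileNotFoundError:
            return None

    def hourly(self, freq_ppm: float) -> bool:
        """Called once per hour with the current frequency. True if the file was written."""
        if self.last_written is not None and abs(freq_ppm - self.last_written) < self.resid:
            self.resid /= 2             # threshold not exceeded: halve it, skip the write
            return False
        self._atomic_write(freq_ppm)
        self.last_written = freq_ppm
        self.resid = self.threshold     # threshold exceeded: back to the configured value
        return True

    def _atomic_write(self, freq_ppm: float) -> None:
        # rename() replaces the name, so a link at `path` would be replaced by a
        # regular file rather than followed. Refuse anyway, so a planted link is
        # noticed instead of silently clobbered (the manual says to avoid links).
        try:
            st = os.lstat(self.path)
        except FileNotFoundError:
            st = None
        if st is not None and not stat.S_ISREG(st.st_mode):
            raise RuntimeError(f"{self.path} is not a regular file")
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(prefix=".ntp.drift.", dir=directory)  # needs write access to dir
        try:
            with os.fdopen(fd, "w") as fh:
                fh.write(f"{freq_ppm:.3f}\n")  # file format: one line, one float, in PPM
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp, self.path)       # atomic: readers see the old or the new file, never a partial one
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise

def demo_sequence(directory: Optional[str] = None) -> Tuple[List[bool], Optional[float]]:
    """Run constructed hourly readings through a writer in a fresh directory.
    Returns (which hours wrote the file, the value read back at the end)."""
    directory = directory or tempfile.mkdtemp(prefix="ntpdrift-")
    writer = DriftWriter(os.path.join(directory, "ntp.drift"), threshold_ppm=0.1)
    readings = [12.345, 12.350, 12.380, 12.500, 12.520, 12.530, 12.540]  # constructed
    written = [writer.hourly(f) for f in readings]
    return written, writer.read()

def refuses_link(directory: Optional[str] = None) -> bool:
    """True if the writer refuses to write through a symlink planted at the drift path."""
    directory = directory or tempfile.mkdtemp(prefix="ntpdrift-")
    target = os.path.join(directory, "elsewhere")
    link = os.path.join(directory, "ntp.drift")
    with open(target, "w") as fh:
        fh.write("0.0\n")
    os.symlink(target, link)
    try:
        DriftWriter(link).hourly(1.0)
    except RuntimeError:
        return True
    return False

if __name__ == "__main__":
    writes, final = demo_sequence()
    print("hours that wrote the file:", [i for i, w in enumerate(writes) if w], "final:", final)
    print("refuses symlink:", refuses_link())
```

<p>In the constructed sequence the file is written at hours 0, 3 and 6: the small drifts at hours 1 and 2 each halve the working threshold (0.1, 0.05, 0.025 PPM), the jump at hour 3 exceeds it and restores the configured value, and the slow wander afterwards is written once the halved threshold has dropped below it. That is the behaviour the text describes, without a write every hour.</p>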
3032<dt><code>phone</code> <kbd>dial</kbd> <kbd>...</kbd></dt>
3033<dd><p>This command is used in conjunction with
3034the ACTS modem driver (type 18)
3035or the JJY driver (type 40, mode 100 - 180).
3036For the ACTS modem driver (type 18), the arguments consist of
3037a maximum of 10 telephone numbers used to dial USNO, NIST, or European
3038time service.
3039For the JJY driver (type 40 mode 100 - 180), the argument is
3040one telephone number used to dial the telephone JJY service.
3041The Hayes command ATDT is normally prepended to the number.
3042The number can contain other modem control codes as well.
3043</p></dd>
3044<dt><code>pollskewlist</code> <code>[<kbd>poll</kbd> <kbd>early</kbd> <kbd>late</kbd>]</code> <kbd>...</kbd> <code>[<code>default</code> <kbd>early</kbd> <kbd>late</kbd>]</code></dt>
3045<dd><p>Enable skewing of our poll requests to our servers.
3046<kbd>poll</kbd>
3047is a number between 3 and 17 inclusive, identifying a specific poll interval.
3048A poll interval is 2^n seconds in duration,
3049so a poll value of 3 corresponds to 8 seconds
3050and
3051a poll interval of 17 corresponds to
3052131,072 seconds, or about a day and a half.
3053The next two numbers must be between 0 and one-half of the poll interval,
3054inclusive.
3055Ar early
3056specifies how early the poll may start,
3057while
3058Ar late
3059specifies how late the poll may be delayed.
3060With no arguments, internally specified default values are chosen.
3061</p></dd>
3062<dt><code>reset</code> <code>[<code>allpeers</code>]</code> <code>[<code>auth</code>]</code> <code>[<code>ctl</code>]</code> <code>[<code>io</code>]</code> <code>[<code>mem</code>]</code> <code>[<code>sys</code>]</code> <code>[<code>timer</code>]</code></dt>
3063<dd><p>Reset one or more groups of counters maintained by
3064<code>ntpd</code>
3065and exposed by
3066<code>ntpq</code>
3067and
3068<code>ntpdc</code>.
3069</p></dd>
3070<dt><code>rlimit</code> <code>[<code>memlock</code> <kbd>Nmegabytes</kbd> | <code>stacksize</code> <kbd>N4kPages</kbd> <code>filenum</code> <kbd>Nfiledescriptors</kbd>]</code></dt>
3071<dd><dl compact="compact">
3072<dt><code>memlock</code> <kbd>Nmegabytes</kbd></dt>
3073<dd><p>Specify the number of megabytes of memory that should be
3074allocated and locked.
3075Probably only available under Linux, this option may be useful
3076when dropping root (the
3077<code>-i</code>
3078option).
3079The default is 32 megabytes on non-Linux machines, and -1 under Linux.
3080-1 means &quot;do not lock the process into memory&quot;.
30810 means &quot;lock whatever memory the process wants into memory&quot;.
3082</p></dd>
3083<dt><code>stacksize</code> <kbd>N4kPages</kbd></dt>
3084<dd><p>Specifies the maximum size of the process stack on systems with the
3085<code>mlockall()</code>
3086function.
3087Defaults to 50 4k pages (200 4k pages in OpenBSD).
3088</p></dd>
3089<dt><code>filenum</code> <kbd>Nfiledescriptors</kbd></dt>
3090<dd><p>Specifies the maximum number of file descriptors ntpd may have open at once.
3091Defaults to the system default.
3092</p></dd>
3093</dl>
3094</dd>
3095<dt><code>saveconfigdir</code> <kbd>directory_path</kbd></dt>
3096<dd><p>Specify the directory in which to write configuration snapshots
3097requested with
3098<code>ntpq</code>&rsquo;s
3099<code>saveconfig</code>
3100command.
3101If
3102<code>saveconfigdir</code>
3103does not appear in the configuration file,
3104<code>saveconfig</code>
3105requests are rejected by
3106<code>ntpd</code>.
3107</p></dd>
3108<dt><code>saveconfig</code> <kbd>filename</kbd></dt>
3109<dd><p>Write the current configuration, including any runtime
3110modifications given with
3111<code>:config</code>
3112or
3113<code>config-from-file</code>
3114to the
3115<code>ntpd</code>
3116host&rsquo;s
3117<kbd>filename</kbd>
3118in the
3119<code>saveconfigdir</code>.
3120This command will be rejected unless the
3121<code>saveconfigdir</code>
3122directive appears in
3123<code>ntpd</code>&rsquo;s
3124configuration file.
3125<kbd>filename</kbd>
3126can use
3127<code>strftime(3)</code>
3128format directives to substitute the current date and time,
3129for example,
3130<code>saveconfig ntp-%Y%m%d-%H%M%S.conf</code>.
3131The filename used is stored in the system variable
3132<code>savedconfig</code>.
3133Authentication is required.
3134</p></dd>
3135<dt><code>setvar</code> <kbd>variable</kbd> <code>[<code>default</code>]</code></dt>
3136<dd><p>This command adds an additional system variable.
3137These
3138variables can be used to distribute additional information such as
3139the access policy.
3140If the variable of the form
3141<code>name</code><code>=</code><kbd>value</kbd>
3142is followed by the
3143<code>default</code>
3144keyword, the
3145variable will be listed as part of the default system variables
3146(<code>rv</code> command).
3147These additional variables serve
3148informational purposes only.
3149They are not related to the protocol
3150other than that they can be listed.
3151The known protocol variables will
3152always override any variables defined via the
3153<code>setvar</code>
3154mechanism.
3155There are three special variables that contain the names
3156of all variables in the same group.
3157The
3158<code>sys_var_list</code>
3159holds
3160the names of all system variables.
3161The
3162<code>peer_var_list</code>
3163holds
3164the names of all peer variables and the
3165<code>clock_var_list</code>
3166holds the names of the reference clock variables.
3167</p></dd>
3168<dt><code>sysinfo</code></dt>
3169<dd><p>Display operational summary.
3170</p></dd>
3171<dt><code>sysstats</code></dt>
3172<dd><p>Show statistics counters maintained in the protocol module.
3173</p></dd>
3174<dt><code>tinker</code> <code>[<code>allan</code> <kbd>allan</kbd> | <code>dispersion</code> <kbd>dispersion</kbd> | <code>freq</code> <kbd>freq</kbd> | <code>huffpuff</code> <kbd>huffpuff</kbd> | <code>panic</code> <kbd>panic</kbd> | <code>step</code> <kbd>step</kbd> | <code>stepback</code> <kbd>stepback</kbd> | <code>stepfwd</code> <kbd>stepfwd</kbd> | <code>stepout</code> <kbd>stepout</kbd>]</code></dt>
3175<dd><p>This command can be used to alter several system variables in
3176very exceptional circumstances.
3177It should occur in the
3178configuration file before any other configuration options.
3179The
3180default values of these variables have been carefully optimized for
3181a wide range of network speeds and reliability expectations.
3182In
3183general, they interact in intricate ways that are hard to predict
3184and some combinations can result in some very nasty behavior.
3185Very
3186rarely is it necessary to change the default values; but, some
3187folks cannot resist twisting the knobs anyway and this command is
3188for them.
3189Emphasis added: twisters are on their own and can expect
3190no help from the support group.
3191</p>
3192<p>The variables operate as follows:
3193</p><dl compact="compact">
3194<dt><code>allan</code> <kbd>allan</kbd></dt>
3195<dd><p>The argument becomes the new value for the minimum Allan
3196intercept, which is a parameter of the PLL/FLL clock discipline
3197algorithm.
3198The value in log2 seconds defaults to 7 (1024 s), which is also the lower
3199limit.
3200</p></dd>
3201<dt><code>dispersion</code> <kbd>dispersion</kbd></dt>
3202<dd><p>The argument becomes the new value for the dispersion increase rate,
3203normally .000015 s/s.
3204</p></dd>
3205<dt><code>freq</code> <kbd>freq</kbd></dt>
3206<dd><p>The argument becomes the initial value of the frequency offset in
3207parts-per-million.
3208This overrides the value in the frequency file, if
3209present, and avoids the initial training state if it is not.
3210</p></dd>
3211<dt><code>huffpuff</code> <kbd>huffpuff</kbd></dt>
3212<dd><p>The argument becomes the new value for the experimental
3213huff-n&rsquo;-puff filter span, which determines the most recent interval
3214the algorithm will search for a minimum delay.
3215The lower limit is
3216900 s (15 m), but a more reasonable value is 7200 (2 hours).
3217There
3218is no default, since the filter is not enabled unless this command
3219is given.
3220</p></dd>
3221<dt><code>panic</code> <kbd>panic</kbd></dt>
3222<dd><p>The argument is the panic threshold, normally 1000 s.
3223If set to zero,
3224the panic sanity check is disabled and a clock offset of any value will
3225be accepted.
3226</p></dd>
3227<dt><code>step</code> <kbd>step</kbd></dt>
3228<dd><p>The argument is the step threshold, which by default is 0.128 s.
3229It can
3230be set to any positive number in seconds.
3231If set to zero, step
3232adjustments will never occur.
3233Note: The kernel time discipline is
3234disabled if the step threshold is set to zero or greater than the
3235default.
3236</p></dd>
3237<dt><code>stepback</code> <kbd>stepback</kbd></dt>
3238<dd><p>The argument is the step threshold for the backward direction,
3239which by default is 0.128 s.
3240It can
3241be set to any positive number in seconds.
3242If both the forward and backward step thresholds are set to zero, step
3243adjustments will never occur.
3244Note: The kernel time discipline is
3245disabled if
3246either direction&rsquo;s step threshold is
3247set to zero or greater than 0.5 second.
3248</p></dd>
3249<dt><code>stepfwd</code> <kbd>stepfwd</kbd></dt>
3250<dd><p>As for stepback, but for the forward direction.
3251</p></dd>
3252<dt><code>stepout</code> <kbd>stepout</kbd></dt>
3253<dd><p>The argument is the stepout timeout, which by default is 900 s.
3254It can
3255be set to any positive number in seconds.
3256If set to zero, the stepout
3257pulses will not be suppressed.
3258</p></dd>
3259</dl>
3260</dd>
3261<dt><code>writevar</code> <kbd>assocID name</kbd> <kbd>=</kbd> <kbd>value</kbd> <kbd>[,...]</kbd></dt>
3262<dd><p>Write (create or update) the specified variables.
3263If the
3264<code>assocID</code>
3265is zero, the variables are from the
3266system variables
3267name space, otherwise they are from the
3268peer variables
3269name space.
3270The
3271<code>assocID</code>
3272is required, as the same name can occur in both name spaces.
3273</p></dd>
3274<dt><code>trap</code> <kbd>host_address</kbd> <code>[<code>port</code> <kbd>port_number</kbd>]</code> <code>[<code>interface</code> <kbd>interface_address</kbd>]</code></dt>
3275<dd><p>This command configures a trap receiver at the given host
3276address and port number for sending messages with the specified
3277local interface address.
3278If the port number is unspecified, a value
3279of 18447 is used.
3280If the interface address is not specified, the
3281message is sent with a source address of the local interface the
3282message is sent through.
3283Note that on a multihomed host the
3284interface used may vary from time to time with routing changes.
3285</p>
3286<p>The trap receiver will generally log event messages and other
3287information from the server in a log file.
3288While such monitor
3289programs may also request their own trap dynamically, configuring a
3290trap receiver will ensure that no messages are lost when the server
3291is started.
3292</p></dd>
3293<dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd></dt>
3294<dd><p>This command specifies a list of TTL values in increasing order.
3295Up to 8 values can be specified.
3296In
3297<code>manycast</code>
3298mode these values are used in turn in an expanding-ring search.
3299The default is eight multiples of 32 starting at 31.
3300</p></dd>
3309</dl>
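<p>As an added example (not part of ntpd or of this manual), the following Python checks a configuration fragment against the limits stated above for <code>pollskewlist</code> (poll between 3 and 17, early/late within 0 and half the 2^poll interval) and for <code>tinker</code> (a zero <code>panic</code> disables the sanity check; <code>step</code> set to zero or above its 0.128 s default, or <code>stepback</code>/<code>stepfwd</code> set to zero or above 0.5 s, disables the kernel time discipline). The function names and the sample fragment are constructed for illustration.
</p>

```python
# Added example (not ntpd code): check 'pollskewlist' and 'tinker' lines
# against the limits stated in the ntp.conf manual text.
POLL_MIN, POLL_MAX = 3, 17    # valid poll exponents; an interval is 2^poll seconds
# Zero, or a value above the limit, disables the kernel time discipline.
KERNEL_LIMITS = (("step", 0.128), ("stepback", 0.5), ("stepfwd", 0.5))


def check_pollskewlist(tokens):
    # Arguments come as '[poll early late]...'; 'default' may stand in for poll.
    if len(tokens) % 3:
        return ["pollskewlist: arguments must come in (poll early late) triples"]
    problems = []
    for i in range(0, len(tokens), 3):
        poll, early, late = tokens[i:i + 3]
        limit = None                     # 'default' has no fixed interval to bound against
        if poll != "default":
            if not POLL_MIN <= int(poll) <= POLL_MAX:
                problems.append(f"pollskewlist: poll {poll} outside {POLL_MIN}..{POLL_MAX}")
                continue
            limit = 2 ** int(poll) // 2  # early/late must lie in 0..half the interval
        for name, val in (("early", int(early)), ("late", int(late))):
            if val < 0 or (limit is not None and val > limit):
                problems.append(f"pollskewlist: {name} {val} outside 0..{limit} for poll {poll}")
    return problems


def check_tinker(tokens):
    # Flag values that disable the panic sanity check or the kernel time discipline.
    opts = {k: float(v) for k, v in zip(tokens[0::2], tokens[1::2])}
    problems = []
    if opts.get("panic", 1) == 0:
        problems.append("tinker panic 0: panic sanity check disabled, any offset accepted")
    for key, limit in KERNEL_LIMITS:
        if key in opts and (opts[key] == 0 or opts[key] > limit):
            problems.append(f"tinker {key} {opts[key]}: kernel time discipline disabled")
    return problems


def audit_ntp_conf(text):
    # Run both checks over each line of a configuration fragment; '#' starts a comment.
    problems = []
    for line in text.splitlines():
        cmd, *args = line.split("#", 1)[0].split() or [""]
        if cmd == "pollskewlist":
            problems += check_pollskewlist(args)
        elif cmd == "tinker":
            problems += check_tinker(args)
    return problems


SAMPLE = """# constructed sample fragment, not from any real host
tinker panic 0 step 0.128
pollskewlist 6 10 10 17 70000 0 default 3 3
"""
```

Running <code>audit_ntp_conf(SAMPLE)</code> reports two problems: the zero panic threshold and the early value of 70000 for poll 17, whose half interval is 65536.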
3310
3311<p>This section was generated by <strong>AutoGen</strong>,
3312using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp.conf</code> program.
3313This software is released under the NTP license, &lt;http://ntp.org/license&gt;.
3314</p>
3325
3326<hr>
3327<span id="ntp_002econf-Files"></span><div class="header">
3328<p>
3329Next: <a href="#ntp_002econf-See-Also" accesskey="n" rel="next">ntp.conf See Also</a>, Previous: <a href="#Miscellaneous-Options" accesskey="p" rel="prev">Miscellaneous Options</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
3330</div>
3331<span id="ntp_002econf-Files-1"></span><h4 class="subsection">1.1.8 ntp.conf Files</h4>
3332<dl compact="compact">
3333<dt><samp>/etc/ntp.conf</samp></dt>
3334<dd><p>the default name of the configuration file
3335</p></dd>
3336<dt><samp>ntp.keys</samp></dt>
3337<dd><p>private MD5 keys
3338</p></dd>
3339<dt><samp>ntpkey</samp></dt>
3340<dd><p>RSA private key
3341</p></dd>
3342<dt><samp>ntpkey_</samp><kbd>host</kbd></dt>
3343<dd><p>RSA public key
3344</p></dd>
3345<dt><samp>ntp_dh</samp></dt>
3346<dd><p>Diffie-Hellman agreement parameters
3347</p></dd>
3348</dl>
3349<hr>
3350<span id="ntp_002econf-See-Also"></span><div class="header">
3351<p>
3352Next: <a href="#ntp_002econf-Bugs" accesskey="n" rel="next">ntp.conf Bugs</a>, Previous: <a href="#ntp_002econf-Files" accesskey="p" rel="prev">ntp.conf Files</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
3353</div>
3354<span id="ntp_002econf-See-Also-1"></span><h4 class="subsection">1.1.9 ntp.conf See Also</h4>
3355<p><code>ntpd(1ntpdmdoc)</code>,
3356<code>ntpdc(1ntpdcmdoc)</code>,
3357<code>ntpq(1ntpqmdoc)</code>
3358</p>
3359<p>In addition to the manual pages provided,
3360comprehensive documentation is available on the world wide web
3361at
3362<code>http://www.ntp.org/</code>.
3363A snapshot of this documentation is available in HTML format in
3364<samp>/usr/share/doc/ntp</samp>.
3365</p>
3368<p>David L. Mills, <em>Network Time Protocol (Version 4)</em>, RFC5905
3369</p><hr>
3370<span id="ntp_002econf-Bugs"></span><div class="header">
3371<p>
3372Previous: <a href="#ntp_002econf-See-Also" accesskey="p" rel="prev">ntp.conf See Also</a>, Up: <a href="#ntp_002econf-Notes" accesskey="u" rel="up">ntp.conf Notes</a> &nbsp; </p>
3373</div>
3374<span id="ntp_002econf-Bugs-1"></span><h4 class="subsection">1.1.10 ntp.conf Bugs</h4>
3375<p>The syntax checking is not picky; some combinations of
3376ridiculous and even hilarious options and modes may not be
3377detected.
3378</p>
3379<p>The
3380<samp>ntpkey_</samp><kbd>host</kbd>
3381files are really digital
3382certificates.
3383These should be obtained via secure directory
3384services when they become universally available.
3385</p><hr>
3390<span id="ntp_002econf-Notes-1"></span><h4 class="subsection">1.1.11 ntp.conf Notes</h4>
3391<p>This document was derived from FreeBSD.
3392</p><hr>
3393
3394
3395
3396</body>
3397</html>
3398