On Wed, 20 Oct 2004, Josh Close wrote:
> > Another good way to screw it up is to try to make it a little more secure
> > and end up forbidding your own ntp daemon from disciplining your own
> > clock! Been there too....
>
> How can I tell if I've done this? Can you post some examples of configs?
I *believe* (as I keep saying, I'm no ntp expert, I just like having an
accurate clock well enough to have plugged away until I got it right) that
if it can't reach its servers but is configured well enough to run then
when you do ntpq -p it will say it's sync'd to 127.0.0.1, i.e. to itself.
Or, looking at my config file, that's maybe 127.127.1.0. Look for a line
like
server 127.127.1.0 # local clock
which tells NTPD that it's OK to use the local clock.
Again, this is vague memory from the docs, so by all means check them out:
http://www.eecis.udel.edu/~mills/ntp/html/index.html
The official docs are neither well organized nor newbie-friendly (again,
they're written for bigger fish with some technical background in the
problem being solved, very much in the spirit of unix and unix man
pages 8-O ), but there are some nicer-looking docs at
http://ntp.isc.org/bin/view/Support/WebHome
that I wish I'd found when I first configured the silly thing. Those are
links from www.ntp.org, so by all means poke around.
Config file: mmm, OK, confession time. Currently I'm running Slack, not
Gentoo. I should maybe post something about that since I joined the list
to get help with the problem that ultimately led to the Slackware install,
but that's another thing. Just as long as you know this is a Slackware
10.0 sample config file that I've tweaked, not the Gentoo sample config.
This config is a work in progress, so it will change. Extra annotations
not in the config file are in [[]].
-----------------------------------------------------------------------
# Sample /etc/ntp.conf: Configuration file for ntpd.
#
# Dustin 10/17/04:
# * Set up timeservers
# * Set up as stratum 2 server
# * Broke out messages to a separate logfile
# * Note there are no man pages, but the html documentation is in
# /usr/doc/ntp-4.2.0/
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
# Dustin 10/17/04 -- configure like we were in Gentoo, as a stratum 2
# server and contribute to the pool
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
[[I'm guessing the point of that fudge is that if it can reach your
timeservers it will ignore such a low stratum clock, but if not then
it will at least keep running. I should play with this and see if
I want those lines uncommented.]]
# XXX.XXX.XXX.XXX, foo.edu -- closest server, and stratum 1
# Permission on file in email somewhere
server foo.edu
# XXX.XXX.XXX.XXX, bar.net -- closest open, no notification server
# These claim to be stratum 1--are they really OK to sync to?
server bar.net
# XXX.XXX.XXX.XXX, baz.net -- sister server at XXXXXXXXXXX
server baz.net
# XXX.XXX.XXX.XXX, gronk.org -- closest stratum 2 server
# I got no answer to my request, but the list just asked for notification
server gronk.org
[[Notice that I'm using hostnames, not IPs in the server lines. That is
nice for me if they change the IP of their timeservers, but really I
should change it to IPs and avoid all those useless DNS lookups. Plus
that way it won't hang on boot waiting for name resolution if the network
is unreachable. :-)]]
# Dustin 10/17/04 -- Separate out log messages
logfile /var/log/ntpd.log
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
multicastclient # listen on default 224.0.1.1
broadcastdelay 0.008
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will.
#
#keys /etc/ntp/keys
#trustedkey 65535
#requestkey 65535
#controlkey 65535
[[If you're not using authentication keys like that, you *cannot* use
"restrict notrust" no matter what docs you find on the web.]]
# Don't serve time or stats or trust anyone else by default (more secure)
#restrict default noquery notrust nomodify
# Trust ourselves. :-)
#restrict 127.0.0.1
[[That's the Slackware default config, just uncomment to use. It's
probably a good one if you're just a client, *EXCEPT* that "notrust"
is a nasty trap for the newbie. See below.]]
# Dustin 10/17/04 -- We're a pool.ntp.org server now, have to change
# these reasonable defaults and let the world sync to us
[[Urk!!! Looks like when I hurriedly copied stuff over from my old Gentoo
config I lost my default restrict lines for the rest of the world. Back
to the drawing board...I won't try to fix it here though because I'll have
to watch it after I change it to make sure it's working. But at the
*minimum* I need to turn on "nomodify" for the world!!! The line I'm
adding right now for testing is
restrict default nomodify
you can use more restrictions if you're not in the pool and allowing
the world to sync to you.]]
[["restrict" is probably the nastiest trap for the newbie, because the
meanings of the keywords just aren't obvious.]]
# Allow the chosen nameservers, but they can't modify my machine
# (but I can still sync to them)
restrict foo.edu nomodify
restrict bar.net nomodify
restrict baz.net nomodify
restrict gronk.org nomodify
[[IIRC what this is doing is saying that I'm just syncing to them as a
lower stratum server. If I didn't have nomodify turned on it would mean
I was trying to join them as a peer--you can have a bunch of peers of
the same stratum watching each other and trying to keep better time
collectively than any one is capable of separately. If I had a bunch of
servers of my own I'd do that, but obviously I can't do it with someone
else's timeservers. So "nomodify" seems to mean their servers can't
modify mine directly, not that my own ntpd can't modify my own clock.]]
# Now allow unrestricted connections from localhost, req'd I think
# so that the computer can update the clock
restrict 127.0.0.1
[[IIRC this one is very necessary. If you leave "nomodify" on for
localhost, then I seem to recall I found out the hard way that your own
ntpd can't change its own local clock. Kinda defeats the purpose....]]
-----------------------------------------------------------------------
OK, now the most annoying one: "notrust". I carefully read the docs I
found on the web, and nothing worked. The reason is that, following
common but very bad programming practice, the meaning of "notrust" was
recycled to a radically different meaning a few versions ago:
http://mailman.ntp.org/pipermail/questions/2004-July/004095.html
There are lots of docs on the web that talk about the old meaning, so
reading the docs can actually be worse than total ignorance. The new
meaning is that "notrust" says to ignore everyone not cryptographically
authenticated. I'm guessing you don't want that, especially not before
you even have a basic working configuration.
As an aside, it's just plain cruelty for Patrick to suggest using it in
the ntp.conf comments--anyone who needs it probably knows to add it, and
anyone who doesn't know what it means probably can't use it anyway. I
kinda recall the Gentoo default config file suggesting it too, if so
that's also bad. I imagine all these distros just haven't gotten up to
speed on the meaning change yet. Without a working Gentoo install,
though, I can't emerge the latest ntp and check to see what is in there,
so I'm not submitting the bug report myself.
Dustin, currently Slacking out of necessity but who will probably be
running Gentoo again in the future
--
gentoo-user@gentoo.org mailing list
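The two questions in the thread ("how can I tell if I've locked my own ntpd out?" and "which restrict keywords are the traps?") can be answered mechanically. The script below is an added example, not Dustin's config or anything from the ntp project: `audit_conf` lints an ntp.conf for the mistakes the post describes (a `notrust` restriction with no `keys` directive, which in ntpd 4.2 means "ignore every unauthenticated peer", and a `restrict default` line that lacks `nomodify`, plus the hostname-vs-IP point), and `system_peer` / `synced_to_local_clock` read `ntpq -p` output to tell whether the clock is being disciplined from the undisciplined local driver rather than a real server. The two configs and the `ntpq -p` listing are constructed samples (the 192.0.2.10 address is a documentation address standing in for foo.edu); the function names are the example's own.

```python
import re

# Constructed sample ntp.conf (not the one from the post): it has the two
# traps discussed, 'notrust' with the keys file commented out, and a
# 'restrict default' line without 'nomodify'.
WEAK_CONF = """\
driftfile /etc/ntp/drift
server foo.edu
server 127.127.1.0   # local clock
fudge 127.127.1.0 stratum 10
#keys /etc/ntp/keys
restrict default noquery notrust
restrict 127.0.0.1
"""

# Constructed corrected version: world gets nomodify, the upstream server is
# pinned by address (192.0.2.10 is a documentation address used as a stand-in).
FIXED_CONF = """\
driftfile /etc/ntp/drift
server 192.0.2.10            # foo.edu, pinned by IP to avoid DNS at boot
restrict default nomodify noquery
restrict 192.0.2.10 nomodify
restrict 127.0.0.1
"""

# Constructed 'ntpq -p' output in the ntpq 4.2 layout: the tally character in
# column 0 ('*' = system peer), then remote, refid, st, t, when, poll, reach...
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.001
 foo.edu         .GPS.            1 u   34   64    0    0.000    0.000   0.000
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_conf(text):
    """Return ntp.conf directives as token lists; '#' comments and blank
    lines are dropped, so a commented-out 'keys' line does not count."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def audit_conf(text):
    """Return a sorted list of finding codes for the restrict/server traps."""
    d = parse_conf(text)
    findings = set()
    has_keys = any(t[0] == "keys" for t in d)
    restricts = [t for t in d if t[0] == "restrict" and len(t) > 1]
    defaults = [t for t in restricts if t[1] == "default"]
    if not defaults:
        findings.add("no-restrict-default")       # world gets full access
    for t in defaults:
        if "nomodify" not in t[2:]:
            findings.add("default-allows-modify")  # anyone may reconfigure via ntpq/ntpdc
    if any("notrust" in t[2:] for t in restricts) and not has_keys:
        # ntpd 4.2 'notrust' = require cryptographic authentication; with no
        # keys file configured, no upstream server will ever be accepted.
        findings.add("notrust-without-keys")
    for t in d:
        if t[0] == "server" and len(t) > 1 and not IPV4.match(t[1]):
            findings.add("server-by-hostname")     # DNS dependency at boot
    return sorted(findings)


def system_peer(ntpq_output):
    """Return (remote, reach) for the peer tagged '*' in 'ntpq -p' output,
    or None if ntpd has not selected a system peer. 'reach' is the octal
    shift register of the last eight polls (377 = all eight answered)."""
    for line in ntpq_output.splitlines():
        if line.startswith("*"):
            fields = line[1:].split()
            return fields[0], int(fields[6], 8)
    return None


def synced_to_local_clock(ntpq_output):
    """True when the clock is being disciplined only by the undisciplined
    local clock driver 127.127.1.0, which ntpq shows as LOCAL(n)."""
    peer = system_peer(ntpq_output)
    return peer is not None and peer[0].startswith("LOCAL(")


if __name__ == "__main__":
    print("weak conf:", audit_conf(WEAK_CONF))
    print("fixed conf:", audit_conf(FIXED_CONF))
    print("system peer:", system_peer(SAMPLE_NTPQ),
          "local clock only:", synced_to_local_clock(SAMPLE_NTPQ))
```

Run it against your own file with `audit_conf(open("/etc/ntp.conf").read())` and feed it the real `ntpq -p` text; the `reach` value of 0 on the foo.edu line in the sample is what an upstream that never answers looks like, and a `*LOCAL(0)` system peer next to it is exactly the "sync'd to itself" state the post describes.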