ntpd v4.2 problem
Harlan Stenn
Harlan.Stenn at pfcs.com
Tue Nov 23 15:38:56 PST 2004
> The problem in the manual is different. You do not have any access
> control in your server, your server is worldwide open to other people
> changing your runtime configuration etc. (as it seems from your conf file)
Wrong - ntpd will never allow changes to itself without explicitly allowing
it (via a private key file, and mutually-agreed key numbers and passwords).
> From ntp handbook page!
> ----
> If you only want to allow machines within your own network to
> synchronize their clocks with your server, but ensure they are not
> allowed to configure the server or used as peers to synchronize against, add
That line may be technically true, but it is alarmist and wrong.
> restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
See http://ntp.isc.org/Support/ConfRestrict for info about notrust.
Dave Mills changed the behavior of notrust between the 4.1 and 4.2
releases of ntp.
In 4.1, notrust means "do not trust this host/subnet for time".
In 4.2, notrust means "require crypto auth before believing this
host/subnet for time".
nomodify will block changes even with the correct key/password. But you
have to have the correct key and password first.
> But if you use notrust in this line no clients are able to connect. I am
> not sure why. That is why I asked about an ntpd pro having a look.
We'd appreciate more folks adding more info to ntp.isc.org.
H
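As an added illustration of the restrict semantics discussed in this message (not part of the original thread or of the ntp handbook), here is the handbook's restrict line beside a form that keeps the "serve time but do not let clients reconfigure the server" intent on 4.2 without requiring crypto authentication from every client. The 192.168.1.0/24 subnet is the one from the quoted handbook text; the `nopeer` keyword is not mentioned in the thread and is added here as the flag that refuses to let a client become a symmetric peer.

```conf
# ntp.conf fragment (added example, not from the thread)

# Handbook line as quoted in the thread. On ntpd 4.1 "notrust" meant
# "do not use this subnet as a time source". On ntpd 4.2 it means
# "require crypto authentication before believing this subnet", so
# ordinary unauthenticated LAN clients are no longer served time.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# 4.2-friendly form: drop "notrust" so unauthenticated clients can sync.
#   nomodify - reject runtime configuration changes (ntpdc/ntpq writes),
#              even from a sender holding the correct key/password
#   notrap   - refuse control-message trap service
#   nopeer   - do not let these hosts form a symmetric peer association
#              (assumption: this keyword is not discussed in the thread)
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer

# Keep the usual default-deny for everyone else; the server's own
# upstream sources need their own restrict lines as appropriate.
restrict default ignore
restrict 127.0.0.1
```

The point to take from the thread is that `notrust` is a versioned keyword: a line copied from documentation written for 4.1 changes meaning on 4.2, and the symptom is exactly the one the original poster saw, clients silently failing to sync rather than an error in the log. `nomodify` is the keyword that actually carries the "no remote reconfiguration" guarantee, independent of the notrust change.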
More information about the freebsd-stable
mailing list