Jailing {open,}ntpd
Mel Pilgrim
list_freebsd at bluerosetech.com
Thu Jun 28 12:02:13 UTC 2018
On 06/27/2018 23:08, Thomas Steen Rasmussen wrote:
> Anything that speaks to untrusted network clients belongs in a jail, but
> to my knowledge both ntpds are unjailable because they want to use some
> kernel system calls (to adjust time) which are not allowed in jails (as
> it should be).
>
> In my opinion adjusting the local bios/cmos clock and keeping it in sync
> with some upstream NTP source is a different task than serving NTP to
> untrusted network clients (like an ISP is expected to do).
>
> I'd love for one or both ntpds to have an option to only serve local
> time, without attempting to adjust the clock, if such a feature is
> possible.
>
> I'd then keep an ntpd running in the base system which takes care of
> keeping the system clock in-sync, and another in a jail which only reads
> the time and serves it to network clients, but doesn't try to adjust or
> speak to upsteam NTPs.
You can do this by configuring the jailed ntpd with the local clock
driver as a reference. Doing this for an ntpd serving the general
public would be evil. NTP Pool Project membership prohibits using the
local clock driver.
If your priority is something with a better security profile than an ISC
daemon, run OpenNTPD instead.
For the ISC ntpd, configure a reference clock with a server line that
has a magic number 127.127.0.0/16 address. The "Reference Clock
Support" section of ntp.conf(5) has more details. The local clock is
type 1.
OpenNTPD does not have reference clock support.
More information about the freebsd-jail
mailing list