 |
|
| |
| NTP.CONF(5) |
NTPsec |
NTP.CONF(5) |
ntp.conf - Network Time Protocol (NTP) daemon configuration file
format
The ntp.conf configuration file is read at
initial startup by the ntpd(8) daemon in order to specify the
synchronization sources, modes, and other related information. Usually, it
is installed in the /etc directory, but could be
installed elsewhere (see the daemon’s -c
command line option).
The file format is similar to other UNIX configuration files.
Comments begin with a ‘#’ character and extend to the end of
the line; blank lines are ignored. Configuration commands consist of an
initial keyword followed by a list of arguments, some of which may be
optional, separated by whitespace. Commands may not be continued over
multiple lines. Arguments may be host names, host addresses written in
numeric, dotted-quad form, integers, floating point numbers (when specifying
times in seconds) and text strings.
Configuration files may have inclusion lines. The syntax is
includefile followed by whitespace followed by a
file or directory name. The configuration is evaluated as though the text of
the file - or all files of the directory with the extension
".conf" - were textually spliced in at the point of the include.
Relative paths will work, even when the -c option changes the config
directory root.
The rest of this page describes the configuration and control
options. The "Notes on Configuring NTP and Setting up an NTP
Subnet" page (available as part of the HTML documentation provided
under /usr/share/doc/ntp) contains an extended
discussion of these options. In addition to the discussion of general
Configuration Options, there are sections describing the following
supported functionality and the options used to control it:
•Authentication Support
•NTS Support
•Monitoring Support
•Access Control Support
•Automatic NTP Configuration Options
•Reference Clock Support
•Miscellaneous Options
Following these is a section describing Miscellaneous
Options. While there is a rich set of options available, the only
required option is one or more pool,
server, peer, or
broadcast commands.
Following is a description of the configuration commands in NTPv4.
There are two classes of commands, association commands that configure a
persistent association with a remote server or peer or reference clock, and
auxiliary commands that specify environment variables that control various
related operations.
Only those options applicable to each command are listed below.
Use of options not listed may not be caught as an error, but may result in
some weird and even destructive behavior.
In contexts where a host name is expected, a
-4 or --ipv4 qualifier
preceding the host name forces DNS resolution to the IPv4 namespace, while a
-6 or --ipv6 qualifier
forces DNS resolution to the IPv6 namespace.
In these commands, an address can be any of (a) an IPV4
address in a.b.c.d format, (b) an IPV6 address in [a:b:c:d:e:f:g:h] format,
(c) a link-local IPV6 address with an interface specified in
[a:b:c:d:e:f:g:h]%device format, or (d) a DNS hostname.
pool address
[burst] [iburst]
[version version]
[prefer] [minpoll
minpoll] [maxpoll maxpoll]
[preempt]
server address
[key key] [burst]
[iburst] [version
version] [prefer]
[minpoll minpoll]
[maxpoll maxpoll]
peer address
[key key] [version
version] [prefer]
[minpoll minpoll]
[maxpoll maxpoll]
unpeer [address | associd |
clock clocktype [unit
unitnum]]
These four commands specify the time server name or
address to be used and the mode in which to operate. The address can be
either a DNS name or an IP address in dotted-quad notation. If it is a
refclock, it can be clock followed by a type-unit pair
as in the refclock directive; a missing unit clause is
interpreted as unit 0.
pool
For server addresses, this command mobilizes a persistent
client mode association with a number of remote servers. In this mode the
local clock can synchronized to the remote server, but the remote server can
never be synchronized to the local clock.
server
For server addresses, this command mobilizes a persistent
client mode association with the specified remote server or local radio clock.
In this mode the local clock can synchronized to the remote server, but the
remote server can never be synchronized to the local clock.
peer
NTP peer mode has been removed for security reasons. peer
is now just an alias for the server keyword. See above.
unpeer
This command removes a previously configured association.
An address or association ID can be used to identify the association. Either
an IP address or DNS name can be used. This command is most useful when
supplied via ntpq runtime configuration commands
config and
config-from-file.
bias
Add the command argument, a floating-point value in
seconds, to the time offset (θ) computed for this server; this may
be useful if you are a client on a network connection such as an ADSL line
where there is a predictable asymmetry between upstream and downstream flight
times. One way you might see this is if you use a fixed set of others and one
has a stable offset that is an outlier from the others; in that case, you
might want to use bias to compensate out the
offset.
burst
When the server is reachable, send a burst of eight
packets instead of the usual one. The packet spacing is normally 2 s; however,
the spacing between the first and second packets can be changed with the
calldelay command to allow additional time for a modem or ISDN call to
complete; this is designed to improve timekeeping quality with the
server command.
iburst
When the server is unreachable, send a burst of six
packets instead of the usual one. The packet spacing is normally 2 s; however,
the spacing between the first and second packets can be changed with the
calldelay command to allow additional time for a modem or ISDN call to
complete; this is designed to speed the initial synchronization acquisition
with the server command, and when ntpd(8) is started
with the -q option.
key key
All packets sent to and received from the server or peer
are to include authentication fields encrypted using the specified key
identifier with values from 1 to 65535, inclusive. The default is to include
no encryption field.
minpoll minpoll,
maxpoll maxpoll
These options specify the minimum and maximum poll
intervals for NTP messages, as a power of 2 in seconds. The maximum poll
interval defaults to 10 (1,024 s), but can be increased by the maxpoll
option to an upper limit of 17 (36.4 h). The minimum poll interval defaults to
6 (64 s), but can be decreased by the minpoll option to a lower limit
of 0 (1 s).
mode option
Pass the option to a reference
clock driver. This option is valid only with refclock addresses.
noselect
Marks the server as unused, except for display purposes.
The server is discarded by the selection algorithm.
prefer
Marks the server as preferred. All other things being
equal, this host will be chosen for synchronization among a set of correctly
operating hosts. See the "Mitigation Rules and the prefer Keyword"
page for further information.
true
Mark the association to assume truechimer status; that
is, always survive the selection and clustering algorithms. This option can be
used with any association but is most useful for reference clocks with large
jitter on the serial port and precision pulse-per-second (PPS) signals.
Caution: this option defeats the algorithms designed to cast out falsetickers
and can allow these sources to set the system clock. This option is valid only
with the server command.
version version
Specifies the version number to be used for outgoing NTP
packets. Versions 1-4 are the choices, with version 4 the default.
mdnstries number
If we are participating in mDNS, after we have synched
for the first time we attempt to register with the mDNS system. If that
registration attempt fails, we try again at one minute intervals for up to
number times. After all, ntpd may be starting
before mDNS. The default value for mdnstries is
5.
The following declarations control MAC authentication:
controlkey key
Specifies the key identifier to use with the ntpq(1)
utility, which uses the standard protocol defined in RFC 5905. The key
argument is the key identifier for a trusted key, where the value can be in
the range 1 to 65,535, inclusive.
keys keyfile
Specifies the complete path and location of the key file
containing the keys and key identifiers used by ntpd(8), and ntpq(1) when
operating with symmetric-key cryptography. This is the same operation as the
-k command line option.
trustedkey key...
Specifies the key identifiers which are trusted for the
purposes of authenticating servers with symmetric key cryptography, as well as
keys used by the ntpq(1) program. Multiple keys on the same line should be
separated by spaces. Key ranges can be specified as (first ... last). The
spaces around the ... are necessary. Multiple
trustedkey lines are supported and trusted keys can
also be specified on the command line.
The MAC authentication procedures require that both the local and
remote servers share the same key id, key type, and key text. The easiest
way to do this is to copy the whole line. Different keys should be used for
each server-client pair. The key_id arguments are integers with
values from 1 to 65,535.
The following command controls NTS authentication. It overrides
normal TLS protocol negotiation, which is not usually necessary.
nts [enable|disable]
[mintls version]
[maxtls version]
[tlsciphersuites name]
[tlsecdhcurves name]
The options are as follows:
cert file
Present the certificate (chain) in file as our
certificate. + Note that there is no checking on the certificate. In
particular, it may have expired or may not cover the host name used to get to
this server or may not be signed by a CA that is in the clients root-server
collection.
key file
Read the private key to our certificate from
file.
ca location
Use the file, or directory, specified by location
to validate NTS-KE server certificates instead of the system default root
certificates. If a directory is specified, it must have files named with their
hash, as created by openssl rehash.
cookie location
Use the file (or directory) specified by location
to store the keys used to make and decode cookies. The default is
/var/lib/ntp/nts-keys.
enable
Enable NTS-KE server. When enabled,
cert and key are
required.
disable
Disable NTS-KE server.
mintls string
Set the lowest allowable TLS version to negotiate. Will
be useful in the wake of a TLS compromise. Reasonable values are TLS1.3
if your system supports it. TLS 1.3 was first supported in OpenSSL version
1.1.1.
maxtls string
Set the highest allowable TLS version to negotiate. By
setting mintls and maxtls
equal, you can force the TLS version for testing. Format is as for
mintls.
tlsciphersuites string
An OpenSSL ciphersuite list to configure the allowed
ciphersuites for TLS 1.3. A single NULL cipher disables encryption and use of
certificates. This sets the ciphers used by both the client and server sides.
+ The server picks the cipher. The default is client preference. Specifying
ciphersuites also switches to server preference.
tlsecdhcurves string
An OpenSSL ecdhcurves list to configure the allowed
ecdhcurves for TLS 1.3. A single NULL ecdhcurves disables encryption and use
of certificates.
aead string
Specify the crypto algorithm to be used on the wire. The
choices come from RFC 5297. The only options supported are AES_SIV_CMAC_256,
AES_SIV_CMAC_384, and AES_SIV_CMAC_512. This slot is dual use. It is the
server default if the remote client doesn’t request a valid choice and
it is also the preference passed to the remote client if the server command
doesn’t specify a preference. The default is AES_SIV_CMAC_256.
The following options of the server
command configure NTS (as a client).
nts
Use Network Time Security (NTS) for authentication.
Normally, this is all you have to do to activate the client side of NTS. + The
hostname following the server command is used as the
address of the NTS key exchange server (NTS-KE) rather than the address of a
NTP server. The NTS-KE exchange defaults to using the same IP address for the
NTP server. + Note that the server hostname must match
the name on the NTS-KE server’s certificate.
noval
Do not validate the server certificate.
ca location
Use the file, or directory, specified by location
to validate the NTS-KE server certificate, overriding the site default. Do not
use any other CA. If a directory is specified, it must have files named with
their hash, as created by openssl rehash.
aead string
Specify the preferred crypto algorithm to be used on the
wire. The only options supported are AES_SIV_CMAC_256, AES_SIV_CMAC_384, and
AES_SIV_CMAC_512. The server may ignore the request. See the
aead option above. + The same
aead algorithms are also used to encrypt cookies. The
default is AES_SIV_CMAC_256. There is no config file option to change it, but
you can change it by editing the saved cookie key file, probably
/var/lib/ntp/nts-keys. Adjust the L: slot to be 48 or 64 and
adjust the I: slots to have the right number of bytes. Then restart the
server. (All old cookies held by clients will be rejected so their next 8 NTP
requests will be ignored. They should recover by retrying NTS-KE to get fresh
cookies.)
ntpd(8) includes a comprehensive monitoring facility suitable for
continuous, long term recording of server and client timekeeping
performance. See the statistics command below for a
listing and example of each type of statistics currently supported.
Statistic files are managed using file generation sets and scripts in the
./scripts directory of this distribution. Using these facilities and UNIX
cron(8) jobs, the data can be automatically summarized and archived for
retrospective analysis.
statistics name...
Enables writing of statistics records. Currently, ten
kinds of name statistics are supported.
clockstats
Enables recording of clock driver statistics information.
Each update received from a clock driver appends a line of the following form
to the file generation set named clockstats:
| 49213 525.624 SPECTRACOM(1) 93 226
00:08:29.606 |
| Item |
Units |
Description |
| 49213 |
MJD |
modified Julian day number |
| 525.624 |
s |
time of day (s) past midnight UTC |
| SPECTRACOM(1) |
|
receiver identifier (Spectracom unit
1) |
| 93 226 00:08:29.606 |
|
timecode (format varies by refclock) |
The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight). The next normally shows clock type
and unit (but if you are running in strict Classic compatibility mode it
will show the magic clock address in dotted-quad notation). The final field
is the last timecode received from the clock in decoded ASCII format, where
meaningful. For some clock drivers, a good deal of additional information
can be gathered and displayed as well. See information specific to each
clock for further details.
loopstats
Enables recording of loop filter statistics information.
Each update of the local clock outputs a line of the following form to the
file generation set named loopstats:
| 50935 75440.031 0.000006019 13.778190
0.000351733 0.0133806 |
| Item |
Units |
Description |
| 50935 |
MJD |
date |
| 75440.031 |
s |
time past midnight |
| 0.000006019 |
s |
clock offset |
| 13.778 |
PPM |
drift (frequency offset) |
| 0.000351733 |
s |
RMS jitter |
| 0.013380 |
PPM |
RMS frequency jitter (aka wander) |
| 6 |
log2 s |
clock discipline loop time constant |
The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight). The next five fields show time
offset (seconds), frequency offset (parts per million - PPM), RMS jitter
(seconds), Allan deviation (PPM) and clock discipline time constant.
ntsstats
Enables recording of NTS statistics counters on a
periodic basis. Each hour a line of the following form is appended to the file
generation set named ntsstats:
| 60209 77147.187 3600 1320 1239 0 2895 2895
11 4104 0 2897 2885 10 0 0 2 0 |
| Item |
Units |
Description |
| 60209 |
MJD |
date |
| 77147.187 |
s |
time past midnight |
| 3600 |
s |
time since reset |
| 1320 |
packets |
client requests sent |
| 1239 |
packets |
client responses received good |
| 0 |
packets |
client responses received bad |
| 2895 |
packets |
server responses sent |
| 2895 |
packets |
server requests received good |
| 11 |
packets |
server requests received bad |
| 4104 |
packets |
cookies made |
| 0 |
packets |
cookie decodes not server |
| 2897 |
packets |
cookie decodes total |
| 2885 |
packets |
cookie decodes current |
| 10 |
packets |
cookie decodes 1-2 days |
| 0 |
packets |
cookie decodes 2-3 days |
| 0 |
packets |
cookie decodes 3-10 days |
| 2 |
packets |
cookie decodes too old |
| 0 |
packets |
cookie decodes error |
These counters are also available via ntpq's nts
command.
ntskestats
Enables recording of NTS-KE statistics counters on a
periodic basis. Each hour a line of the following form is appended to the file
generation set named ntskestats:
| 60209 77147.187 3600 10 2.914 0.026 2 3.218
0.004 0 0.000 0.000 0 0 |
| Item |
Units |
Description |
| 60209 |
MJD |
date |
| 77147.187 |
s |
time past midnight |
| 3600 |
s |
time since reset |
| 10 |
requests |
server requests good |
| 2.914 |
seconds |
server good wall clock time |
| 0.026 |
seconds |
server good CPU time |
| 2 |
requests |
server requests no-TLS |
| 3.218 |
seconds |
server no-TLS wall clock time |
| 0.004 |
seconds |
server no-TLS CPU time |
| 0 |
requests |
server requests bad |
| 0.000 |
seconds |
server bad wall clock time |
| 0.000 |
seconds |
server bad CPU time |
| 0 |
requests |
client requests good |
| 0 |
requests |
client requests bad |
These counters are also available via ntpq's nts
command.
There are two types of failures for NTS-KE server processing. The
no-TLS slots are for the path when the TLS connection doesn’t
get setup. The bad slots are for the path when the TLS connection
does get setup but there is an error during the NTS-KE exchange.
Both are typically caused by bad guys probing for servers to
abuse. A no-TLS event would be caused by a bad guy using unencrypted
SMTP while a bad event would be caused by SMTP over TLS.
protostats
Record significant peer and system events. Each
significant event appends one line to the protostats
file set:
| 49213 525.624 128.4.1.1 963a 8a
message |
| Item |
Units |
Description |
| 49213 |
MJD |
date |
| 525.624 |
s |
time past midnight |
| 128.4.1.1 |
IP |
source address
(0.0.0.0 for system) |
| 963a |
code |
status word |
| 8a |
code |
event message code |
| message |
text |
event message |
The event message code and message field are described on
the "Event Messages and Status Words" page.
peerstats
Enables recording of peer statistics information. This
includes statistics records of all peers of an NTP server and of special
signals, where present and configured. Each valid update appends a line of the
following form to the current element of a file generation set named
peerstats:
| 48773 10847.650 SPECTRACOM(4) 9714
-0.001605376 0.000000000 0.001424877 0.000958674 |
| Item |
Units |
Description |
| 48773 |
MJD |
date |
| 10847.650 |
s |
time past midnight |
| SPECTRACOM(4) |
|
clock name (unit) or source address |
| 9714 |
hex |
status word |
| -0.001605376 |
s |
clock offset |
| 0.000000000 |
s |
roundtrip delay |
| 0.001424877 |
s |
dispersion |
| 0.000958674 |
s |
RMS jitter |
The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight). The third field shows the
reference clock type and unit number (but if you are running in the peer
address in dotted-quad notation instead) The fourth field is a status word,
encoded in hex in the format described in Appendix A of the NTP
specification RFC 1305. The final four fields show the offset, delay,
dispersion and RMS jitter, all in seconds.
rawstats
Enables recording of raw-timestamp statistics
information. This includes statistics records of all peers of an NTP server
and of special signals, where present and configured. Each NTP message
received from a peer or clock driver appends a line of the following form to
the file generation set named rawstats:
| 59786 36302.768 2610:20:6f15:15::27
2604:a880:1:20::17:5001 3867818701.119346355 3867818701.152009264
3867818701.152010426 3867818702.768490825 0 3 4 1 13 -29 0.000244 0.000488
.NIST. 0 1 2000 |
| Item |
Units |
Description |
| 59786 |
MJD |
date |
| 36302.768 |
s |
time past midnight |
| 2610:20:6f15:15::27 |
IP |
source address |
| 2604:a880:1:20::17:5001 |
IP |
destination address |
| 3867818701.119346355 |
NTP s |
origin timestamp |
| 3867818701.152009264 |
NTP s |
receive timestamp |
| 3867818701.152010426 |
NTP s |
transmit timestamp |
| 3867818702.768490825 |
NTP s |
destination timestamp |
| 0 |
0: OK, 1: insert pending, 2: delete
pending, 3: not synced |
leap warning indicator |
| 3 |
4 was current in 2012 |
NTP version |
| 4 |
3: client, 4: server, 6: ntpq |
mode |
| 1 |
1-15, 16: not synced |
stratum |
| 13 |
log2 seconds |
poll |
| -29 |
log2 seconds |
precision |
| 0.000244 |
seconds |
total roundtrip delay from the remote
server to the primary reference clock |
| 0.000488 |
seconds |
total dispersion from the remote server to
the primary reference clock |
| .NIST. |
IP or text |
refid, association ID |
| 0 |
integer |
lost packets since last response |
| 1 |
integer |
dropped packets since last request |
| 2000 |
hex integer |
0 if packet accecpted, BOGON flag if packet
is discarded |
The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight). The next two fields show the
remote IP Address followed by the local address. The next four fields show
the originate, receive, transmit and final NTP timestamps in order. The
timestamp values are as received and before processing by the various data
smoothing and mitigation algorithms.
A packet that is accecpted is logged. At most the first dropped
packet per request is logged. That avoids DDoSing the log file.
The BOGON flags are decoded here
<decode.html#flash>.
sysstats
Enables recording of ntpd statistics counters on a
periodic basis. Each hour a line of the following form is appended to the file
generation set named sysstats:
| 59935 82782.547 3600 36082754 31287166
26510580 4779042 113 19698 1997 428 4773352 0 366120 |
| Item |
Units |
Description |
| 59935 |
MJD |
date |
| 82782.547 |
s |
time past midnight |
| 3600 |
s |
time since reset |
| 36082754 |
# |
packets received |
| 31287166 |
# |
packets processed |
| 26510580 |
# |
current version |
| 4779042 |
# |
old version(s) |
| 113 |
# |
access denied |
| 19698 |
# |
bad length or format |
| 1997 |
# |
bad authentication |
| 428 |
# |
declined |
| 4773352 |
# |
rate exceeded |
| 0 |
# |
kiss-o'-death packets sent |
| 366120 |
# |
NTPv1 packets received |
The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight). The remaining ten fields show the
statistics counter values accumulated since the last generated line.
usestats
Enables recording of ntpd resource usage statistics. Each
hour a line of the following form is appended to the file generation set named
usestats:
| 57570 83399.541 3600 0.902 1.451 164 0 0 0
2328 64226 1 0 4308 |
| Item |
Units |
Description |
| 57570 |
MJD |
date |
| 83399.541 |
s |
time past midnight |
| 3600 |
s |
time since reset |
| 0.902 |
s |
ru_utime: CPU seconds - user mode |
| 1.451 |
s |
ru_stime: CPU seconds - system |
| 164 |
# |
ru_minflt: page faults - reclaim/soft (no
I/O) |
| 0 |
# |
ru_majflt: page faults - I/O |
| 0 |
# |
ru_nswap: process swapped out |
| 0 |
# |
ru_inblock: file blocks in |
| 2328 |
# |
ru_oublock: file blocks out |
| 64226 |
# |
ru_nvcsw: context switches, wait |
| 1 |
# |
ru_nivcsw: context switches, preempts |
| 0 |
# |
ru_nsignals: signals |
| 4308 |
# |
ru_maxrss: resident set size,
kilobytes |
The first two fields show the date (Modified Julian Day) and time
(seconds and fraction past UTC midnight). The ru_ tags are the names from
the rusage struct. See man getrusage for details.
(The NetBSD and FreeBSD man pages have more details.) The maxrss column is
the high water mark since the process was started. The remaining fields show
the values used since the last report.
statsdir directory_path
Indicates the full path of a directory where statistics
files should be created (see below). This keyword allows the (otherwise
constant) filegen filename prefix to be modified for file generation
sets, which is useful for handling statistics logs.
filegen name
[file filename] [type
typename] [link |
nolink] [enable |
disable]
Configures setting of the generation file set name.
Generation file sets provide a means for handling files that are continuously
growing during the lifetime of a server. Server statistics are a typical
example for such files. Generation file sets provide access to a set of files
used to store the actual data. At any time at most one element of the set is
being written to. The type given specifies when and how data will be directed
to a new element of the set. This way, information stored in elements of a
file set that are currently unused are available for administrative operations
without the risk of disturbing the operation of ntpd. (Most important: they
can be removed to free space for new data produced.)
Note that this command can be sent from the ntpq(1) program
running at a remote location.
name
This is the type of the statistics records, as shown in
the statistics command.
file filename
This is the file name for the statistics records.
Filenames of set members are built from three concatenated elements
prefix, filename and suffix:
| Attribute |
Description |
| prefix |
This is a constant filename path. It is not
subject to modifications via the filegen option. It is defined by
the server, usually specified as a compile-time constant. It may, however,
be configurable for individual file generation sets via other commands.
For example, the prefix used with loopstats and peerstats
generation can be configured using the statsdir option explained
above. |
| filename |
This string is directly concatenated to the
prefix mentioned above (no intervening ‘/’). This can be
modified using the file argument to the filegen statement. No
.. elements are allowed in this component to
prevent filenames referring to parts outside the filesystem hierarchy
denoted by prefix. |
| suffix |
This part is reflects individual elements
of a file set. It is generated according to the type of a file set. |
type typename
A file generation set is characterized by its type. The
following types are supported: // The following are tables only because indent
lists cannot be // nested more than 2 deep.
| Attribute |
Description |
| none |
The file set is actually a single plain
file. |
| pid |
One element of file set is used per
incarnation of a ntpd server. This type does not perform any changes to
file set members during runtime, however it provides an easy way of
separating files belonging to different ntpd(8) server incarnations. The
set member filename is built by appending a ‘.’ to
concatenated prefix and filename strings, and appending the decimal
representation of the process ID of the ntpd(8) server process. |
| day |
One file generation set element is created
per day. A day is defined as the period between 00:00 and 24:00 UTC. The
file set member suffix consists of a ‘.’ and a day
specification in the form YYYYMMdd. YYYY is a 4-digit year
number (e.g., 1992). MM is a two digit month number. dd is a
two digit day number. Thus, all information written at 10 December 1992
would end up in a file named prefix filename.19921210. |
| week |
Any file set member contains data related
to a certain week of a year. The term week is defined by computing
day-of-year modulo 7. Elements of such a file generation set are
distinguished by appending the following suffix to the file set filename
base: A dot, a 4-digit year number, the letter W, and a 2-digit
week number. For example, information from January, 10th 1992 would end up
in a file with suffix 1992W1. |
| month |
One generation file set element is
generated per month. The file name suffix consists of a dot, a 4-digit
year number, and a 2-digit month. |
| year |
One generation file element is generated
per year. The filename suffix consists of a dot and a 4 digit year
number. |
| age |
This type of file generation sets changes
to a new element of the file set every 24 hours of server operation. The
filename suffix consists of a dot, the letter a, and an 8-digit
number. This number is taken to be the number of seconds the server is
running at the start of the corresponding 24-hour period. |
link | nolink
It is convenient to be able to access the current element
of a file generation set by a fixed name. This feature is enabled by
specifying link and disabled using
nolink. If link is specified, a hard link from the
current file set element to a file without suffix is created. When there is
already a file with this name and the number of links of this file is one, it
is renamed appending a dot, the letter C, and the pid of the ntpd
server process. When the number of links is greater than one, the file is
unlinked. This allows the current file to be accessed by a constant
name.
enable |
disable
Enables or disables the recording function. Information
is only written to a file generation by specifying
enable; output is prevented by specifying
disable.
The ntpd(8) daemon implements a general purpose address/mask based
restriction list. The list contains address/match entries sorted first by
increasing address values and then by increasing mask values. A match occurs
when the bitwise AND of the mask and the packet source address is equal to
the bitwise AND of the mask and address in the list. The list is searched in
order with the last match found defining the restriction flags associated
with the entry. Additional information and examples can be found in the
"Notes on Configuring NTP and Setting up a NTP Subnet" page
(available as part of the HTML documentation).
The restriction facility was implemented in conformance with the
access policies for the original NSFnet backbone time servers. Later the
facility was expanded to deflect cryptographic and clogging attacks. While
this facility may be useful for keeping unwanted or broken or malicious
clients from congesting innocent servers, it should not be considered an
alternative to the NTP authentication facilities. Source address based
restrictions are easily circumvented by a determined cracker.
Clients can be denied service because they are explicitly included
in the restrict list created by the restrict command or implicitly as the
result of cryptographic or rate limit violations. Cryptographic violations
include certificate or identity verification failures; rate limit violations
generally result from defective NTP implementations that send packets at
abusive rates. Some violations cause denied service only for the offending
packet, others cause denied service for a timed period and others cause the
denied service for an indefinite period. When a client or network is denied
access for an indefinite period, the only way at present to remove the
restrictions is by restarting the server.
Ordinarily, packets denied service are simply dropped with no
further action except incrementing statistics counters. Sometimes a more
proactive response is needed, such as a server message that explicitly
requests the client to stop sending and leave a message for the system
operator. A special packet format has been created for this purpose called
the "kiss-of-death" (KoD) packet. KoD packets have the leap bits
set unsynchronized and stratum set to zero and the reference identifier
field set to a four-byte ASCII code. If the noserve
or notrust flag of the matching restrict list entry
is set, the code is "DENY"; if the limited
flag is set and the rate limit is exceeded, the code is "RATE".
Finally, if a cryptographic violation occurs, the code is
"CRYP".
A client receiving a KoD performs a set of sanity checks to
minimize security exposure, then updates the stratum and reference
identifier peer variables, sets the access denied (BOGON4) bit in the peer
flash variable and sends a message to the log. As long as the BOGON4 bit is
set, the client will send no further packets to the server. The only way at
present to recover from this condition is to restart the protocol at both
the client and server. This happens automatically at the client when the
association times out. It will happen at the server only if the server
operator cooperates.
limit [average
average] [burst burst]
[kod kod]
Set the parameters of the limited facility which
protects the server from client abuse. Internally, each MRU
<ntpq.html#mrulist> slot contains a score in units of packets per
second. It is updated each time a packet arrives from that IP Address. The
score decays exponentially at the burst rate and is bumped by
1.0/burst when a packet arrives.
average average
Specify the allowed average rate for response packets in
packets per second. The default is 1.0
burst burst
Specify the allowed burst size if the bursts are far
enough apart to keep the average rate below average. The default is
20.0
kod kod
Specify the allowed average rate for KoD packets in
packets per second. The default is 0.5
restrict address[/cidr]
[mask mask] [flag
...]
The address argument expressed in dotted-quad (for
IPv4) or :-delimited (for IPv6) form is the address of a host or network.
Alternatively, the address argument can be a valid host DNS name. The
mask argument expressed in IPv4 or IPv6 numeric address form defaults
to all mask bits on, meaning that the address is treated as the address
of an individual host. Instead of an explicit mask, the
address/cidr may be specified in CIDR notation. A default entry
(address 0.0.0.0, mask
0.0.0.0) is always included and is always the first
entry in the list. Note that text string default, with no mask option,
may be used to indicate the default entry. In the current implementation,
flag always restricts access, i.e., an entry with no flags indicates
that free access to the server is to be given. The flags are not orthogonal,
in that more restrictive flags will often make less restrictive ones
redundant. The flags can generally be classed into two categories, those which
restrict time service and those which restrict informational queries and
attempts to do a run-time reconfiguration of the server. One or more of the
following flags may be specified:
flake
Discard received NTP packets with probability 0.1; that
is, on average drop one packet in ten. This flag is for testing and amusement.
The name comes from Bob Braden’s flakeway, which once did a
similar thing for early Internet testing.
ignore
Deny packets of all kinds, including ntpq(1)
queries.
kod
If this flag is set when an access violation occurs, a
kiss-o'-death (KoD) packet is sent. KoD packets are rate limited.
limited
Deny service if the packet spacing violates the lower
limits specified in the limit command. A history of clients is kept
using the monitoring capability of ntpd(8). Thus, monitoring is always active
as long as there is a restriction entry with the limited flag.
mssntp
Enable Microsoft Windows MS-SNTP authentication using
Active Directory services. Note: Potential users should be aware that
these services involve a TCP connection to another process that
could potentially block, denying services to other users. Therefore,
this flag should be used only for a dedicated server with no clients
other than MS-SNTP.
nomodify
Deny ntpq(1) queries which attempt to modify the state of
the server (i.e., run time reconfiguration). Queries which return information
are permitted.
nomrulist
Do not accept MRU-list requests. These can be expensive
to service and may generate a high volume of response traffic.
nopeer
Deny packets which would result in mobilizing a new
association; this includes symmetric active packets when a configured
association does not exist. That used to happen when the remote client used
the peer command in its config file. We don’t
support that mode. It used to include pool servers, but they now poke a
hole in any restrictions.
noquery
Deny ntpq(1) queries. Time service is not affected.
noserve
Deny all packets except ntpq(1) and queries.
notrust
Deny service unless the packet is cryptographically
authenticated.
ntpport
This is a match algorithm modifier, rather than a
restriction flag. Its presence causes the restriction entry to be matched if
the source port in the packet is the standard NTP UDP port (123). Both
ntpport and non-ntpport may be
specified. The ntpport is considered more specific and
is sorted later in the list.
version
Deny packets that do not match the current NTP
version.
Note: A second restrict line with the same address/mask does not
replace the first one. The flags are merged. Thus:
restrict bob X
restrict bob Y
is the same as
Default restriction list entries with the flags ignore, interface,
ntpport, for each of the local host’s interface addresses are
inserted into the table at startup to prevent the server from attempting to
synchronize to its own time. A default entry is also always present. It has
noquery to avoid packet length amplification which
can be used for DDoS with a forged return address and
limited to avoid DDoS reflections.
unrestrict address[/cidr]
[mask mask] [flag
...]
Like a restrict command, but
turns off the specified flags rather than turning them on (expected to be
useful mainly with ntpq :config). An unrestrict with no flags specified
removes any rule with matching address and mask. Use only on an address/mask
or CIDR-format address mentioned in a previous
restrict statement.
Note: unrestrict default will not do
anything; you can’t remove the builtin defaults. If you want to
remove them, use unrestrict default noquery limited
to turn off those flags.
For a detailed description of manycast operation, see the
"Server Discovery" page (available as part of the HTML
documentation).
tos [ceiling
ceiling | floor floor |
minclock minclock |
minsane minsane]
This command affects the clock selection and clustering
algorithms. It can be used to select the quality and quantity of peers used to
synchronize the system clock and is most useful in manycast mode. The
variables operate as follows:
ceiling ceiling
Peers with strata above ceiling will be discarded
if there are at least minclock peers remaining. This value defaults to
15, but can be changed to any number from 1 to 15.
floor floor
Peers with strata below floor will be discarded if
there are at least minclock peers remaining. This value defaults to 1,
but can be changed to any number from 1 to 15.
minclock minclock
The clustering algorithm repeatedly casts out outlier
associations until no more than minclock associations remain. This
value defaults to 3, but can be changed to any number from 1 to the number of
configured sources.
minsane minsane
This is the minimum number of candidates available to the
clock selection algorithm in order to produce one or more truechimers for the
clustering algorithm. If fewer than this number are available, the clock is
undisciplined and allowed to run free. The default is 1 for legacy purposes.
However, according to principles of Byzantine agreement, minsane should
be at least 4 in order to detect and discard a single falseticker.
For a detailed description of reference-clock configuration, see
the "Reference Clock Drivers" page (available as part of the HTML
documentation provided in /usr/share/doc/ntp).
refclock drivername
[unit u] [prefer]
[subtype int] [mode
int] [minpoll int]
[maxpoll int] [time1
sec] [time2 sec]
[stratum int] [refid
string] [path filename]
[ppspath filename]
[baud number] [flag1
{0 | 1}]
[flag2 {0 |
1}] [flag3
{0 | 1}]
[flag4 {0 |
1}]
This command is used to configure reference clocks. The
required drivername argument is the shortname of a driver type (e.g.,
shm, nmea,
generic; see the Reference Clock Drivers
<refclock.html> page for a full list. The options are interpreted as
follows:
unit
The 0-origin unit number of the device; this modifies the
devicename. If not specified, defaults to zero.
prefer
Marks the reference clock as preferred. All other things
being equal, this host will be chosen for synchronization among a set of
correctly operating hosts and clocks. See the "Mitigation Rules and the
prefer Keyword" page (available as part of the HTML documentation
provided in /usr/share/doc/ntp) for further
information.
subtype int
Some drivers (notably the generic and jjy drivers)
support multiple device types. This option selects among them in a
driver-dependent way.
mode int
Specifies a mode number which is interpreted in a
device-specific fashion. For instance, it selects a dialing protocol in the
ACTS driver and a sentence mix in the nmea driver.
minpoll int;
maxpoll int
These options specify the minimum and maximum polling
interval for reference clock messages, as a power of 2 in seconds. For most
directly connected reference clocks, both minpoll and maxpoll
default to 6 (64 sec). For modem reference clocks, minpoll defaults to
10 (17.1 min) and maxpoll defaults to 14 (4.5 hours). The allowable
range is 0 (1 sec) to 17 (36.4 hours) inclusive.
time1 sec
Specifies a constant to be added to the time offset
produced by the driver, a fixed-point decimal number in seconds. Each
"g" on the end of the constant adds the number of seconds in a
10-bit GPS era; each "G" adds the number of seconds in a 13-bit GPS
era. This is used as a calibration constant to adjust the nominal time offset
of a particular clock to agree with an external standard, such as a precision
PPS signal. It also provides a way to correct a systematic error or bias due
to era wraparound from a GPS device, serial port or operating system
latencies, different cable lengths or receiver internal delay. The specified
offset is in addition to the propagation delay provided by other means, such
as internal DIP switches. Where a calibration for an individual system and
driver is available, an approximate correction is noted in the driver
documentation pages. Note: To facilitate calibration when more than one radio
clock or PPS signal is supported, a special calibration feature is available.
It takes the form of an argument to the enable command
described in "Miscellaneous Options" page and operates as described
in the "Reference Clock Drivers" page.
time2 secs
Specifies a fixed-point decimal number in seconds, which
is interpreted in a driver-dependent way. See the descriptions of specific
drivers in the "Reference Clock Drivers" page.
stratum int
Specifies the stratum number assigned to the driver, an
integer between 0 and 15. This number overrides the default stratum number
ordinarily assigned by the driver itself, usually zero.
refid string
Specifies an ASCII string of from one to four characters
which defines the reference identifier used by the driver. This string
overrides the default identifier ordinarily assigned by the driver
itself.
path filepath
Overrides the default device location for this
refclock.
ppspath filepath
Overrides the default PPS device location (if any) for
this driver.
baud number
Overrides the defaults baud rate for this driver.
flag1 {0 | 1};
flag2 {0 | 1};
flag3 {0 | 1};
flag4 {0 | 1}
These four flags are used for customizing the clock
driver. The interpretation of these values, and whether they are used at all,
is a function of the particular clock driver. However, by convention
flag4 is used to enable recording monitoring data to
the clockstats file configured with the filegen command. Further
information on the filegen command can be found in "Monitoring
Options".
driftfile driftfile
This command specifies the complete path and name of the
file used to record the frequency of the local clock oscillator; this is the
same operation as the -f command line option. If the
file exists, it is read at startup to set the initial frequency and then
updated once per hour with the current frequency computed by the daemon. If
the file name is specified, but the file itself does not exist,
ntpd starts with an initial frequency of zero and
creates the file when writing it for the first time. If this command is not
given, the daemon will always start with an initial frequency of zero.
The file format consists of a single line containing a single
floating point number, which records the frequency offset measured in
parts-per-million (PPM). The file is updated by first writing the current
drift value into a temporary file and then renaming this file to replace the
old version; this implies that ntpd(8) must have write permission for the
directory the drift file is located in, and that file system links, symbolic
or otherwise, should be avoided.
enable [auth |
calibrate | kernel |
monitor | ntp |
stats]; disable
[auth | calibrate |
kernel | monitor |
ntp | stats]
Provides a way to enable or disable various server
options. Flags not mentioned are unaffected. Note that all of these flags can
be controlled remotely using the ntpq(1) utility program.
auth
Enables the server to synchronize with unconfigured peers
only if the peer has been correctly authenticated. The default for this flag
is enable.
calibrate
Enables the calibrate feature for reference clocks. The
default for this flag is disable.
kernel
Enables the kernel time discipline, if available. The
default for this flag is enable if support is
available, otherwise disable.
monitor
Enables the monitoring facility. See the ntpq(1) program
and the monlist command for further information. The default for this flag is
enable.
ntp
Enables time and frequency discipline. In effect, this
switch opens and closes the feedback loop, which is useful for testing. The
default for this flag is enable.
stats
Enables the statistics facility. See the "Monitoring
Options" section for further information. The default for this flag is
disable.
includefile includefile
This command allows additional configuration commands to
be included from a separate file. Include files may be nested to a depth of
five; upon reaching the end of any include file, command processing resumes in
the previous configuration file. Relative pathnames are evaluated not with
respect to the current working directory but with respect to the directory
name of the last pushed file in the stack. This option is useful for sites
that run ntpd(8) on multiple hosts, with (mostly) common options (e.g., a
restriction list).
interface [listen
| ignore | drop]
[all | ipv4 |
ipv6 | wildcard |
name | address[/prefixlen]]
This command controls which network addresses
ntpd opens, and whether the input is dropped without
processing. The first parameter determines the action on addresses which match
the second parameter. That parameter specifies a class of addresses, or a
specific interface name, or an address. In the address case, prefixlen
determines how many bits must match for this rule to apply.
ignore prevents opening matching addresses,
drop causes ntpd to open the
address and drop all received packets without examination. Multiple
interface commands can be used. The last rule which
matches a particular address determines the action for it.
interface commands are disabled if any of the
-I,
--interface,-L, or
--novirtualips command-line options are used. If none
of those options are used, and no interface actions
are specified in the configuration file, all available network addresses are
opened. The nic command is an alias for
interface.
leapfile leapfile
This command loads the NIST leap seconds file and
initializes the leapsecond values for the next leap second time, expiration
time and TAI offset. The file can be obtained using
ntpleapfetch.
The leapfile is scanned when ntpd
processes the leapfile directive or when
ntpd detects that leapfile has changed.
ntpd checks once a day to see if the leapfile
has changed.
leapsmearinterval interval
This experimental option is only available if ntpd
was built with the --enable-leap-smear option, It
specifies the interval over which a leap second correction will be applied.
Recommended values for this option are between 7200 (2 hours) and 86400 (24
hours). DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS! See
<http://bugs.ntp.org/2855> for more information.
logconfig configkeyword
This command controls the amount and type of output
written to the system syslog(3) facility or the alternate log file. By
default, all output is turned on. All configkeyword keywords can be
prefixed with ‘=’, ‘ ’ and
‘-’, where ‘=’ sets the syslog(3) priority
mask, ‘’ adds and ‘-’
removes messages. syslog(3) messages can be controlled in four classes
(clock,peer,sys and sync). Within these classes four types of messages can be
controlled: informational messages (info), event messages (events), statistics
messages (statistics) and status messages (status).
Configuration keywords are formed by concatenating the message
class with the event class. The all prefix can be used instead of a
message class. A message class may also be followed by the all
keyword to enable/disable all messages of the respective message class.
Thus, a minimal log configuration could look like this:
logconfig =syncstatus +sysevents
This would just list the synchronizations state of ntpd(8) and the
major system events. For a simple reference server, the following minimum
message configuration could be useful:
logconfig =syncall +clockall
This configuration will list all clock information and
synchronization information. All other events and messages about peers,
system events and so on is suppressed.
logfile logfile
This command specifies the location of an alternate log
file to be used instead of the default system syslog(3) facility; this
is the same operation as the -l command line option.
If your ntpd runs for a long time, you probably want to use
logrotate or newsyslog to switch to a new log file occasionally. SIGHUP will
reopen the log file.
mru [maxdepth
count | maxmem kilobytes |
mindepth count |
maxage seconds |
minage seconds |
initalloc count |
initmem kilobytes |
incalloc count |
incmem kilobytes]
Controls size limits of the monitoring facility Most
Recently Used (MRU) list of client addresses, which is also used by the rate
control facility.
maxdepth count,
maxmem kilobytes
Equivalent upper limits on the size of the MRU list, in
terms of entries or kilobytes. The actual limit will be up to
incalloc entries or incmem
kilobytes larger. As with all of the mru options
offered in units of entries or kilobytes, if both
maxdepth and maxmem are used,
the last one used controls. The default is 1024 kilobytes.
mindepth count
The lower limit on the MRU list size. When the MRU list
has fewer than mindepth entries, existing entries are
never removed to make room for newer ones, regardless of their age. The
default is 600 entries.
maxage seconds,
minage seconds
If an address is not in the list, there are several
possible ways to find a slot for it.
1.If the list has fewer than
mindepth entries, a slot is allocated from the free
list; this is the normal case for a server without a lot of clients. If
clients come and go, for example, laptops going between home and work, the
default setup shows only the long term average.
2.If the age of the oldest slot is greater than
maxage, the oldest slot is recycled (default 3600
seconds).
3.If the freelist is not empty, a slot is allocated from
the free list.
4.If the freelist is empty but not full (see maxmem),
more memory is allocated (see incmem) and, a new slot is used.
5.If the age of the oldest slot is more than
minage, the oldest slot is recycled (default 64
seconds).
6.Otherwise, no slot is available.
initalloc count,
initmem kilobytes
Initial memory allocation at the time the monitoring
facility is first enabled, in terms of entries or kilobytes. The default is 4
kilobytes.
incalloc count,
incmem kilobytes
Size of additional memory allocations when growing the
MRU list, in entries or kilobytes. The default is 4 kilobytes.
nonvolatile threshold
Specify the threshold in seconds to write the
frequency file, with a default of 1e-7 (0.1 PPM). The frequency file is
inspected each hour. If the difference between the current frequency and the
last value written exceeds the threshold, the file is written, and the
threshold becomes the new threshold value. If the
threshold is not exceeded, it is reduced by half; this is intended to reduce
the frequency of unnecessary file writes for embedded systems with nonvolatile
memory.
phone dial ...
This command is used in conjunction with the ACTS modem
driver (type modem) or the JJY driver (type jjy). For ACTS, the arguments
consist of a maximum of 10 telephone numbers used to dial USNO, NIST or
European time services. For the jjy driver in modes 100-180, the argument is
one telephone number used to dial the telephone JJY service. The Hayes command
ATDT is normally prepended to the number, which can contain other modem
control codes as well.
reset [allpeers] [auth] [ctl] [io] [mem] [sys]
[timer]
Reset one or more groups of counters maintained by ntpd
and exposed by ntpq.
setvar variable
[default]
This command adds a system variable. These variables can
be used to distribute additional information such as the access policy. If the
variable of the form name=value is followed by the
default keyword, the variable will be listed as part
of the default system variables (ntpq(1) rv command). These additional
variables serve informational purposes only. They are not related to the
protocol other that they can be listed. The known protocol variables will
always override any variables defined via the setvar
mechanism. There are three special variables that contain the names of all
variable of the same group. The sys_var_list holds the
names of all system variables. The peer_var_list holds
the names of all peer variables and the clock_var_list
holds the names of the reference clock variables.
tinker [allan
allan | dispersion dispersion |
freq freq | huffpuff
huffpuff | panic panic |
step step | stepback
stepback | stepfwd stepfwd |
stepout stepout]
This command can be used to alter several system
variables in very exceptional circumstances. It should occur in the
configuration file before any other configuration options. The default values
of these variables have been carefully optimized for a wide range of network
speeds and reliability expectations. In general, they interact in intricate
ways that are hard to predict, and some combinations can result in some very
nasty behavior. Very rarely is it necessary to change the default values; but,
some folks cannot resist twisting the knobs anyway, and this command is for
them. Emphasis added: twisters are on their own and can expect no help from
the support group.
The variables operate as follows:
allan allan
The argument becomes the new value for the minimum Allan
intercept, which is a parameter of the PLL/FLL clock discipline algorithm. The
value in log2 seconds defaults to 11 (2048 s), which is also the lower
limit.
dispersion dispersion
The argument becomes the new value for the dispersion
increase rate, normally .000015 s/s.
freq freq
The argument becomes the initial value of the frequency
offset in parts-per-million; this overrides the value in the frequency file,
if present, and avoids the initial training state if it is not.
huffpuff huffpuff
The argument becomes the new value for the experimental
huff-n'-puff filter span, which determines the most recent interval the
algorithm will search for a minimum delay. The lower limit is 900 s (15 m),
but a more reasonable value is 7200 (2 hours). There is no default since the
filter is not enabled unless this command is given.
panic panic
The argument is the panic threshold, normally 1000 s. If
set to zero, the panic sanity check is disabled, and a clock offset of any
value will be accepted.
step step
The argument is the step threshold, which by default is
0.128 sec. It can be set to any positive number in seconds. If set to zero,
step adjustments will never occur. Note: The kernel time discipline is
disabled if the step threshold is set to zero or greater than the
default.
stepback stepback
The argument is the step threshold for the backward
direction, which by default is 0.128 sec. It can be set to any positive number
in seconds. If both the forward and backward step thresholds are set to zero,
step adjustments will never occur. Note: The kernel time discipline is
disabled if each direction of step threshold are either set to zero or greater
than .5 second.
stepfwd stepfwd
As for stepback, but for the forward direction.
stepout stepout
The argument is the stepout timeout, which by default is
900 s. It can be set to any positive number in seconds. If set to zero, the
stepout pulses will not be suppressed.
rlimit [memlock
megabytes | stacksize 4kPages |
filenum filedescriptors]
memlock megabytes
Ignored for backward compatibility.
stacksize 4kPages
Specifies the maximum size of the process stack on
systems with the mlockall() function. Defaults to 50
4k pages.
filenum filedescriptors
Specifies the maximum number of file descriptors ntpd may
have open at once. Defaults to the system default.
/etc/ntp.conf
the default name of the configuration file
ntp.keys
private keys
ntpd(8), ntpq(1).
In addition to the manual pages provided, comprehensive
documentation is available on the world wide web at
<https://www.ntpsec.org>. A snapshot of this documentation is
available in HTML format in /usr/share/doc/ntp.
The syntax checking is not picky; some combinations of ridiculous
and even hilarious options and modes may not be detected.
 Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.
|
