ntp.conf4 File
Purpose
Controls the operation and behaviour of the Network Time Protocol (NTP) ntpd daemon.
Description
The ntp.conf file is a basic configuration file controlling the ntpd daemon.
Configuration Options
There are two classes of commands, configuration commands that configure an association with a remote server, peer or reference clock, and auxiliary commands that specify environmental variables that control various related operations:
Configuration Commands
There are two classes of commands, configuration commands that configure an association with a remote server, peer or reference clock, and auxiliary commands that specify environmental variables that control various related operations:
server address [options ...]
peer address [options ...]
broadcast address [options ...]
manycastclient address [options ...]These four
commands specify the time server name or address to be used and the
mode in which to operate. The address can be either a DNS name or
an IP address in dotted-quad notation. Additional information on association
behavior can be found in the Association Management page.
| Command | Description |
|---|---|
| server | For type s and r addresses (only), this command normally mobilizes a persistent client mode association with the specified remote server or local reference clock. If the preempt flag is specified, a peerutable association is mobilized instead. In client mode the client clock can synchronize to the remote server or local reference clock, but the remote server can never be synchronized to the client clock. This command should NOT be used for type b or m addresses. |
| peer | For type s addresses (only), this command mobilizes a persistent symmetric-active mode association with the specified remote peer. In this mode the local clock can be synchronized to the remote peer or the remote peer can be synchronized to the local clock. This is useful in a network of servers where, depending on various failure scenarios, either the local or remote peer may be the better source of time. This command should NOT be used for type b, m or r addresses. |
| broadcast | For type b and m addresses (only), this command mobilizes a persistent broadcast mode association. Multiple commands can be used to specify multiple local broadcast interfaces (subnets) and/or multiple multicast groups. Note that local broadcast messages go only to the interface associated with the subnet specified, but multicast messages go to all interfaces. In broadcast mode the local server sends periodic broadcast messages to a client population at the address specified, which is usually the broadcast address on (one of) the local network(s) or a multicast address assigned to NTP. The IANA has assigned the multicast group address IPv4 224.0.1.1 and IPv6 ff05::101 (site local) exclusively to NTP, but other nonconflicting addresses can be used to contain the messages within administrative boundaries. Ordinarily, this specification applies only to the local server operating as a sender; for operation as a broadcast client, see the broadcastclient or multicastclient commands below. |
| manycastclient | For type m addresses (only), this command mobilizes a preemptable manycast client mode association for the multicast group address specified. In this mode a specific address must be supplied which matches the address used on the manycastserver command for the designated manycast servers. The NTP multicast address 224.0.1.1 assigned by the IANA should NOT be used, unless specific means are taken to avoid spraying large areas of the Internet with these messages and causing a possibly massive implosion of replies at the sender. The manycastclient command specifies that the host is to operate in client mode with the remote servers that are discovered as the result of broadcast/multicast messages. The client broadcasts a request message to the group address associated with the specified address and specifically enabled servers respond to these messages. The client selects the servers providing the best time and continues as with the server command. The remaining servers are discarded. |
Command options
| Command | Options |
|---|---|
| autokey | All packets sent to and received from the server or peer are to include authentication fields encrypted using the autokey scheme described in the Authentication Options page. This option is valid with all commands. |
| burst | When the server is reachable, send a burst of eight packets instead of the usual one. The packet spacing is normally 2 s; however, the spacing between the first and second packets can be changed with the calldelay command to allow additional time for a modem or ISDN call to complete. This option is valid with only the server command and is a recommended option with this command when the maxpoll option is 11 or greater. |
| iburst | When the server is unreachable, send a burst of eight packets instead of the usual one. The packet spacing is normally 2 s; however, the spacing between the first and second packets can be changed with the calldelay command to allow additional time for a modem or ISDN call to complete. This option is valid with only the server command and is a recommended option with this command. |
| key key | All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified key identifier with values from 1 to 65534, inclusive. The default is to include no encryption field. This option is valid with all commands. |
| minpoll minpollmaxpoll maxpoll | These options specify the minimum and maximum poll intervals for NTP messages, in seconds as a power of two. The maximum poll interval defaults to 10 (1,024 s), but can be increased by the maxpoll option to an upper limit of 17 (36.4 h). The minimum poll interval defaults to 6 (64 s), but can be decreased by the minpoll option to a lower limit of 4 (16s). These option are valid only with the server and peer commands. |
| noselect | Marks the server as unused, except for display purposes. The server is discarded by the selection algorithm. This option is valid only with the server and peer commands. |
| preempt | Specifies the association as preemptable rather than the default persistent. This option is valid only with the server command. |
| prefer | Marks the server as preferred. All other things being equal, this host will be chosen for synchronization among a set of correctly operating hosts. See the Mitigation Rules and the prefer Keyword page for further information. This option is valid only with the server and peer commands. |
| true | Force the association to assume truechimer status;
that is, always survive the selection and clustering algorithms. This
option can be used with any association, but is most useful for reference
clocks with large jitter on the serial port and precision pulse-per-second
(PPS) signals. Note: This option defeats the algorithms designed to
cast out falsetickers and can allow these sources to set the system
clock. This option is valid only with the server and peer commands.
|
| ttl ttl | This option is used only with broadcast server and manycast client modes. It specifies the time-to-live ttl to use on broadcast server and multicast server and the maximum ttl for the expanding ring search with manycast client packets. Selection of the proper value, which defaults to 127, is something of a black art and should be coordinated with the network administrator. |
| version version | Specifies the version number to be used for outgoing NTP packets. Versions 1-4 are the choices, with version 4 the default. This option is valid only with the server, peer and broadcast commands. |
Auxiliary Commands
| Command | Decription |
|---|---|
| broadcastclient [novolley] | This command enables reception of broadcast server messages
to any local interface (type b) address. Ordinarily, upon receiving
a message for the first time, the broadcast client measures the nominal
server propagation delay using a brief client/server exchange with
the server, after which it continues in listen-only mode. If the novolley
keyword is present, the exchange is not used and the value specified
in the broadcastdelay command is used or, if the broadcastdelay command is not used, the default 4.0 ms. Note: In order to avoid
accidental or malicious disruption in this mode, both the server and
client should operate using symmetric key or public key authentication
as described in the Authentication Options page. Note that the novolley keyword is incompatible with public key authentication.
|
| manycastserver address [...] | This command enables reception of manycast client messages
to the multicast group address(es) (type m) specified. At least one
address is required. The NTP multicast address 224.0.1.1 assigned
by the IANA should NOT be used, unless specific means are taken to
limit the span of the reply and avoid a possibly massive implosion
at the original sender. Note: In order to avoid accidental or malicious
disruption in this mode, both the server and client should operate
using symmetric key or public key authentication as described in the
Authentication Options page.
|
| multicastclient address [...] | This command enables reception of multicast server messages
to the multicast group address(es) (type m) specified. Upon receiving
a message for the first time, the multicast client measures the nominal
server propagation delay using a brief client/server exchange with
the server, then enters the broadcast client mode, in which it synchronizes
to succeeding multicast messages. Note: In order to avoid accidental
or malicious disruption in this mode, both the server and client should
operate using symmetric key or public key authentication.
Note
that, |
Configuration access control options
The ntpd daemon implements a general purpose address/mask based restriction list. The list contains address/match entries sorted first by increasing address values and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list. The list is searched in order with the last match found defining the restriction flags associated with the entry.
While this facility may be useful for keeping unwanted or broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.
Clients can be denied service because they are explicitly included in the restrict list created by the restrict command or implicitly as the result of cryptographic or rate limit violations. Cryptographic violations include certificate or identity verification failure; rate limit violations generally result from defective NTP implementations that send packets at abusive rates. Some violations cause denied service only for the offending packet, others cause denied service for a timed period and others cause the denied service for an indefinite period. When a client or network is denied access for an indefinite period, the only way at present to remove the restrictions is by restarting the server.
| Command | Description |
|---|---|
| discard [ average avg ][ minimum min ] [ monitor prob ] | Set the parameters of the limited facility which protects the server from client abuse. The average subcommand specifies the minimum average packet spacing, while the minimum subcommand specifies the minimum packet spacing. Packets that violate these minima are discarded and a kiss-o'-death packet returned if enabled. The default minimum average and minimum are 5 and 2, respectively. The monitor subcommand specifies the probability of discard for packets that overflow the rate-control window. |
| restrict address [mask mask] [flag][...] | The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note that text string default, with no mask option, may be used to indicate the default entry. |
In the current implementation, flag always restricts access, therefore, an entry with no flags indicates that free access to the server is to be given. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two categories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:
| Flags | Description |
|---|---|
| ignore | Deny packets of all kinds, including ntpq and ntpdc queries. |
| kod | If this flag is set when an access violation occurs, a kiss-o'-death (KoD) packet is sent. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped. |
| limited | Deny service if the packet spacing violates the lower limits specified in the discard command. A history of clients is kept using the monitoring capability of the ntpd command. Monitoring is always active as long as there is a restriction entry with the limited flag. |
| lowpriotrap | Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. |
| nomodify | Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted. |
| noquery | Deny ntpq and ntpdc queries. Time service is not affected. |
| nopeer | Deny packets which would result in mobilizing a new association. This includes broadcast, symmetric-active and manycast client packets when a configured association does not exist. |
| noserve | Deny all packets except ntpq and ntpdc queries. |
| notrap | Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdq control message protocol which is intended for use by remote event logging programs. |
| notrust | Deny packets unless the packet is cryptographically authenticated. |
| ntpport | This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both ntpport and non-ntpport may be specified. The ntpport is considered more specific and is sorted later in the list. |
| version | Deny packets that do not match the current NTP version. |
Default restriction list entries with the flags ignore, interface, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).
Configuration authentication options
Authentication support allows the NTP client to verify that the server is in fact known and trusted and not an intruder intending accidentally or on purpose to masquerade as that server. The NTPv3 specification RFC-1305 defines a scheme which provides cryptographic authentication of received NTP packets. Originally, this was done using the Data Encryption Standard (DES) algorithm operating in Cipher Block Chaining (CBC) mode, commonly called DES-CBC. Subsequently, this was replaced by the RSA Message Digest 5 (MD5) algorithm using a private key, commonly called keyed-MD5. Either algorithm computes a message digest, or one-way hash, which can be used to verify the server has the correct private key and key identifier.
NTPv4 retains the NTPv3 scheme, properly described as symmetric key cryptography, and, in addition, provides a new Autokey scheme based on public key cryptography. Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on a private value which is generated by each host and never revealed. With the exception of the group key described later, all key distribution and management functions involve only public values, which considerably simplifies key distribution and storage. Public key management is based on X.509 certificates, which can be provided by commercial services or produced by utility programs in the OpenSSL software library or the NTPv4 distribution.
| Commands | Description |
|---|---|
| autokey [logsec] | Specifies the interval between regenerations of the session key list used with the Autokey protocol. Note that the size of the key list for each association depends on this interval and the current poll interval. The default value is 12 (4096 s or about 1.1 hours). For poll intervals above the specified interval, a session key list with a single entry will be regenerated for every message sent. |
| controlkey key | Specifies the key identifier to use with the ntpq utility, which uses the standard protocol defined in RFC-1305. The key argument is the key identifier for a trusted key, where the value can be in the range 1 to 65,534, inclusive. |
| crypto [cert file] [leap file] [randfile file] [host file] [sign file] [ident scheme] [iffpar file] [gqpar file] [mvpar file] [pw password] | This command requires the OpenSSL library. It activates public key cryptography, selects the message digest and signature encryption scheme and loads the required private and public values described above. If one or more files are left unspecified, the default names are used as described above. Unless the complete path and name of the file are specified, the location of a file is relative to the keys directory specified in the keysdir command or default /usr/local/ etc. |
Following are the sub commands.
| Subcommands | Description |
|---|---|
| cert file | Specifies the location of the required host public certificate
file. This overrides the link ntpkey_cert_hostname in the keys directory. |
| gqpar file | Specifies the location of the client GQ parameters file. This
overrides the link ntpkey_gq_hostname in the keys
directory. |
| host file | Specifies the location of the required host key file. This
overrides the link ntpkey_key_hostname in the keys
directory. |
| ident scheme | Requests the server identity scheme, which can be IFF, GQ or MV. This is used when the host will not be a server for a dependent client. |
| iffpar file | Specifies the location of the optional IFF parameters
file. This overrides the link ntpkey_iff_hostname in the keys directory. |
| leap file | Specifies the location of the client leapsecond
file. This overrides the link ntpkey_leap in the
keys directory. |
| mv | Requests the MV server identity scheme. |
| mvpar file | Specifies the location of the client MV parameters
file. This overrides the link ntpkey_mv_hostname in
the keys directory. |
| pw password | Specifies the password to decrypt files containing private keys and identity parameters. This is required only if these files have been encrypted. |
| randfile file | Specifies the location of the random seed file used by the OpenSSL library. The defaults are described in the main text above. |
| sign file | Specifies the location of the optional sign
key file. This overrides the link ntpkey_sign_hostname in the keys directory. If this file is not found, the host key
is also the sign key. |
| keys keyfile | Specifies the complete path and location of the MD5 key file containing the keys and key identifiers used by ntpd, ntpq and ntpdc when operating with symmetric key cryptography. This is the same operation as the -k command line option. |
| keysdir path | This command specifies the default directory path for cryptographic keys, parameters and certificates. The default is /usr/local/etc/. |
| requestkey key | Specifies the key identifier to use with the ntpdc utility program, which uses a proprietary protocol specific to this implementation of ntpd. The key argument is a key identifier for the trusted key, where the value can be in the range 1 to 65,534, inclusive. |
| revoke [logsec] | Specifies the interval between re-randomization of certain cryptographic values used by the Autokey scheme, as a power of 2 in seconds. These values need to be updated frequently in order to deflect brute-force attacks on the algorithms of the scheme; however, updating some values is a relatively expensive operation. The default interval is 16 (65,536 s or about 18 hours). For poll intervals above the specified interval, the values will be updated for every message sent |
| trustedkey key [...] | Specifies the key identifiers which are trusted for the purposes of authenticating peers with symmetric key cryptography, as well as keys used by the ntpqand ntpdc programs. The authentication procedures require that both the local and remote servers share the same key and key identifier for this purpose, although different keys can be used with different servers. The key arguments are 32-bit unsigned integers with values from 1 to 65,534. |
Configuration monitoring options
ntpd includes a comprehensive monitoring facility suitable for continuous, long term recording of server and client timekeeping performance. See the statistics command below for a listing and example of each type of statistics currently supported. Statistic files are managed using file generation sets and scripts in the ./scripts directory of this distribution. Using these facilities and UNIX cron jobs, the data can be automatically summarized and archived for retrospective analysis.
| Commands | Description |
|---|---|
| statistics name [...] | Enables writing of statistics records. Currently, six kinds of namestatistics are supported. |
| clockstats | Enables recording of clock driver statistics information. Each update received from a clock
driver appends a line of the following form to the file generation set named clockstats:
|
| cryptostats | This option requires the OpenSSL cryptographic software library. It enables recording of
cryptographic public key protocol information. Each message received by the protocol module appends
a line of the following form to the file generation set named cryptostats:
|
| loopstats | Enables recording of loop filter statistics information. Each update of the
local clock outputs a line of the following form to the file generation set named loopstats:
|
| peerstats | Enables recording of peer statistics information. This includes statistics
records of all peers of a NTP server and of special signals, where present and configured. Each
valid update appends a line of the following form to the current element of a file generation set
named peerstats:
|
| rawstats | Enables recording of raw-timestamp statistics information. This includes
statistics records of all peers of a NTP server and of special signals, where present and
configured. Each NTP message received from a peer or clock driver appends a line of the following
form to the file generation set named rawstats:
|
| sysstats | Enables recording of ntpd statistics counters on a periodic basis. Each hour a
line of the following form is appended to the file generation set named sysstats:
|
| timingstats | ONLY available when the deamon is compiled with process time debugging support
(--enable-debug-timing - costs performance). Enables recording of ntpd processing time information
for various selected code paths:
|
| statsdir directory_path | Indicates the full path of a directory where statistics files should be created (see below). This keyword allows the (otherwise constant) filegen filename prefix to be modified for file generation sets, which is useful for handling statistics logs. |
| filegen name [file filename] [type typename] [link | nolink] [enable | disable] | Configures setting of generation file set name. Generation file sets provide a
means for handling files that are continuously growing during the lifetime of a server. Server
statistics are a typical example for such files. Generation file sets provide access to a set of
files used to store the actual data. At any time at most one element of the set is being written to.
The type given specifies when and how data will be directed to a new element of the set. This way,
information stored in elements of a file set that are currently unused are available for
administrative operations without the risk of disturbing the operation of ntpd. (Most important:
they can be removed to free space for new data produced.) Note: Note that this command can be sent
from the ntpdc program running at a remote location.
|
| Commands | Description |
|---|---|
| filegen name [file filename] [type typename] [link | nolink] [enable | disable] |
|
Miscellaneous configuration options
| Commands | Options |
|---|---|
| broadcastdelay seconds | The broadcast and multicast modes require a special calibration to determine the network delay between the local and remote servers. Ordinarily, this is done automatically by the initial protocol exchanges between the client and server. In some cases, the calibration procedure may fail due to network or server access controls, for example. This command specifies the default delay to be used under these circumstances. Typically (for Ethernet), a number between 0.003 and 0.007 seconds is appropriate. The default when this command is not used is 0.004 seconds. |
| calldelay delay | This option controls the delay in seconds between the first and second packets sent in burst or iburst mode to allow additional time for a modem or ISDN call to complete. |
| driftfile driftfile [ minutes [ tolerance ]] | This command specifies the complete path and name of the file used to record the frequency of
the local clock oscillator. This is the same operation as the -f command link e
option. If the file exists, it is read at startup in order to set the initial frequency and then
updated once per hour with the current frequency computed by the daemon. If the file name is
specified, but the file itself does not exist, the starts with an initial frequency of zero and
creates the file when writing it for the first time. If this command is not given, the daemon will
always start with an initial frequency of zero. The file format consists of a single line containing a single floating point number, which records the frequency offset measured in parts-per-million (PPM). The file is updated by first writing the current drift value into a temporary file and then renaming this file to replace the old version. This implies that ntpd must have write permission for the directory the drift file is located in, and that file system links, symbolic or otherwise, should be avoided. The two optional values determine how often the file is written, and are particuarly useful when is it desirable to avoid spinning up the disk unnecessarily. The parameter minutes is how often the file will be written. If omitted or less than 1, the interval will be 60 minutes (one hour). The parameter tolerance is the threshold to skip writing the new value. If the new value is within tolerance percent of the last value written (compared out to 3 decimal places), the write will be skipped. The default is 0.0, which means that the write will occur unless the current and previous values are the same. A tolerance of .1 equates roughly to a difference in the 2nd decimal place. |
| enable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats disable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats] | Provides a way to enable or disable various system options. Flags not
mentioned are unaffected. Note that all of these flags can be controlled remotely using the ntpdc
utility program.
|
| includefile includefile | This command allows additional configuration commands to be included from a separate file. Include files may be nested to a depth of five; upon reaching the end of any include file, command processing resumes in the previous configuration file. This option is useful for sites that run ntpd on multiple hosts, with (mostly) common options (e.g., a restriction list). |
| logconfig configkeyword | This command controls the amount and type of output written to the system
syslog facility or the alternate logfile log file. All configkeyword keywords can be prefixed with
=, + and -, where = sets the syslogmask, + adds and - removes messages. syslog messages can be
controlled in four classes (clock, peer, sys and sync). Within these classes four types of messages
can be controlled: informational messages (info), event messages (events), statistics messages
(statistics) and status messages (status). Configuration keywords are formed by concatenating the
message class with the event class. The all prefix can be used instead of a message class. A message
class may also be followed by the all keyword to enable/disable all messages of the respective
message class. By default, logconfig output is set to allsync.Thus, a minimal log configuration
could look like this: |
| logfile logfile | This command specifies the location of an alternate log file to be used instead of the default system syslog facility. This is the same operation as the -l command line option. |
| phone dial1 dial2 ... | This command is used in conjunction with the ACTS modem driver (type 18). The arguments consist of a maximum of 10 telephone numbers used to dial USNO, NIST or European time services. The Hayes command ATDT is normally prepended to the number, which can contain other modem control codes as well. |
| setvar variable [default] | This command adds an additional system variable. These variables can be used to distribute additional information such as the access policy. If the variable of the form name = value is followed by the default keyword, the variable will be listed as part of the default system variables (ntpq rv command). These additional variables serve informational purposes only. They are not related to the protocol other that they can be listed. The known protocol variables will always override any variables defined via the setvar mechanism. There are three special variables that contain the names of all variable of the same group. The sys_var_list holds the names of all system variables. The peer_var_list holds the names of all peer variables and the clock_var_list holds the names of the reference clock variables. |
| tinker [ allan allan | dispersion dispersion | freq freq | huffpuff huffpuff | panic panic | step step | stepout stepout ] | This command can be used to alter several system variables in very exceptional
circumstances. It should occur in the configuration file before any other configuration options. The
default values of these variables have been carefully optimized for a wide range of network speeds
and reliability expectations. In general, they interact in intricate ways that are hard to predict
and some combinations can result in some very nasty behavior. Very rarely is it necessary to change
the default values; but, some folks can't resist twisting the knobs anyway and this command is for
them. Emphasis added: twisters are on their own and can expect no help from the support group. The
variables operate as follows:
|
Files
/etc/ntp.conf
Specifies the path to the file.