Steve Kostecke wrote:
On 2006-06-07, Richard B. Gilbert <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] wrote:
Steve Kostecke said:
[EMAIL PROTECTED] wrote:
That simple configuration is all you really need in almost all
cases.
Your sample configuration is a _very_ bad example.
Fine, please post what you consider to be a minimal configuration.
driftfile /var/ntp/ntp.drift
restrict default notrust nomodify
server <ip-address> iburst
restrict <ip-address> <ip mask> nomodify #Address of server above.
The restrict statements say by default trust no one to give you correct
time and allow no one to modify your ntpd parameters and to trust your
chosen server for time.
This minimal configuration will not work at all for NTP >= 4.2.
The meaning of notrust changed between NTP 4.1.x and NTP 4.2:
* In 4.1 (and earlier) notrust meant "Don't trust this host/subnet
for time".
* In 4.2 (and later) notrust means "Ignore all NTP packets that
are not cryptographically authenticated." This forces remote
time servers to authenticate themselves to your (client) ntpd.
See ConfiguringAutokey for information about configuring NTP
Authentication.
Then someone forgot to update the html documentation that shipped with
V4.2. ntpd.html says "For example, the <tt>notrust</tt> flag indicates
that hosts matching this entry, while treated normally in other
respects, shouldn't be trusted to provide synchronization even if
otherwise so enabled." If we can't believe the documentation, what can
we believe?
I hope that all involved have learned that changing the semantics of a
keyword like this is an EXTREMELY poor idea!
Since you have a new release in the works, perhaps the html documenation
should be checked and updated as necessary. Running a spell checker
against the html documentation shows that it is littered with
typographical and spelling errors; e.g. "certian" instead of "certain".
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
