Dennis,

There is a fundamental misunderstanding of the notrust option, understandable because the documentation is buggy. The notrust option applies to clients attempting to retrieve time from your server. The options are to supply time whether or not authenticated or to require authentication. This is done primarily to discourage unwanted traffic and is intended for use by the national labs.

What you want is the nopeer option, which prevents broadcast, manycast and symmetric peers from mobilizing associations and potentially synchronizing your clock. By preventing mobilization, this prevents any attempt to synchronize your clock by any outside source. The misunderstanding is in both NTPv3 (xntpd) and NTPv4 (ntpd). The current documentation at ntp.org accurately describes these options.

Dave

Dennis Hilberg Jr wrote:
> I forgot to include my ntp.conf. Here it is:
>
> # Default restriction.
>
> restrict default kod nomodify notrap nopeer noquery
>
> # Allow free access to localhost.
>
> restrict 127.0.0.1
>
> # Allow the local network access with the following modified restrictions.
>
> restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
>
> # Synchronization servers. Include at least three, but no more than five.
>
> server bigben.cac.washington.edu iburst
> server montpelier.ilan.caltech.edu iburst
> server tick.ucla.edu iburst
> server clock.xmission.com iburst
> server clepsydra.dec.com iburst
>
> # Drift file location
>
> driftfile /etc/ntp/drift
>
> # Location of the log file
>
> logfile /var/log/ntp/ntp.log
>
> # NTP monitoring parameters
>
> statsdir /var/log/ntp/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
> # Authentication parameters
>
> #keys /etc/ntp/keys
> #trustedkey 2 3 4
> #controlkey 3 # To access the ntpq utility
> #requestkey 2 # To access the ntpdc utility
>
>
> "Dennis Hilberg Jr" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> | On one instance I noticed that in the output of 'ntpq -p' one of my server's
> | clients was flagged with the '+'. notrust under version 4.2 and later now
> | means "Ignore all NTP packets that are not cryptographically authenticated"
> | instead of the 4.1 and earlier versions where it meant "Don't trust this
> | host/subnet for time." How do I specify with version 4.2 and later that I
> | only want the five server entries in the ntp.conf to be trusted for
> | synchronization? Or is this automatic, and that particular 'ntpq -p'
> | output a fluke?
> |
> | Thanks!
> |
> |
>
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
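The distinction Dave draws above (nopeer is what stops an outside host from mobilizing an association; notrust only decides whether unauthenticated clients are served time) is easy to check mechanically. The following is an added example, not code from the thread or from the NTP project: it parses the `restrict` statements of an ntp.conf and reports every non-loopback scope whose line lacks `nopeer`. The embedded configuration is constructed from the one Dennis quoted, with one extra `10.0.0.0/8` line added (an assumption, not in the original) that deliberately omits `nopeer` so the report has something to show.

```python
"""Audit the restrict lines of an ntp.conf for the nopeer option.

Added example, not code from the original thread. nopeer is the option that
stops broadcast, manycast and symmetric peers from mobilizing associations;
notrust only withholds time from clients that are not authenticated.
"""

# Constructed sample: the thread's ntp.conf plus one weakened restrict line
# (10.0.0.0/8 without nopeer) added here as an assumption for illustration.
SAMPLE_CONF = """\
# Default restriction.
restrict default kod nomodify notrap nopeer noquery
# Allow free access to localhost.
restrict 127.0.0.1
# Allow the local network access with the following modified restrictions.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
# Constructed extra subnet: nopeer is missing on purpose.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
server bigben.cac.washington.edu iburst
"""

# Loopback is left open in the thread's config so ntpq/ntpdc work locally.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_restrict_lines(conf_text):
    """Return (scope, flags) for every restrict statement in conf_text.

    scope is 'default', a bare address, or 'addr mask m'; flags is the set
    of option keywords after the scope. Comments after '#' are stripped and
    blank or non-restrict lines are skipped.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        if not tokens:
            continue
        if tokens[0] == "default":
            scope, rest = "default", tokens[1:]
        elif len(tokens) >= 3 and tokens[1] == "mask":
            scope, rest = f"{tokens[0]} mask {tokens[2]}", tokens[3:]
        else:
            scope, rest = tokens[0], tokens[1:]
        entries.append((scope, set(rest)))
    return entries


def audit_nopeer(conf_text):
    """Return non-loopback scopes whose restrict line lacks nopeer.

    An empty list means no outside address range is allowed to mobilize an
    association, which is the property Dennis was asking for.
    """
    return [
        scope
        for scope, flags in parse_restrict_lines(conf_text)
        if scope not in LOOPBACK and "nopeer" not in flags
    ]


def notrust_scopes(conf_text):
    """Return scopes carrying notrust, i.e. where clients must authenticate.

    Reported separately because notrust does not protect this host's clock;
    it only governs whether unauthenticated clients receive time.
    """
    return [s for s, f in parse_restrict_lines(conf_text) if "notrust" in f]


if __name__ == "__main__":
    for scope in audit_nopeer(SAMPLE_CONF):
        print(f"restrict {scope}: nopeer missing, outside host could mobilize an association")
    for scope in notrust_scopes(SAMPLE_CONF):
        print(f"restrict {scope}: notrust set, unauthenticated clients get no time")
```

Run against the sample, the only finding is the constructed `10.0.0.0 mask 255.0.0.0` line; the `default` and `192.168.1.0` lines from the thread already carry `nopeer`, and no line uses `notrust`, which matches Dave's point that the quoted configuration was already doing what Dennis wanted.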
