On 2008-02-12, Nick Bright <[EMAIL PROTECTED]> wrote:

> The resolution ended up being to comment out:
>
> restrict default ignore
>
> from the default ntpd.conf

Unfortunately the one bit of information you did _not_ post was your
ntp.conf. So no one here would have seen that.

> After I commented out that line, I was able to get updates from the 
> servers I had configured, as well as provide updates to client devices.

That's to be expected. 'restrict default ignore' tells ntpd to ignore
all NTP packets from any address by default (i.e. unless explicitly told
to allow an address/sub-net).

In the current versions of NTP (at the time this article was written)
there are no automatic exemptions for servers listed in ntp.conf. So you
have to include a relaxed restriction line for each remote time server,
and your authorized clients, when you use 'restrict default ignore'.

> For those coming upon this in a search engine result, please be advised 
> that this may have security implications that I don't know about...

The default behavior of ntpd is (to the best of my recollection):

        - Serve time to anyone who asks for it

        - Allow anyone to query the server stats (you do want to know
          those clocks that you are polling are synchronized, don't
          you?)

        - Block remote configuration messages unless (a) NTP
          authentication has been disabled OR (b) the symmetric keys
          have been configured AND the key-id / password information has
          been distributed to the authorized users. 

        - Allow anyone to become a passive-symmetric peer

        - Allow anyone to set a "monitor trap". ntpd sends (very
          infrequent) status change messages to the trap clients. These
          trap messages don't leak any more information than what is
          also available through ntpq/ntpdc. As far as we know there has
          only been one trap client implemented.

> For my application, the server is behind a hardware firewall in a
> fairly controlled network, so I'm not too concerned; but if you're
> running an internet server find out the proper command syntax for the
> most secure operation!

Version specific documentation for the ntpd access control options may
be found in the accopt.html file in the source tree for your version of
ntpd.

The distribution documentation for access control options may be found at
http://www.cis.udel.edu/~mills/ntp/html/accopt.html. This documentation
tracks the current development version of the NTP Reference
Implementation.

The community supported NTP documentation includes a guide to setting
access control options. This guide contains a check-list for helping you
set the correct default restriction for your application. Please visit
http://support.ntp.org/Support/AccessRestrictions.

_______________________________________________
questions mailing list
questions@lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions
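Editor's note: the following is an added example, not part of the message above and not ntpd code. It is a small audit script for the pitfall the thread describes: an ntp.conf that uses 'restrict default ignore' but lacks a relaxed 'restrict' line for each remote time server and for the clients it should serve. The function names (parse_ntp_conf, audit_ntp_conf) and the three sample configurations are constructed for illustration; the addresses are documentation ranges, not the poster's hosts. The script compares address tokens literally, so a server named by DNS and restricted by IP is reported as unmatched and has to be checked by hand.

```python
"""Audit an ntp.conf for 'restrict default ignore' with no matching
relaxed restrict lines.  Added example; not ntpd code, not from the post."""
from __future__ import annotations

import shlex

SOURCE_KEYWORDS = {"server", "peer", "pool", "manycastclient"}
FAMILY_FLAGS = {"-4", "-6"}  # address-family selectors, not restriction flags


def parse_ntp_conf(text: str):
    """Split an ntp.conf into time sources and restrict entries.

    Returns (sources, restricts): sources is a list of
    (keyword, host, [options]); restricts maps an address token
    ('default', an IP, or a name) to the set of restriction flags given
    for it.  A 'mask x.x.x.x' pair is dropped from the flags."""
    sources = []
    restricts: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword in SOURCE_KEYWORDS and args:
            sources.append((keyword, args[0], args[1:]))
        elif keyword == "restrict" and args:
            args = [a for a in args if a not in FAMILY_FLAGS]
            if not args:
                continue
            address, rest = args[0].lower(), args[1:]
            if rest[:1] == ["mask"] and len(rest) >= 2:
                rest = rest[2:]  # the netmask is not a flag
            restricts.setdefault(address, set()).update(f.lower() for f in rest)
    return sources, restricts


def audit_ntp_conf(text: str) -> dict:
    """Report configured sources that 'restrict default ignore' would block."""
    sources, restricts = parse_ntp_conf(text)
    default_flags = restricts.get("default", set())
    default_ignore = "ignore" in default_flags
    blocked = []
    for _keyword, host, _options in sources:
        flags = restricts.get(host.lower())
        # A host with no line of its own falls through to the default;
        # an explicit 'ignore' on its own line blocks it just the same.
        if default_ignore and (flags is None or "ignore" in flags):
            blocked.append(host)
    findings = []
    if not default_flags:
        findings.append("no 'restrict default' line: ntpd serves time and "
                        "answers status queries from any address")
    if blocked:
        findings.append("restrict default ignore blocks configured sources: "
                        + ", ".join(blocked))
    return {"default_ignore": default_ignore,
            "blocked_sources": blocked,
            "findings": findings}


# Constructed configs (not the poster's file) for the three cases.
BROKEN_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
server 192.0.2.10
server 192.0.2.11
"""

FIXED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
# one relaxed line per remote server: take its time, nothing else
restrict 192.0.2.10 nomodify notrap nopeer noquery
restrict 192.0.2.11 nomodify notrap nopeer noquery
server 192.0.2.10
server 192.0.2.11
# the LAN clients this host serves
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap nopeer noquery
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
# non-ignoring default: time is exchanged, remote query/modify is refused
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 192.0.2.10
server 192.0.2.11
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
```

The third sample shows the alternative most deployments use instead of 'ignore': a non-ignoring default line that still refuses remote modification and status queries needs no per-server exemptions, because time packets from the configured servers are still accepted under it. Whichever default you pick, run the audit (or the check-list linked above) after every edit to ntp.conf.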
