1 /* -*- Mode: Text -*- */
3 autogen definitions options;
7 // We want the synopsis to be "/etc/ntp.conf" but we need the prog-name
8 // to be ntp.conf - the latter is also how autogen produces the output
10 prog-name = "ntp.conf";
11 file-path = "/etc/ntp.conf";
12 prog-title = "Network Time Protocol (NTP) daemon configuration file format";
14 /* explain: Additional information whenever the usage routine is invoked */
15 explain = <<- _END_EXPLAIN
19 ds-type = 'DESCRIPTION';
21 ds-text = <<- _END_PROG_MDOC_DESCRIP
24 configuration file is read at initial startup by the
26 daemon in order to specify the synchronization sources,
27 modes and other related information.
28 Usually, it is installed in the
31 but could be installed elsewhere
36 The file format is similar to other
41 character and extend to the end of the line;
42 blank lines are ignored.
43 Configuration commands consist of an initial keyword
44 followed by a list of arguments,
45 some of which may be optional, separated by whitespace.
46 Commands may not be continued over multiple lines.
47 Arguments may be host names,
48 host addresses written in numeric, dotted-quad form,
49 integers, floating point numbers (when specifying times in seconds)
52 The rest of this page describes the configuration and control options.
54 .Qq Notes on Configuring NTP and Setting up an NTP Subnet
56 (available as part of the HTML documentation
58 .Pa /usr/share/doc/ntp )
59 contains an extended discussion of these options.
60 In addition to the discussion of general
61 .Sx Configuration Options ,
62 there are sections describing the following supported functionality
63 and the options used to control it:
64 .Bl -bullet -offset indent
66 .Sx Authentication Support
68 .Sx Monitoring Support
70 .Sx Access Control Support
72 .Sx Automatic NTP Configuration Options
74 .Sx Reference Clock Support
76 .Sx Miscellaneous Options
79 Following these is a section describing
80 .Sx Miscellaneous Options .
81 While there is a rich set of options available,
82 the only required option is one or more
90 .Sh Configuration Support
91 Following is a description of the configuration commands in
93 These commands have the same basic functions as in NTPv3 and
94 in some cases new functions and new arguments.
96 classes of commands, configuration commands that configure a
97 persistent association with a remote server or peer or reference
98 clock, and auxiliary commands that specify environmental variables
99 that control various related operations.
100 .Ss Configuration Commands
101 The various modes are determined by the command keyword and the
102 type of the required IP address.
103 Addresses are classed by type as
104 (s) a remote server or peer (IPv4 class A, B and C), (b) the
105 broadcast address of a local interface, (m) a multicast address (IPv4
106 class D), or (r) a reference clock address (127.127.x.x).
108 only those options applicable to each command are listed below.
110 of options not listed may not be caught as an error, but may result
111 in some weird and even destructive behavior.
113 If the Basic Socket Interface Extensions for IPv6 (RFC-2553)
114 is detected, support for the IPv6 address family is generated
115 in addition to the default support of the IPv4 address family.
116 In a few cases, including the reslist billboard generated
117 by ntpdc, IPv6 addresses are automatically generated.
118 IPv6 addresses can be identified by the presence of colons
120 in the address field.
121 IPv6 addresses can be used almost everywhere where
122 IPv4 addresses can be used,
123 with the exception of reference clock addresses,
124 which are always IPv4.
126 Note that in contexts where a host name is expected, a
129 the host name forces DNS resolution to the IPv4 namespace,
132 qualifier forces DNS resolution to the IPv6 namespace.
133 See IPv6 references for the
134 equivalent classes for that address family.
135 .Bl -tag -width indent
136 .It Xo Ic pool Ar address
139 .Op Cm version Ar version
141 .Op Cm minpoll Ar minpoll
142 .Op Cm maxpoll Ar maxpoll
144 .It Xo Ic server Ar address
145 .Op Cm key Ar key \&| Cm autokey
148 .Op Cm version Ar version
150 .Op Cm minpoll Ar minpoll
151 .Op Cm maxpoll Ar maxpoll
153 .It Xo Ic peer Ar address
154 .Op Cm key Ar key \&| Cm autokey
155 .Op Cm version Ar version
157 .Op Cm minpoll Ar minpoll
158 .Op Cm maxpoll Ar maxpoll
160 .It Xo Ic broadcast Ar address
161 .Op Cm key Ar key \&| Cm autokey
162 .Op Cm version Ar version
164 .Op Cm minpoll Ar minpoll
167 .It Xo Ic manycastclient Ar address
168 .Op Cm key Ar key \&| Cm autokey
169 .Op Cm version Ar version
171 .Op Cm minpoll Ar minpoll
172 .Op Cm maxpoll Ar maxpoll
177 These five commands specify the time server name or address to
178 be used and the mode in which to operate.
182 either a DNS name or an IP address in dotted-quad notation.
183 Additional information on association behavior can be found in the
184 .Qq Association Management
186 (available as part of the HTML documentation
188 .Pa /usr/share/doc/ntp ) .
189 .Bl -tag -width indent
191 For type s addresses, this command mobilizes a persistent
192 client mode association with a number of remote servers.
193 In this mode the local clock can synchronized to the
194 remote server, but the remote server can never be synchronized to
197 For type s and r addresses, this command mobilizes a persistent
198 client mode association with the specified remote server or local
200 In this mode the local clock can synchronized to the
201 remote server, but the remote server can never be synchronized to
208 For type s addresses (only), this command mobilizes a
209 persistent symmetric-active mode association with the specified
211 In this mode the local clock can be synchronized to
212 the remote peer or the remote peer can be synchronized to the local
214 This is useful in a network of servers where, depending on
215 various failure scenarios, either the local or remote peer may be
216 the better source of time.
217 This command should NOT be used for type
220 For type b and m addresses (only), this
221 command mobilizes a persistent broadcast mode association.
223 commands can be used to specify multiple local broadcast interfaces
224 (subnets) and/or multiple multicast groups.
226 broadcast messages go only to the interface associated with the
227 subnet specified, but multicast messages go to all interfaces.
228 In broadcast mode the local server sends periodic broadcast
229 messages to a client population at the
231 specified, which is usually the broadcast address on (one of) the
232 local network(s) or a multicast address assigned to NTP.
234 has assigned the multicast group address IPv4 224.0.1.1 and
235 IPv6 ff05::101 (site local) exclusively to
236 NTP, but other nonconflicting addresses can be used to contain the
237 messages within administrative boundaries.
239 specification applies only to the local server operating as a
240 sender; for operation as a broadcast client, see the
246 .It Ic manycastclient
247 For type m addresses (only), this command mobilizes a
248 manycast client mode association for the multicast address
250 In this case a specific address must be supplied which
251 matches the address used on the
254 the designated manycast servers.
255 The NTP multicast address
256 224.0.1.1 assigned by the IANA should NOT be used, unless specific
257 means are taken to avoid spraying large areas of the Internet with
258 these messages and causing a possibly massive implosion of replies
262 command specifies that the local server
263 is to operate in client mode with the remote servers that are
264 discovered as the result of broadcast/multicast messages.
266 client broadcasts a request message to the group address associated
269 and specifically enabled
270 servers respond to these messages.
271 The client selects the servers
272 providing the best time and continues as with the
275 The remaining servers are discarded as if never
280 .Bl -tag -width indent
282 All packets sent to and received from the server or peer are to
283 include authentication fields encrypted using the autokey scheme
285 .Sx Authentication Options .
287 when the server is reachable, send a burst of eight packets
288 instead of the usual one.
289 The packet spacing is normally 2 s;
290 however, the spacing between the first and second packets
291 can be changed with the calldelay command to allow
292 additional time for a modem or ISDN call to complete.
293 This is designed to improve timekeeping quality
296 command and s addresses.
298 When the server is unreachable, send a burst of eight packets
299 instead of the usual one.
300 The packet spacing is normally 2 s;
301 however, the spacing between the first two packets can be
302 changed with the calldelay command to allow
303 additional time for a modem or ISDN call to complete.
304 This is designed to speed the initial synchronization
307 command and s addresses and when
313 All packets sent to and received from the server or peer are to
314 include authentication fields encrypted using the specified
316 identifier with values from 1 to 65534, inclusive.
318 default is to include no encryption field.
319 .It Cm minpoll Ar minpoll
320 .It Cm maxpoll Ar maxpoll
321 These options specify the minimum and maximum poll intervals
322 for NTP messages, as a power of 2 in seconds
324 interval defaults to 10 (1,024 s), but can be increased by the
326 option to an upper limit of 17 (36.4 h).
328 minimum poll interval defaults to 6 (64 s), but can be decreased by
331 option to a lower limit of 4 (16 s).
333 Marks the server as unused, except for display purposes.
334 The server is discarded by the selection algroithm.
336 Marks the server as preferred.
337 All other things being equal,
338 this host will be chosen for synchronization among a set of
339 correctly operating hosts.
341 .Qq Mitigation Rules and the prefer Keyword
343 (available as part of the HTML documentation
345 .Pa /usr/share/doc/ntp )
346 for further information.
348 This option is used only with broadcast server and manycast
350 It specifies the time-to-live
353 use on broadcast server and multicast server and the maximum
355 for the expanding ring search with manycast
357 Selection of the proper value, which defaults to
358 127, is something of a black art and should be coordinated with the
359 network administrator.
360 .It Cm version Ar version
361 Specifies the version number to be used for outgoing NTP
363 Versions 1-4 are the choices, with version 4 the
366 .Ss Auxiliary Commands
367 .Bl -tag -width indent
368 .It Ic broadcastclient
369 This command enables reception of broadcast server messages to
370 any local interface (type b) address.
371 Upon receiving a message for
372 the first time, the broadcast client measures the nominal server
373 propagation delay using a brief client/server exchange with the
374 server, then enters the broadcast client mode, in which it
375 synchronizes to succeeding broadcast messages.
377 to avoid accidental or malicious disruption in this mode, both the
378 server and client should operate using symmetric-key or public-key
379 authentication as described in
380 .Sx Authentication Options .
381 .It Ic manycastserver Ar address ...
382 This command enables reception of manycast client messages to
383 the multicast group address(es) (type m) specified.
385 address is required, but the NTP multicast address 224.0.1.1
386 assigned by the IANA should NOT be used, unless specific means are
387 taken to limit the span of the reply and avoid a possibly massive
388 implosion at the original sender.
389 Note that, in order to avoid
390 accidental or malicious disruption in this mode, both the server
391 and client should operate using symmetric-key or public-key
392 authentication as described in
393 .Sx Authentication Options .
394 .It Ic multicastclient Ar address ...
395 This command enables reception of multicast server messages to
396 the multicast group address(es) (type m) specified.
398 a message for the first time, the multicast client measures the
399 nominal server propagation delay using a brief client/server
400 exchange with the server, then enters the broadcast client mode, in
401 which it synchronizes to succeeding multicast messages.
403 in order to avoid accidental or malicious disruption in this mode,
404 both the server and client should operate using symmetric-key or
405 public-key authentication as described in
406 .Sx Authentication Options .
407 .It Ic mdnstries Ar number
408 If we are participating in mDNS,
409 after we have synched for the first time
410 we attempt to register with the mDNS system.
411 If that registration attempt fails,
412 we try again at one minute intervals for up to
417 may be starting before mDNS.
418 The default value for
422 .Sh Authentication Support
423 Authentication support allows the NTP client to verify that the
424 server is in fact known and trusted and not an intruder intending
425 accidentally or on purpose to masquerade as that server.
427 specification RFC-1305 defines a scheme which provides
428 cryptographic authentication of received NTP packets.
430 this was done using the Data Encryption Standard (DES) algorithm
431 operating in Cipher Block Chaining (CBC) mode, commonly called
433 Subsequently, this was replaced by the RSA Message Digest
434 5 (MD5) algorithm using a private key, commonly called keyed-MD5.
435 Either algorithm computes a message digest, or one-way hash, which
436 can be used to verify the server has the correct private key and
439 NTPv4 retains the NTPv3 scheme, properly described as symmetric key
440 cryptography and, in addition, provides a new Autokey scheme
441 based on public key cryptography.
442 Public key cryptography is generally considered more secure
443 than symmetric key cryptography, since the security is based
444 on a private value which is generated by each server and
446 With Autokey all key distribution and
447 management functions involve only public values, which
448 considerably simplifies key distribution and storage.
449 Public key management is based on X.509 certificates,
450 which can be provided by commercial services or
451 produced by utility programs in the OpenSSL software library
452 or the NTPv4 distribution.
454 While the algorithms for symmetric key cryptography are
455 included in the NTPv4 distribution, public key cryptography
456 requires the OpenSSL software library to be installed
457 before building the NTP distribution.
458 Directions for doing that
459 are on the Building and Installing the Distribution page.
461 Authentication is configured separately for each association
472 configuration commands as described in
473 .Sx Configuration Options
476 options described below specify the locations of the key files,
477 if other than default, which symmetric keys are trusted
478 and the interval between various operations, if other than default.
480 Authentication is always enabled,
481 although ineffective if not configured as
483 If a NTP packet arrives
484 including a message authentication
485 code (MAC), it is accepted only if it
486 passes all cryptographic checks.
488 checks require correct key ID, key value
491 been modified in any way or replayed
492 by an intruder, it will fail one or more
493 of these checks and be discarded.
494 Furthermore, the Autokey scheme requires a
495 preliminary protocol exchange to obtain
496 the server certificate, verify its
497 credentials and initialize the protocol
501 flag controls whether new associations or
502 remote configuration commands require cryptographic authentication.
503 This flag can be set or reset by the
507 commands and also by remote
508 configuration commands sent by a
512 If this flag is enabled, which is the default
513 case, new broadcast client and symmetric passive associations and
514 remote configuration commands must be cryptographically
515 authenticated using either symmetric key or public key cryptography.
517 flag is disabled, these operations are effective
518 even if not cryptographic
520 It should be understood
521 that operating with the
523 flag disabled invites a significant vulnerability
524 where a rogue hacker can
525 masquerade as a falseticker and seriously
526 disrupt system timekeeping.
528 important to note that this flag has no purpose
529 other than to allow or disallow
530 a new association in response to new broadcast
531 and symmetric active messages
532 and remote configuration commands and, in particular,
533 the flag has no effect on
534 the authentication process itself.
536 An attractive alternative where multicast support is available
537 is manycast mode, in which clients periodically troll
538 for servers as described in the
539 .Sx Automatic NTP Configuration Options
541 Either symmetric key or public key
542 cryptographic authentication can be used in this mode.
543 The principle advantage
544 of manycast mode is that potential servers need not be
545 configured in advance,
546 since the client finds them during regular operation,
547 and the configuration
548 files for all clients can be identical.
550 The security model and protocol schemes for
551 both symmetric key and public key
552 cryptography are summarized below;
553 further details are in the briefings, papers
554 and reports at the NTP project page linked from
555 .Li http://www.ntp.org/ .
556 .Ss Symmetric-Key Cryptography
557 The original RFC-1305 specification allows any one of possibly
558 65,534 keys, each distinguished by a 32-bit key identifier, to
559 authenticate an association.
560 The servers and clients involved must
561 agree on the key and key identifier to
562 authenticate NTP packets.
564 related information are specified in a key
567 which must be distributed and stored using
568 secure means beyond the scope of the NTP protocol itself.
569 Besides the keys used
570 for ordinary NTP associations,
571 additional keys can be used as passwords for the
579 is first started, it reads the key file specified in the
581 configuration command and installs the keys
584 individual keys must be activated with the
588 allows, for instance, the installation of possibly
589 several batches of keys and
590 then activating or deactivating each batch
592 .Xr ntpdc 1ntpdcmdoc .
593 This also provides a revocation capability that can be used
594 if a key becomes compromised.
597 command selects the key used as the password for the
601 command selects the key used as the password for the
604 .Ss Public Key Cryptography
605 NTPv4 supports the original NTPv3 symmetric key scheme
606 described in RFC-1305 and in addition the Autokey protocol,
607 which is based on public key cryptography.
608 The Autokey Version 2 protocol described on the Autokey Protocol
609 page verifies packet integrity using MD5 message digests
610 and verifies the source with digital signatures and any of several
611 digest/signature schemes.
612 Optional identity schemes described on the Identity Schemes
613 page and based on cryptographic challenge/response algorithms
615 Using all of these schemes provides strong security against
616 replay with or without modification, spoofing, masquerade
617 and most forms of clogging attacks.
619 .\" The cryptographic means necessary for all Autokey operations
620 .\" is provided by the OpenSSL software library.
621 .\" This library is available from http://www.openssl.org/
622 .\" and can be installed using the procedures outlined
623 .\" in the Building and Installing the Distribution page.
625 .\" the configure and build
626 .\" process automatically detects the library and links
627 .\" the library routines required.
629 The Autokey protocol has several modes of operation
630 corresponding to the various NTP modes supported.
631 Most modes use a special cookie which can be
632 computed independently by the client and server,
633 but encrypted in transmission.
634 All modes use in addition a variant of the S-KEY scheme,
635 in which a pseudo-random key list is generated and used
637 These schemes are described along with an executive summary,
638 current status, briefing slides and reading list on the
639 .Sx Autonomous Authentication
642 The specific cryptographic environment used by Autokey servers
643 and clients is determined by a set of files
644 and soft links generated by the
645 .Xr ntp-keygen 1ntpkeygenmdoc
647 This includes a required host key file,
648 required certificate file and optional sign key file,
649 leapsecond file and identity scheme files.
651 digest/signature scheme is specified in the X.509 certificate
652 along with the matching sign key.
653 There are several schemes
654 available in the OpenSSL software library, each identified
655 by a specific string such as
656 .Cm md5WithRSAEncryption ,
657 which stands for the MD5 message digest with RSA
659 The current NTP distribution supports
660 all the schemes in the OpenSSL library, including
661 those based on RSA and DSA digital signatures.
663 NTP secure groups can be used to define cryptographic compartments
664 and security hierarchies.
665 It is important that every host
666 in the group be able to construct a certificate trail to one
667 or more trusted hosts in the same group.
669 host runs the Autokey protocol to obtain the certificates
670 for all hosts along the trail to one or more trusted hosts.
671 This requires the configuration file in all hosts to be
672 engineered so that, even under anticipated failure conditions,
673 the NTP subnet will form such that every group host can find
674 a trail to at least one trusted host.
675 .Ss Naming and Addressing
676 It is important to note that Autokey does not use DNS to
677 resolve addresses, since DNS can't be completely trusted
678 until the name servers have synchronized clocks.
679 The cryptographic name used by Autokey to bind the host identity
680 credentials and cryptographic values must be independent
681 of interface, network and any other naming convention.
682 The name appears in the host certificate in either or both
683 the subject and issuer fields, so protection against
684 DNS compromise is essential.
686 By convention, the name of an Autokey host is the name returned
689 system call or equivalent in other systems.
691 model, there are no provisions to allow alternate names or aliases.
692 However, this is not to say that DNS aliases, different names
693 for each interface, etc., are constrained in any way.
695 It is also important to note that Autokey verifies authenticity
696 using the host name, network address and public keys,
697 all of which are bound together by the protocol specifically
698 to deflect masquerade attacks.
699 For this reason Autokey
700 includes the source and destinatino IP addresses in message digest
701 computations and so the same addresses must be available
702 at both the server and client.
703 For this reason operation
704 with network address translation schemes is not possible.
705 This reflects the intended robust security model where government
706 and corporate NTP servers are operated outside firewall perimeters.
708 A specific combination of authentication scheme (none,
709 symmetric key, public key) and identity scheme is called
710 a cryptotype, although not all combinations are compatible.
711 There may be management configurations where the clients,
712 servers and peers may not all support the same cryptotypes.
713 A secure NTPv4 subnet can be configured in many ways while
714 keeping in mind the principles explained above and
716 Note however that some cryptotype
717 combinations may successfully interoperate with each other,
718 but may not represent good security practice.
720 The cryptotype of an association is determined at the time
721 of mobilization, either at configuration time or some time
722 later when a message of appropriate cryptotype arrives.
727 configuration command and no
731 subcommands are present, the association is not
732 authenticated; if the
734 subcommand is present, the association is authenticated
735 using the symmetric key ID specified; if the
737 subcommand is present, the association is authenticated
740 When multiple identity schemes are supported in the Autokey
741 protocol, the first message exchange determines which one is used.
742 The client request message contains bits corresponding
743 to which schemes it has available.
744 The server response message
745 contains bits corresponding to which schemes it has available.
746 Both server and client match the received bits with their own
747 and select a common scheme.
749 Following the principle that time is a public value,
750 a server responds to any client packet that matches
751 its cryptotype capabilities.
752 Thus, a server receiving
753 an unauthenticated packet will respond with an unauthenticated
754 packet, while the same server receiving a packet of a cryptotype
755 it supports will respond with packets of that cryptotype.
756 However, unconfigured broadcast or manycast client
757 associations or symmetric passive associations will not be
758 mobilized unless the server supports a cryptotype compatible
759 with the first packet received.
760 By default, unauthenticated associations will not be mobilized
761 unless overridden in a decidedly dangerous way.
763 Some examples may help to reduce confusion.
764 Client Alice has no specific cryptotype selected.
765 Server Bob has both a symmetric key file and minimal Autokey files.
766 Alice's unauthenticated messages arrive at Bob, who replies with
767 unauthenticated messages.
768 Cathy has a copy of Bob's symmetric
769 key file and has selected key ID 4 in messages to Bob.
770 Bob verifies the message with his key ID 4.
772 same key and the message is verified, Bob sends Cathy a reply
773 authenticated with that key.
774 If verification fails,
775 Bob sends Cathy a thing called a crypto-NAK, which tells her
777 She can see the evidence using the
781 Denise has rolled her own host key and certificate.
782 She also uses one of the identity schemes as Bob.
783 She sends the first Autokey message to Bob and they
784 both dance the protocol authentication and identity steps.
785 If all comes out okay, Denise and Bob continue as described above.
787 It should be clear from the above that Bob can support
788 all the girls at the same time, as long as he has compatible
789 authentication and identity credentials.
790 Now, Bob can act just like the girls in his own choice of servers;
791 he can run multiple configured associations with multiple different
792 servers (or the same server, although that might not be useful).
793 But, wise security policy might preclude some cryptotype
794 combinations; for instance, running an identity scheme
795 with one server and no authentication with another might not be wise.
797 The cryptographic values used by the Autokey protocol are
798 incorporated as a set of files generated by the
799 .Xr ntp-keygen 1ntpkeygenmdoc
800 utility program, including symmetric key, host key and
801 public certificate files, as well as sign key, identity parameters
802 and leapseconds files.
803 Alternatively, host and sign keys and
804 certificate files can be generated by the OpenSSL utilities
805 and certificates can be imported from public certificate
807 Note that symmetric keys are necessary for the
812 The remaining files are necessary only for the
815 Certificates imported from OpenSSL or public certificate
816 authorities have certian limitations.
817 The certificate should be in ASN.1 syntax, X.509 Version 3
818 format and encoded in PEM, which is the same format
820 The overall length of the certificate encoded
821 in ASN.1 must not exceed 1024 bytes.
822 The subject distinguished
823 name field (CN) is the fully qualified name of the host
824 on which it is used; the remaining subject fields are ignored.
825 The certificate extension fields must not contain either
826 a subject key identifier or a issuer key identifier field;
827 however, an extended key usage field for a trusted host must
830 Other extension fields are ignored.
831 .Ss Authentication Commands
832 .Bl -tag -width indent
833 .It Ic autokey Op Ar logsec
834 Specifies the interval between regenerations of the session key
835 list used with the Autokey protocol.
836 Note that the size of the key
837 list for each association depends on this interval and the current
839 The default value is 12 (4096 s or about 1.1 hours).
840 For poll intervals above the specified interval, a session key list
841 with a single entry will be regenerated for every message
843 .It Ic controlkey Ar key
844 Specifies the key identifier to use with the
846 utility, which uses the standard
847 protocol defined in RFC-1305.
851 the key identifier for a trusted key, where the value can be in the
852 range 1 to 65,534, inclusive.
856 .Op Cm randfile Ar file
861 .Op Cm iffpar Ar file
863 .Op Cm pw Ar password
865 This command requires the OpenSSL library.
866 It activates public key
867 cryptography, selects the message digest and signature
868 encryption scheme and loads the required private and public
869 values described above.
870 If one or more files are left unspecified,
871 the default names are used as described above.
872 Unless the complete path and name of the file are specified, the
873 location of a file is relative to the keys directory specified
878 Following are the subcommands:
879 .Bl -tag -width indent
881 Specifies the location of the required host public certificate file.
882 This overrides the link
883 .Pa ntpkey_cert_ Ns Ar hostname
884 in the keys directory.
886 Specifies the location of the optional GQ parameters file.
889 .Pa ntpkey_gq_ Ns Ar hostname
890 in the keys directory.
892 Specifies the location of the required host key file.
895 .Pa ntpkey_key_ Ns Ar hostname
896 in the keys directory.
897 .It Cm iffpar Ar file
898 Specifies the location of the optional IFF parameters file.This
900 .Pa ntpkey_iff_ Ns Ar hostname
901 in the keys directory.
903 Specifies the location of the optional leapsecond file.
904 This overrides the link
906 in the keys directory.
908 Specifies the location of the optional MV parameters file.
911 .Pa ntpkey_mv_ Ns Ar hostname
912 in the keys directory.
913 .It Cm pw Ar password
914 Specifies the password to decrypt files containing private keys and
916 This is required only if these files have been
918 .It Cm randfile Ar file
919 Specifies the location of the random seed file used by the OpenSSL
921 The defaults are described in the main text above.
923 Specifies the location of the optional sign key file.
926 .Pa ntpkey_sign_ Ns Ar hostname
927 in the keys directory.
929 not found, the host key is also the sign key.
931 .It Ic keys Ar keyfile
932 Specifies the complete path and location of the MD5 key file
933 containing the keys and key identifiers used by
938 when operating with symmetric key cryptography.
939 This is the same operation as the
942 .It Ic keysdir Ar path
943 This command specifies the default directory path for
944 cryptographic keys, parameters and certificates.
946 .Pa /usr/local/etc/ .
947 .It Ic requestkey Ar key
948 Specifies the key identifier to use with the
950 utility program, which uses a
951 proprietary protocol specific to this implementation of
955 argument is a key identifier
956 for the trusted key, where the value can be in the range 1 to
958 .It Ic revoke Ar logsec
959 Specifies the interval between re-randomization of certain
960 cryptographic values used by the Autokey scheme, as a power of 2 in
962 These values need to be updated frequently in order to
963 deflect brute-force attacks on the algorithms of the scheme;
964 however, updating some values is a relatively expensive operation.
965 The default interval is 16 (65,536 s or about 18 hours).
967 intervals above the specified interval, the values will be updated
968 for every message sent.
969 .It Ic trustedkey Ar key ...
970 Specifies the key identifiers which are trusted for the
971 purposes of authenticating peers with symmetric key cryptography,
972 as well as keys used by the
977 The authentication procedures require that both the local
978 and remote servers share the same key and key identifier for this
979 purpose, although different keys can be used with different
983 arguments are 32-bit unsigned
984 integers with values from 1 to 65,534.
987 The following error codes are reported via the NTP control
988 and monitoring protocol trap mechanism.
989 .Bl -tag -width indent
991 .Pq bad field format or length
992 The packet has invalid version, length or format.
995 The packet timestamp is the same or older than the most recent received.
996 This could be due to a replay or a server clock time step.
999 The packet filestamp is the same or older than the most recent received.
1000 This could be due to a replay or a key file generation error.
1002 .Pq bad or missing public key
1003 The public key is missing, has incorrect format or is an unsupported type.
1005 .Pq unsupported digest type
1006 The server requires an unsupported digest/signature scheme.
1008 .Pq mismatched digest types
1011 .Pq bad signature length
1012 The signature length does not match the current public key.
1014 .Pq signature not verified
1015 The message fails the signature check.
1016 It could be bogus or signed by a
1017 different private key.
1019 .Pq certificate not verified
1020 The certificate is invalid or signed with the wrong key.
1022 .Pq certificate not verified
1023 The certificate is not yet valid or has expired or the signature could not
1026 .Pq bad or missing cookie
1027 The cookie is missing, corrupted or bogus.
1029 .Pq bad or missing leapseconds table
1030 The leapseconds table is missing, corrupted or bogus.
1032 .Pq bad or missing certificate
1033 The certificate is missing, corrupted or bogus.
1035 .Pq bad or missing identity
1036 The identity key is missing, corrupt or bogus.
1038 .Sh Monitoring Support
1040 includes a comprehensive monitoring facility suitable
1041 for continuous, long term recording of server and client
1042 timekeeping performance.
1046 for a listing and example of each type of statistics currently
1048 Statistic files are managed using file generation sets
1051 directory of this distribution.
1053 these facilities and
1056 jobs, the data can be
1057 automatically summarized and archived for retrospective analysis.
1058 .Ss Monitoring Commands
1059 .Bl -tag -width indent
1060 .It Ic statistics Ar name ...
1061 Enables writing of statistics records.
1062 Currently, eight kinds of
1064 statistics are supported.
1065 .Bl -tag -width indent
1067 Enables recording of clock driver statistics information.
1069 received from a clock driver appends a line of the following form to
1070 the file generation set named
1073 49213 525.624 127.127.4.1 93 226 00:08:29.606 D
1076 The first two fields show the date (Modified Julian Day) and time
1077 (seconds and fraction past UTC midnight).
1078 The next field shows the
1079 clock address in dotted-quad notation.
1080 The final field shows the last
1081 timecode received from the clock in decoded ASCII format, where
1083 In some clock drivers a good deal of additional information
1084 can be gathered and displayed as well.
1085 See information specific to each
1086 clock for further details.
1088 This option requires the OpenSSL cryptographic software library.
1090 enables recording of cryptographic public key protocol information.
1091 Each message received by the protocol module appends a line of the
1092 following form to the file generation set named
1095 49213 525.624 127.127.4.1 message
1098 The first two fields show the date (Modified Julian Day) and time
1099 (seconds and fraction past UTC midnight).
1100 The next field shows the peer
1101 address in dotted-quad notation, The final message field includes the
1102 message type and certain ancillary information.
1104 .Sx Authentication Options
1105 section for further information.
1107 Enables recording of loop filter statistics information.
1109 update of the local clock outputs a line of the following form to
1110 the file generation set named
1113 50935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
1116 The first two fields show the date (Modified Julian Day) and
1117 time (seconds and fraction past UTC midnight).
1118 The next five fields
1119 show time offset (seconds), frequency offset (parts per million -
1120 PPM), RMS jitter (seconds), Allan deviation (PPM) and clock
1121 discipline time constant.
1123 Enables recording of peer statistics information.
1125 statistics records of all peers of a NTP server and of special
1126 signals, where present and configured.
1127 Each valid update appends a
1128 line of the following form to the current element of a file
1129 generation set named
1132 48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674
1135 The first two fields show the date (Modified Julian Day) and
1136 time (seconds and fraction past UTC midnight).
1138 show the peer address in dotted-quad notation and status,
1140 The status field is encoded in hex in the format
1141 described in Appendix A of the NTP specification RFC 1305.
1142 The final four fields show the offset,
1143 delay, dispersion and RMS jitter, all in seconds.
1145 Enables recording of raw-timestamp statistics information.
1147 includes statistics records of all peers of a NTP server and of
1148 special signals, where present and configured.
1150 received from a peer or clock driver appends a line of the
1151 following form to the file generation set named
1154 50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000
1157 The first two fields show the date (Modified Julian Day) and
1158 time (seconds and fraction past UTC midnight).
1160 show the remote peer or clock address followed by the local address
1161 in dotted-quad notation.
1162 The final four fields show the originate,
1163 receive, transmit and final NTP timestamps in order.
1165 values are as received and before processing by the various data
1166 smoothing and mitigation algorithms.
1168 Enables recording of ntpd statistics counters on a periodic basis.
1170 hour a line of the following form is appended to the file generation
1174 50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
1177 The first two fields show the date (Modified Julian Day) and time
1178 (seconds and fraction past UTC midnight).
1179 The remaining ten fields show
1180 the statistics counter values accumulated since the last generated
1182 .Bl -tag -width indent
1183 .It Time since restart Cm 36000
1184 Time in hours since the system was last rebooted.
1185 .It Packets received Cm 81965
1186 Total number of packets received.
1187 .It Packets processed Cm 0
1188 Number of packets received in response to previous packets sent
1189 .It Current version Cm 9546
1190 Number of packets matching the current NTP version.
1191 .It Previous version Cm 56
1192 Number of packets matching the previous NTP version.
1193 .It Bad version Cm 71793
1194 Number of packets matching neither NTP version.
1195 .It Access denied Cm 512
1196 Number of packets denied access for any reason.
1197 .It Bad length or format Cm 540
1198 Number of packets with invalid length, format or port number.
1199 .It Bad authentication Cm 10
1200 Number of packets not verified as authentic.
1201 .It Rate exceeded Cm 147
1202 Number of packets discarded due to rate limitation.
1204 .It Cm statsdir Ar directory_path
1205 Indicates the full path of a directory where statistics files
1206 should be created (see below).
1208 the (otherwise constant)
1210 filename prefix to be modified for file generation sets, which
1211 is useful for handling statistics logs.
1212 .It Cm filegen Ar name Xo
1213 .Op Cm file Ar filename
1214 .Op Cm type Ar typename
1215 .Op Cm link | nolink
1216 .Op Cm enable | disable
1218 Configures setting of generation file set name.
1220 file sets provide a means for handling files that are
1221 continuously growing during the lifetime of a server.
1222 Server statistics are a typical example for such files.
1223 Generation file sets provide access to a set of files used
1224 to store the actual data.
1225 At any time at most one element
1226 of the set is being written to.
1227 The type given specifies
1228 when and how data will be directed to a new element of the set.
1229 This way, information stored in elements of a file set
1230 that are currently unused are available for administrational
1231 operations without the risk of disturbing the operation of ntpd.
1232 (Most important: they can be removed to free space for new data
1235 Note that this command can be sent from the
1236 .Xr ntpdc 1ntpdcmdoc
1237 program running at a remote location.
1238 .Bl -tag -width indent
1240 This is the type of the statistics records, as shown in the
1243 .It Cm file Ar filename
1244 This is the file name for the statistics records.
1246 members are built from three concatenated elements
1251 .Bl -tag -width indent
1253 This is a constant filename path.
1254 It is not subject to
1255 modifications via the
1258 It is defined by the
1259 server, usually specified as a compile-time constant.
1261 however, be configurable for individual file generation sets
1263 For example, the prefix used with
1267 generation can be configured using the
1269 option explained above.
1271 This string is directly concatenated to the prefix mentioned
1272 above (no intervening
1274 This can be modified using
1275 the file argument to the
1281 allowed in this component to prevent filenames referring to
1282 parts outside the filesystem hierarchy denoted by
1285 This part is reflects individual elements of a file set.
1287 generated according to the type of a file set.
1289 .It Cm type Ar typename
1290 A file generation set is characterized by its type.
1292 types are supported:
1293 .Bl -tag -width indent
1295 The file set is actually a single plain file.
1297 One element of file set is used per incarnation of a ntpd
1299 This type does not perform any changes to file set
1300 members during runtime, however it provides an easy way of
1301 separating files belonging to different
1303 server incarnations.
1304 The set member filename is built by appending a
1311 appending the decimal representation of the process ID of the
1315 One file generation set element is created per day.
1317 defined as the period between 00:00 and 24:00 UTC.
1319 member suffix consists of a
1321 and a day specification in
1325 is a 4-digit year number (e.g., 1992).
1327 is a two digit month number.
1329 is a two digit day number.
1330 Thus, all information written at 10 December 1992 would end up
1333 .Ar filename Ns .19921210 .
1335 Any file set member contains data related to a certain week of
1337 The term week is defined by computing day-of-year
1339 Elements of such a file generation set are
1340 distinguished by appending the following suffix to the file set
1341 filename base: A dot, a 4-digit year number, the letter
1343 and a 2-digit week number.
1344 For example, information from January,
1345 10th 1992 would end up in a file with suffix
1346 .No . Ns Ar 1992W1 .
1348 One generation file set element is generated per month.
1350 file name suffix consists of a dot, a 4-digit year number, and
1353 One generation file element is generated per year.
1355 suffix consists of a dot and a 4 digit year number.
1357 This type of file generation sets changes to a new element of
1358 the file set every 24 hours of server operation.
1360 suffix consists of a dot, the letter
1362 and an 8-digit number.
1363 This number is taken to be the number of seconds the server is
1364 running at the start of the corresponding 24-hour period.
1365 Information is only written to a file generation by specifying
1367 output is prevented by specifying
1370 .It Cm link | nolink
1371 It is convenient to be able to access the current element of a file
1372 generation set by a fixed name.
1373 This feature is enabled by
1378 If link is specified, a
1379 hard link from the current file set element to a file without
1381 When there is already a file with this name and
1382 the number of links of this file is one, it is renamed appending a
1385 and the pid of the ntpd server process.
1387 number of links is greater than one, the file is unlinked.
1389 allows the current file to be accessed by a constant name.
1390 .It Cm enable \&| Cm disable
1391 Enables or disables the recording function.
1395 .Sh Access Control Support
1398 daemon implements a general purpose address/mask based restriction
1400 The list contains address/match entries sorted first
1401 by increasing address values and and then by increasing mask values.
1402 A match occurs when the bitwise AND of the mask and the packet
1403 source address is equal to the bitwise AND of the mask and
1404 address in the list.
1405 The list is searched in order with the
1406 last match found defining the restriction flags associated
1408 Additional information and examples can be found in the
1409 .Qq Notes on Configuring NTP and Setting up a NTP Subnet
1411 (available as part of the HTML documentation
1413 .Pa /usr/share/doc/ntp ) .
1415 The restriction facility was implemented in conformance
1416 with the access policies for the original NSFnet backbone
1418 Later the facility was expanded to deflect
1419 cryptographic and clogging attacks.
1420 While this facility may
1421 be useful for keeping unwanted or broken or malicious clients
1422 from congesting innocent servers, it should not be considered
1423 an alternative to the NTP authentication facilities.
1424 Source address based restrictions are easily circumvented
1425 by a determined cracker.
1427 Clients can be denied service because they are explicitly
1428 included in the restrict list created by the restrict command
1429 or implicitly as the result of cryptographic or rate limit
1431 Cryptographic violations include certificate
1432 or identity verification failure; rate limit violations generally
1433 result from defective NTP implementations that send packets
1435 Some violations cause denied service
1436 only for the offending packet, others cause denied service
1437 for a timed period and others cause the denied service for
1438 an indefinate period.
1439 When a client or network is denied access
1440 for an indefinate period, the only way at present to remove
1441 the restrictions is by restarting the server.
1442 .Ss The Kiss-of-Death Packet
1443 Ordinarily, packets denied service are simply dropped with no
1444 further action except incrementing statistics counters.
1446 more proactive response is needed, such as a server message that
1447 explicitly requests the client to stop sending and leave a message
1448 for the system operator.
1449 A special packet format has been created
1450 for this purpose called the "kiss-of-death" (KoD) packet.
1451 KoD packets have the leap bits set unsynchronized and stratum set
1452 to zero and the reference identifier field set to a four-byte
1458 flag of the matching restrict list entry is set,
1459 the code is "DENY"; if the
1461 flag is set and the rate limit
1462 is exceeded, the code is "RATE".
1463 Finally, if a cryptographic violation occurs, the code is "CRYP".
1465 A client receiving a KoD performs a set of sanity checks to
1466 minimize security exposure, then updates the stratum and
1467 reference identifier peer variables, sets the access
1468 denied (TEST4) bit in the peer flash variable and sends
1469 a message to the log.
1470 As long as the TEST4 bit is set,
1471 the client will send no further packets to the server.
1472 The only way at present to recover from this condition is
1473 to restart the protocol at both the client and server.
1475 happens automatically at the client when the association times out.
1476 It will happen at the server only if the server operator cooperates.
1477 .Ss Access Control Commands
1478 .Bl -tag -width indent
1480 .Op Cm average Ar avg
1481 .Op Cm minimum Ar min
1482 .Op Cm monitor Ar prob
1484 Set the parameters of the
1486 facility which protects the server from
1490 subcommand specifies the minimum average packet
1493 subcommand specifies the minimum packet spacing.
1494 Packets that violate these minima are discarded
1495 and a kiss-o'-death packet returned if enabled.
1497 minimum average and minimum are 5 and 2, respectively.
1498 The monitor subcommand specifies the probability of discard
1499 for packets that overflow the rate-control window.
1500 .It Xo Ic restrict address
1506 argument expressed in
1507 dotted-quad form is the address of a host or network.
1510 argument can be a valid host DNS name.
1513 argument expressed in dotted-quad form defaults to
1514 .Cm 255.255.255.255 ,
1517 is treated as the address of an individual host.
1518 A default entry (address
1522 is always included and is always the first entry in the list.
1523 Note that text string
1525 with no mask option, may
1526 be used to indicate the default entry.
1527 In the current implementation,
1530 restricts access, i.e., an entry with no flags indicates that free
1531 access to the server is to be given.
1532 The flags are not orthogonal,
1533 in that more restrictive flags will often make less restrictive
1535 The flags can generally be classed into two
1536 categories, those which restrict time service and those which
1537 restrict informational queries and attempts to do run-time
1538 reconfiguration of the server.
1539 One or more of the following flags
1541 .Bl -tag -width indent
1543 Deny packets of all kinds, including
1546 .Xr ntpdc 1ntpdcmdoc
1549 If this flag is set when an access violation occurs, a kiss-o'-death
1550 (KoD) packet is sent.
1551 KoD packets are rate limited to no more than one
1553 If another KoD packet occurs within one second after the
1554 last one, the packet is dropped.
1556 Deny service if the packet spacing violates the lower limits specified
1557 in the discard command.
1558 A history of clients is kept using the
1559 monitoring capability of
1560 .Xr ntpd 1ntpdmdoc .
1561 Thus, monitoring is always active as
1562 long as there is a restriction entry with the
1566 Declare traps set by matching hosts to be low priority.
1568 number of traps a server can maintain is limited (the current limit
1570 Traps are usually assigned on a first come, first served
1571 basis, with later trap requestors being denied service.
1573 modifies the assignment algorithm by allowing low priority traps to
1574 be overridden by later requests for normal priority traps.
1579 .Xr ntpdc 1ntpdcmdoc
1580 queries which attempt to modify the state of the
1581 server (i.e., run time reconfiguration).
1582 Queries which return
1583 information are permitted.
1588 .Xr ntpdc 1ntpdcmdoc
1590 Time service is not affected.
1592 Deny packets which would result in mobilizing a new association.
1594 includes broadcast and symmetric active packets when a configured
1595 association does not exist.
1598 associations, so if you want to use servers from a
1600 directive and also want to use
1602 by default, you'll want a
1603 .Cm "restrict source ..." line as well that does
1609 Deny all packets except
1612 .Xr ntpdc 1ntpdcmdoc
1615 Decline to provide mode 6 control message trap service to matching
1617 The trap service is a subsystem of the ntpdq control message
1618 protocol which is intended for use by remote event logging programs.
1620 Deny service unless the packet is cryptographically authenticated.
1622 This is actually a match algorithm modifier, rather than a
1624 Its presence causes the restriction entry to be
1625 matched only if the source port in the packet is the standard NTP
1635 is considered more specific and
1636 is sorted later in the list.
1638 Deny packets that do not match the current NTP version.
1641 Default restriction list entries with the flags ignore, interface,
1642 ntpport, for each of the local host's interface addresses are
1643 inserted into the table at startup to prevent the server
1644 from attempting to synchronize to its own time.
1645 A default entry is also always present, though if it is
1646 otherwise unconfigured; no flags are associated
1647 with the default entry (i.e., everything besides your own
1648 NTP server is unrestricted).
1650 .Sh Automatic NTP Configuration Options
1652 Manycasting is a automatic discovery and configuration paradigm
1654 It is intended as a means for a multicast client
1655 to troll the nearby network neighborhood to find cooperating
1656 manycast servers, validate them using cryptographic means
1657 and evaluate their time values with respect to other servers
1658 that might be lurking in the vicinity.
1659 The intended result is that each manycast client mobilizes
1660 client associations with some number of the "best"
1661 of the nearby manycast servers, yet automatically reconfigures
1662 to sustain this number of servers should one or another fail.
1664 Note that the manycasting paradigm does not coincide
1665 with the anycast paradigm described in RFC-1546,
1666 which is designed to find a single server from a clique
1667 of servers providing the same service.
1668 The manycast paradigm is designed to find a plurality
1669 of redundant servers satisfying defined optimality criteria.
1671 Manycasting can be used with either symmetric key
1672 or public key cryptography.
1673 The public key infrastructure (PKI)
1674 offers the best protection against compromised keys
1675 and is generally considered stronger, at least with relatively
1677 It is implemented using the Autokey protocol and
1678 the OpenSSL cryptographic library available from
1679 .Li http://www.openssl.org/ .
1680 The library can also be used with other NTPv4 modes
1681 as well and is highly recommended, especially for broadcast modes.
1683 A persistent manycast client association is configured
1684 using the manycastclient command, which is similar to the
1685 server command but with a multicast (IPv4 class
1690 The IANA has designated IPv4 address 224.1.1.1
1691 and IPv6 address FF05::101 (site local) for NTP.
1692 When more servers are needed, it broadcasts manycast
1693 client messages to this address at the minimum feasible rate
1694 and minimum feasible time-to-live (TTL) hops, depending
1695 on how many servers have already been found.
1696 There can be as many manycast client associations
1697 as different group address, each one serving as a template
1698 for a future ephemeral unicast client/server association.
1700 Manycast servers configured with the
1702 command listen on the specified group address for manycast
1704 Note the distinction between manycast client,
1705 which actively broadcasts messages, and manycast server,
1706 which passively responds to them.
1707 If a manycast server is
1708 in scope of the current TTL and is itself synchronized
1709 to a valid source and operating at a stratum level equal
1710 to or lower than the manycast client, it replies to the
1711 manycast client message with an ordinary unicast server message.
1713 The manycast client receiving this message mobilizes
1714 an ephemeral client/server association according to the
1715 matching manycast client template, but only if cryptographically
1716 authenticated and the server stratum is less than or equal
1717 to the client stratum.
1718 Authentication is explicitly required
1719 and either symmetric key or public key (Autokey) can be used.
1720 Then, the client polls the server at its unicast address
1721 in burst mode in order to reliably set the host clock
1722 and validate the source.
1723 This normally results
1724 in a volley of eight client/server at 2-s intervals
1725 during which both the synchronization and cryptographic
1726 protocols run concurrently.
1727 Following the volley,
1728 the client runs the NTP intersection and clustering
1729 algorithms, which act to discard all but the "best"
1730 associations according to stratum and synchronization
1732 The surviving associations then continue
1733 in ordinary client/server mode.
1735 The manycast client polling strategy is designed to reduce
1736 as much as possible the volume of manycast client messages
1737 and the effects of implosion due to near-simultaneous
1738 arrival of manycast server messages.
1739 The strategy is determined by the
1740 .Ic manycastclient ,
1744 configuration commands.
1745 The manycast poll interval is
1746 normally eight times the system poll interval,
1747 which starts out at the
1749 value specified in the
1750 .Ic manycastclient ,
1751 command and, under normal circumstances, increments to the
1753 value specified in this command.
1754 Initially, the TTL is
1755 set at the minimum hops specified by the ttl command.
1756 At each retransmission the TTL is increased until reaching
1757 the maximum hops specified by this command or a sufficient
1758 number client associations have been found.
1759 Further retransmissions use the same TTL.
1761 The quality and reliability of the suite of associations
1762 discovered by the manycast client is determined by the NTP
1763 mitigation algorithms and the
1767 values specified in the
1769 configuration command.
1772 candidate servers must be available and the mitigation
1773 algorithms produce at least
1775 survivors in order to synchronize the clock.
1776 Byzantine agreement principles require at least four
1777 candidates in order to correctly discard a single falseticker.
1778 For legacy purposes,
1783 For manycast service
1785 should be explicitly set to 4, assuming at least that
1786 number of servers are available.
1790 servers are found, the manycast poll interval is immediately
1795 servers are found when the TTL has reached the maximum hops,
1796 the manycast poll interval is doubled.
1797 For each transmission
1798 after that, the poll interval is doubled again until
1799 reaching the maximum of eight times
1801 Further transmissions use the same poll interval and
1803 Note that while all this is going on,
1804 each client/server association found is operating normally
1805 it the system poll interval.
1807 Administratively scoped multicast boundaries are normally
1808 specified by the network router configuration and,
1809 in the case of IPv6, the link/site scope prefix.
1810 By default, the increment for TTL hops is 32 starting
1811 from 31; however, the
1813 configuration command can be
1814 used to modify the values to match the scope rules.
1816 It is often useful to narrow the range of acceptable
1817 servers which can be found by manycast client associations.
1818 Because manycast servers respond only when the client
1819 stratum is equal to or greater than the server stratum,
1820 primary (stratum 1) servers fill find only primary servers
1821 in TTL range, which is probably the most common objective.
1822 However, unless configured otherwise, all manycast clients
1823 in TTL range will eventually find all primary servers
1824 in TTL range, which is probably not the most common
1825 objective in large networks.
1828 command can be used to modify this behavior.
1829 Servers with stratum below
1835 command are strongly discouraged during the selection
1836 process; however, these servers may be temporally
1837 accepted if the number of servers within TTL range is
1841 The above actions occur for each manycast client message,
1842 which repeats at the designated poll interval.
1843 However, once the ephemeral client association is mobilized,
1844 subsequent manycast server replies are discarded,
1845 since that would result in a duplicate association.
1846 If during a poll interval the number of client associations
1849 all manycast client prototype associations are reset
1850 to the initial poll interval and TTL hops and operation
1851 resumes from the beginning.
1852 It is important to avoid
1853 frequent manycast client messages, since each one requires
1854 all manycast servers in TTL range to respond.
1855 The result could well be an implosion, either minor or major,
1856 depending on the number of servers in range.
1857 The recommended value for
1861 It is possible and frequently useful to configure a host
1862 as both manycast client and manycast server.
1863 A number of hosts configured this way and sharing a common
1864 group address will automatically organize themselves
1865 in an optimum configuration based on stratum and
1866 synchronization distance.
1867 For example, consider an NTP
1868 subnet of two primary servers and a hundred or more
1870 With two exceptions, all servers
1871 and clients have identical configuration files including both
1875 commands using, for instance, multicast group address
1877 The only exception is that each primary server
1878 configuration file must include commands for the primary
1879 reference source such as a GPS receiver.
1881 The remaining configuration files for all secondary
1882 servers and clients have the same contents, except for the
1884 command, which is specific for each stratum level.
1885 For stratum 1 and stratum 2 servers, that command is
1887 For stratum 3 and above servers the
1889 value is set to the intended stratum number.
1890 Thus, all stratum 3 configuration files are identical,
1891 all stratum 4 files are identical and so forth.
1893 Once operations have stabilized in this scenario,
1894 the primary servers will find the primary reference source
1895 and each other, since they both operate at the same
1896 stratum (1), but not with any secondary server or client,
1897 since these operate at a higher stratum.
1899 servers will find the servers at the same stratum level.
1900 If one of the primary servers loses its GPS receiver,
1901 it will continue to operate as a client and other clients
1902 will time out the corresponding association and
1903 re-associate accordingly.
1905 Some administrators prefer to avoid running
1907 continuously and run either
1913 In either case the servers must be
1914 configured in advance and the program fails if none are
1915 available when the cron job runs.
1917 application of manycast is with
1920 The program wakes up, scans the local landscape looking
1921 for the usual suspects, selects the best from among
1922 the rascals, sets the clock and then departs.
1923 Servers do not have to be configured in advance and
1924 all clients throughout the network can have the same
1926 .Ss Manycast Interactions with Autokey
1927 Each time a manycast client sends a client mode packet
1928 to a multicast group address, all manycast servers
1929 in scope generate a reply including the host name
1931 The manycast clients then run
1932 the Autokey protocol, which collects and verifies
1933 all certificates involved.
1934 Following the burst interval
1935 all but three survivors are cast off,
1936 but the certificates remain in the local cache.
1937 It often happens that several complete signing trails
1938 from the client to the primary servers are collected in this way.
1940 About once an hour or less often if the poll interval
1941 exceeds this, the client regenerates the Autokey key list.
1942 This is in general transparent in client/server mode.
1943 However, about once per day the server private value
1944 used to generate cookies is refreshed along with all
1945 manycast client associations.
1947 cryptographic values including certificates is refreshed.
1948 If a new certificate has been generated since
1949 the last refresh epoch, it will automatically revoke
1950 all prior certificates that happen to be in the
1952 At the same time, the manycast
1953 scheme starts all over from the beginning and
1954 the expanding ring shrinks to the minimum and increments
1955 from there while collecting all servers in scope.
1956 .Ss Manycast Options
1957 .Bl -tag -width indent
1960 .Cm ceiling Ar ceiling |
1961 .Cm cohort { 0 | 1 } |
1962 .Cm floor Ar floor |
1963 .Cm minclock Ar minclock |
1964 .Cm minsane Ar minsane
1967 This command affects the clock selection and clustering
1969 It can be used to select the quality and
1970 quantity of peers used to synchronize the system clock
1971 and is most useful in manycast mode.
1972 The variables operate
1974 .Bl -tag -width indent
1975 .It Cm ceiling Ar ceiling
1976 Peers with strata above
1978 will be discarded if there are at least
1981 This value defaults to 15, but can be changed
1982 to any number from 1 to 15.
1983 .It Cm cohort Bro 0 | 1 Brc
1984 This is a binary flag which enables (0) or disables (1)
1985 manycast server replies to manycast clients with the same
1987 This is useful to reduce implosions where
1988 large numbers of clients with the same stratum level
1990 The default is to enable these replies.
1991 .It Cm floor Ar floor
1992 Peers with strata below
1994 will be discarded if there are at least
1997 This value defaults to 1, but can be changed
1998 to any number from 1 to 15.
1999 .It Cm minclock Ar minclock
2000 The clustering algorithm repeatedly casts out outlier
2001 associations until no more than
2003 associations remain.
2004 This value defaults to 3,
2005 but can be changed to any number from 1 to the number of
2007 .It Cm minsane Ar minsane
2008 This is the minimum number of candidates available
2009 to the clock selection algorithm in order to produce
2010 one or more truechimers for the clustering algorithm.
2011 If fewer than this number are available, the clock is
2012 undisciplined and allowed to run free.
2014 for legacy purposes.
2015 However, according to principles of
2016 Byzantine agreement,
2018 should be at least 4 in order to detect and discard
2019 a single falseticker.
2021 .It Cm ttl Ar hop ...
2022 This command specifies a list of TTL values in increasing
2023 order, up to 8 values can be specified.
2024 In manycast mode these values are used in turn
2025 in an expanding-ring search.
2026 The default is eight
2027 multiples of 32 starting at 31.
2029 .Sh Reference Clock Support
2030 The NTP Version 4 daemon supports some three dozen different radio,
2031 satellite and modem reference clocks plus a special pseudo-clock
2032 used for backup or when no other clock source is available.
2033 Detailed descriptions of individual device drivers and options can
2035 .Qq Reference Clock Drivers
2037 (available as part of the HTML documentation
2039 .Pa /usr/share/doc/ntp ) .
2040 Additional information can be found in the pages linked
2041 there, including the
2042 .Qq Debugging Hints for Reference Clock Drivers
2044 .Qq How To Write a Reference Clock Driver
2046 (available as part of the HTML documentation
2048 .Pa /usr/share/doc/ntp ) .
2049 In addition, support for a PPS
2050 signal is available as described in the
2051 .Qq Pulse-per-second (PPS) Signal Interfacing
2053 (available as part of the HTML documentation
2055 .Pa /usr/share/doc/ntp ) .
2057 drivers support special line discipline/streams modules which can
2058 significantly improve the accuracy using the driver.
2061 .Qq Line Disciplines and Streams Drivers
2063 (available as part of the HTML documentation
2065 .Pa /usr/share/doc/ntp ) .
2067 A reference clock will generally (though not always) be a radio
2068 timecode receiver which is synchronized to a source of standard
2069 time such as the services offered by the NRC in Canada and NIST and
2071 The interface between the computer and the timecode
2072 receiver is device dependent, but is usually a serial port.
2074 device driver specific to each reference clock must be selected and
2075 compiled in the distribution; however, most common radio, satellite
2076 and modem clocks are included by default.
2077 Note that an attempt to
2078 configure a reference clock when the driver has not been compiled
2079 or the hardware port has not been appropriately configured results
2080 in a scalding remark to the system log file, but is otherwise non
2083 For the purposes of configuration,
2086 reference clocks in a manner analogous to normal NTP peers as much
2088 Reference clocks are identified by a syntactically
2089 correct but invalid IP address, in order to distinguish them from
2091 Reference clock addresses are of the form
2093 .Li 127.127. Ar t . Ar u ,
2098 denoting the clock type and
2101 number in the range 0-3.
2102 While it may seem overkill, it is in fact
2103 sometimes useful to configure multiple reference clocks of the same
2104 type, in which case the unit numbers must be unique.
2108 command is used to configure a reference
2111 argument in that command
2112 is the clock address.
2118 options are not used for reference clock support.
2121 option is added for reference clock support, as
2125 option can be useful to
2126 persuade the server to cherish a reference clock with somewhat more
2127 enthusiasm than other reference clocks or peers.
2129 information on this option can be found in the
2130 .Qq Mitigation Rules and the prefer Keyword
2131 (available as part of the HTML documentation
2133 .Pa /usr/share/doc/ntp )
2140 meaning only for selected clock drivers.
2141 See the individual clock
2142 driver document pages for additional information.
2146 command is used to provide additional
2147 information for individual clock drivers and normally follows
2148 immediately after the
2153 argument specifies the clock address.
2158 options can be used to
2159 override the defaults for the device.
2160 There are two optional
2161 device-dependent time offsets and four flags that can be included
2166 The stratum number of a reference clock is by default zero.
2169 daemon adds one to the stratum of each
2170 peer, a primary server ordinarily displays an external stratum of
2172 In order to provide engineered backups, it is often useful to
2173 specify the reference clock stratum as greater than zero.
2176 option is used for this purpose.
2178 involving both a reference clock and a pulse-per-second (PPS)
2179 discipline signal, it is useful to specify the reference clock
2180 identifier as other than the default, depending on the driver.
2183 option is used for this purpose.
2185 these options apply to all clock drivers.
2186 .Ss Reference Clock Commands
2187 .Bl -tag -width indent
2190 .Li 127.127. Ar t . Ar u
2194 .Op Cm minpoll Ar int
2195 .Op Cm maxpoll Ar int
2197 This command can be used to configure reference clocks in
2199 The options are interpreted as follows:
2200 .Bl -tag -width indent
2202 Marks the reference clock as preferred.
2203 All other things being
2204 equal, this host will be chosen for synchronization among a set of
2205 correctly operating hosts.
2207 .Qq Mitigation Rules and the prefer Keyword
2209 (available as part of the HTML documentation
2211 .Pa /usr/share/doc/ntp )
2212 for further information.
2214 Specifies a mode number which is interpreted in a
2215 device-specific fashion.
2216 For instance, it selects a dialing
2217 protocol in the ACTS driver and a device subtype in the
2220 .It Cm minpoll Ar int
2221 .It Cm maxpoll Ar int
2222 These options specify the minimum and maximum polling interval
2223 for reference clock messages, as a power of 2 in seconds
2225 most directly connected reference clocks, both
2229 default to 6 (64 s).
2230 For modem reference clocks,
2232 defaults to 10 (17.1 m) and
2234 defaults to 14 (4.5 h).
2235 The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
2239 .Li 127.127. Ar t . Ar u
2243 .Op Cm stratum Ar int
2244 .Op Cm refid Ar string
2246 .Op Cm flag1 Cm 0 \&| Cm 1
2247 .Op Cm flag2 Cm 0 \&| Cm 1
2248 .Op Cm flag3 Cm 0 \&| Cm 1
2249 .Op Cm flag4 Cm 0 \&| Cm 1
2251 This command can be used to configure reference clocks in
2253 It must immediately follow the
2255 command which configures the driver.
2256 Note that the same capability
2257 is possible at run time using the
2258 .Xr ntpdc 1ntpdcmdoc
2260 The options are interpreted as
2262 .Bl -tag -width indent
2264 Specifies a constant to be added to the time offset produced by
2265 the driver, a fixed-point decimal number in seconds.
2267 as a calibration constant to adjust the nominal time offset of a
2268 particular clock to agree with an external standard, such as a
2269 precision PPS signal.
2270 It also provides a way to correct a
2271 systematic error or bias due to serial port or operating system
2272 latencies, different cable lengths or receiver internal delay.
2274 specified offset is in addition to the propagation delay provided
2275 by other means, such as internal DIPswitches.
2277 for an individual system and driver is available, an approximate
2278 correction is noted in the driver documentation pages.
2279 Note: in order to facilitate calibration when more than one
2280 radio clock or PPS signal is supported, a special calibration
2281 feature is available.
2282 It takes the form of an argument to the
2284 command described in
2285 .Sx Miscellaneous Options
2286 page and operates as described in the
2287 .Qq Reference Clock Drivers
2289 (available as part of the HTML documentation
2291 .Pa /usr/share/doc/ntp ) .
2292 .It Cm time2 Ar secs
2293 Specifies a fixed-point decimal number in seconds, which is
2294 interpreted in a driver-dependent way.
2295 See the descriptions of
2296 specific drivers in the
2297 .Qq Reference Clock Drivers
2299 (available as part of the HTML documentation
2301 .Pa /usr/share/doc/ntp ) .
2302 .It Cm stratum Ar int
2303 Specifies the stratum number assigned to the driver, an integer
2305 This number overrides the default stratum number
2306 ordinarily assigned by the driver itself, usually zero.
2307 .It Cm refid Ar string
2308 Specifies an ASCII string of from one to four characters which
2309 defines the reference identifier used by the driver.
2311 overrides the default identifier ordinarily assigned by the driver
2314 Specifies a mode number which is interpreted in a
2315 device-specific fashion.
2316 For instance, it selects a dialing
2317 protocol in the ACTS driver and a device subtype in the
2320 .It Cm flag1 Cm 0 \&| Cm 1
2321 .It Cm flag2 Cm 0 \&| Cm 1
2322 .It Cm flag3 Cm 0 \&| Cm 1
2323 .It Cm flag4 Cm 0 \&| Cm 1
2324 These four flags are used for customizing the clock driver.
2326 interpretation of these values, and whether they are used at all,
2327 is a function of the particular clock driver.
2331 is used to enable recording monitoring
2334 file configured with the
2337 Further information on the
2339 command can be found in
2340 .Sx Monitoring Options .
2343 .Sh Miscellaneous Options
2344 .Bl -tag -width indent
2345 .It Ic broadcastdelay Ar seconds
2346 The broadcast and multicast modes require a special calibration
2347 to determine the network delay between the local and remote
2349 Ordinarily, this is done automatically by the initial
2350 protocol exchanges between the client and server.
2352 the calibration procedure may fail due to network or server access
2353 controls, for example.
2354 This command specifies the default delay to
2355 be used under these circumstances.
2356 Typically (for Ethernet), a
2357 number between 0.003 and 0.007 seconds is appropriate.
2359 when this command is not used is 0.004 seconds.
2360 .It Ic calldelay Ar delay
2361 This option controls the delay in seconds between the first and second
2362 packets sent in burst or iburst mode to allow additional time for a modem
2363 or ISDN call to complete.
2364 .It Ic driftfile Ar driftfile
2365 This command specifies the complete path and name of the file used to
2366 record the frequency of the local clock oscillator.
2370 command line option.
2371 If the file exists, it is read at
2372 startup in order to set the initial frequency and then updated once per
2373 hour with the current frequency computed by the daemon.
2375 specified, but the file itself does not exist, the starts with an initial
2376 frequency of zero and creates the file when writing it for the first time.
2377 If this command is not given, the daemon will always start with an initial
2380 The file format consists of a single line containing a single
2381 floating point number, which records the frequency offset measured
2382 in parts-per-million (PPM).
2383 The file is updated by first writing
2384 the current drift value into a temporary file and then renaming
2385 this file to replace the old version.
2388 must have write permission for the directory the
2389 drift file is located in, and that file system links, symbolic or
2390 otherwise, should be avoided.
2391 .It Ic dscp Ar value
2392 This option specifies the Differentiated Services Control Point (DSCP) value,
2393 a 6-bit code. The default value is 46, signifying Expedited Forwarding.
2396 .Cm auth | Cm bclient |
2397 .Cm calibrate | Cm kernel |
2398 .Cm mode7 | Cm monitor |
2399 .Cm ntp | Cm stats |
2400 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
2405 .Cm auth | Cm bclient |
2406 .Cm calibrate | Cm kernel |
2407 .Cm mode7 | Cm monitor |
2408 .Cm ntp | Cm stats |
2409 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
2412 Provides a way to enable or disable various server options.
2413 Flags not mentioned are unaffected.
2414 Note that all of these flags
2415 can be controlled remotely using the
2416 .Xr ntpdc 1ntpdcmdoc
2418 .Bl -tag -width indent
2420 Enables the server to synchronize with unconfigured peers only if the
2421 peer has been correctly authenticated using either public key or
2422 private key cryptography.
2423 The default for this flag is
2426 Enables the server to listen for a message from a broadcast or
2427 multicast server, as in the
2429 command with default
2431 The default for this flag is
2434 Enables the calibrate feature for reference clocks.
2439 Enables the kernel time discipline, if available.
2440 The default for this
2443 if support is available, otherwise
2446 Enables processing of NTP mode 7 implementation-specific requests
2447 which are used by the deprecated
2448 .Xr ntpdc 1ntpdcmdoc
2450 The default for this flag is disable.
2451 This flag is excluded from runtime configuration using
2452 .Xr ntpq 1ntpqmdoc .
2455 program provides the same capabilities as
2456 .Xr ntpdc 1ntpdcmdoc
2457 using standard mode 6 requests.
2459 Enables the monitoring facility.
2461 .Xr ntpdc 1ntpdcmdoc
2465 command or further information.
2467 default for this flag is
2470 Enables time and frequency discipline.
2471 In effect, this switch opens and
2472 closes the feedback loop, which is useful for testing.
2477 Enables the statistics facility.
2479 .Sx Monitoring Options
2480 section for further information.
2481 The default for this flag is
2483 .It Cm unpeer_crypto_early
2486 receives an autokey packet that fails TEST9,
2488 the association is immediately cleared.
2489 This is almost certainly a feature,
2490 but if, in spite of the current recommendation of not using autokey,
2495 you are seeing this sort of DoS attack
2496 disabling this flag will delay
2497 tearing down the association until the reachability counter
2501 file for evidence of any of these attacks.
2503 default for this flag is
2505 .It Cm unpeer_crypto_nak_early
2508 receives a crypto-NAK packet that
2509 passes the duplicate packet and origin timestamp checks
2510 the association is immediately cleared.
2511 While this is generally a feature
2512 as it allows for quick recovery if a server key has changed,
2513 a properly forged and appropriately delivered crypto-NAK packet
2514 can be used in a DoS attack.
2515 If you have active noticable problems with this type of DoS attack
2516 then you should consider
2517 disabling this option.
2520 file for evidence of any of these attacks.
2522 default for this flag is
2524 .It Cm unpeer_digest_early
2527 receives what should be an authenticated packet
2528 that passes other packet sanity checks but
2529 contains an invalid digest
2530 the association is immediately cleared.
2531 While this is generally a feature
2532 as it allows for quick recovery,
2533 if this type of packet is carefully forged and sent
2534 during an appropriate window it can be used for a DoS attack.
2535 If you have active noticable problems with this type of DoS attack
2536 then you should consider
2537 disabling this option.
2540 file for evidence of any of these attacks.
2542 default for this flag is
2545 .It Ic includefile Ar includefile
2546 This command allows additional configuration commands
2547 to be included from a separate file.
2549 be nested to a depth of five; upon reaching the end of any
2550 include file, command processing resumes in the previous
2552 This option is useful for sites that run
2554 on multiple hosts, with (mostly) common options (e.g., a
2556 .It Ic leapsmearinterval Ar seconds
2557 This EXPERIMENTAL option is only available if
2560 .Cm --enable-leap-smear
2564 It specifies the interval over which a leap second correction will be applied.
2565 Recommended values for this option are between
2566 7200 (2 hours) and 86400 (24 hours).
2567 .Sy DO NOT USE THIS OPTION ON PUBLIC-ACCESS SERVERS!
2568 See http://bugs.ntp.org/2855 for more information.
2569 .It Ic logconfig Ar configkeyword
2570 This command controls the amount and type of output written to
2573 facility or the alternate
2576 By default, all output is turned on.
2579 keywords can be prefixed with
2595 messages can be controlled in four
2604 Within these classes four types of messages can be
2605 controlled: informational messages
2623 Configuration keywords are formed by concatenating the message class with
2627 prefix can be used instead of a message class.
2629 message class may also be followed by the
2631 keyword to enable/disable all
2632 messages of the respective message class.Thus, a minimal log configuration
2633 could look like this:
2635 logconfig =syncstatus +sysevents
2638 This would just list the synchronizations state of
2640 and the major system events.
2641 For a simple reference server, the
2642 following minimum message configuration could be useful:
2644 logconfig =syncall +clockall
2647 This configuration will list all clock information and
2648 synchronization information.
2649 All other events and messages about
2650 peers, system events and so on is suppressed.
2651 .It Ic logfile Ar logfile
2652 This command specifies the location of an alternate log file to
2653 be used instead of the default system
2656 This is the same operation as the -l command line option.
2657 .It Ic setvar Ar variable Op Cm default
2658 This command adds an additional system variable.
2660 variables can be used to distribute additional information such as
2662 If the variable of the form
2669 variable will be listed as part of the default system variables
2675 These additional variables serve
2676 informational purposes only.
2677 They are not related to the protocol
2678 other that they can be listed.
2679 The known protocol variables will
2680 always override any variables defined via the
2683 There are three special variables that contain the names
2684 of all variable of the same group.
2688 the names of all system variables.
2692 the names of all peer variables and the
2694 holds the names of the reference clock variables.
2697 .Cm allan Ar allan |
2698 .Cm dispersion Ar dispersion |
2700 .Cm huffpuff Ar huffpuff |
2701 .Cm panic Ar panic |
2703 .Cm stepback Ar stepback |
2704 .Cm stepfwd Ar stepfwd |
2705 .Cm stepout Ar stepout
2708 This command can be used to alter several system variables in
2709 very exceptional circumstances.
2710 It should occur in the
2711 configuration file before any other configuration options.
2713 default values of these variables have been carefully optimized for
2714 a wide range of network speeds and reliability expectations.
2716 general, they interact in intricate ways that are hard to predict
2717 and some combinations can result in some very nasty behavior.
2719 rarely is it necessary to change the default values; but, some
2720 folks cannot resist twisting the knobs anyway and this command is
2722 Emphasis added: twisters are on their own and can expect
2723 no help from the support group.
2725 The variables operate as follows:
2726 .Bl -tag -width indent
2727 .It Cm allan Ar allan
2728 The argument becomes the new value for the minimum Allan
2729 intercept, which is a parameter of the PLL/FLL clock discipline
2731 The value in log2 seconds defaults to 7 (1024 s), which is also the lower
2733 .It Cm dispersion Ar dispersion
2734 The argument becomes the new value for the dispersion increase rate,
2735 normally .000015 s/s.
2737 The argument becomes the initial value of the frequency offset in
2739 This overrides the value in the frequency file, if
2740 present, and avoids the initial training state if it is not.
2741 .It Cm huffpuff Ar huffpuff
2742 The argument becomes the new value for the experimental
2743 huff-n'-puff filter span, which determines the most recent interval
2744 the algorithm will search for a minimum delay.
2746 900 s (15 m), but a more reasonable value is 7200 (2 hours).
2748 is no default, since the filter is not enabled unless this command
2750 .It Cm panic Ar panic
2751 The argument is the panic threshold, normally 1000 s.
2753 the panic sanity check is disabled and a clock offset of any value will
2756 The argument is the step threshold, which by default is 0.128 s.
2758 be set to any positive number in seconds.
2759 If set to zero, step
2760 adjustments will never occur.
2761 Note: The kernel time discipline is
2762 disabled if the step threshold is set to zero or greater than the
2764 .It Cm stepback Ar stepback
2765 The argument is the step threshold for the backward direction,
2766 which by default is 0.128 s.
2768 be set to any positive number in seconds.
2769 If both the forward and backward step thresholds are set to zero, step
2770 adjustments will never occur.
2771 Note: The kernel time discipline is
2773 each direction of step threshold are either
2774 set to zero or greater than .5 second.
2775 .It Cm stepfwd Ar stepfwd
2776 As for stepback, but for the forward direction.
2777 .It Cm stepout Ar stepout
2778 The argument is the stepout timeout, which by default is 900 s.
2780 be set to any positive number in seconds.
2781 If set to zero, the stepout
2782 pulses will not be suppressed.
2786 .Cm memlock Ar Nmegabytes |
2787 .Cm stacksize Ar N4kPages
2788 .Cm filenum Ar Nfiledescriptors
2791 .Bl -tag -width indent
2792 .It Cm memlock Ar Nmegabytes
2793 Specify the number of megabytes of memory that should be
2794 allocated and locked.
2795 Probably only available under Linux, this option may be useful
2796 when dropping root (the
2799 The default is 32 megabytes on non-Linux machines, and -1 under Linux.
2800 -1 means "do not lock the process into memory".
2801 0 means "lock whatever memory the process wants into memory".
2802 .It Cm stacksize Ar N4kPages
2803 Specifies the maximum size of the process stack on systems with the
2806 Defaults to 50 4k pages (200 4k pages in OpenBSD).
2807 .It Cm filenum Ar Nfiledescriptors
2808 Specifies the maximum number of file descriptors ntpd may have open at once. Defaults to the system default.
2810 .It Xo Ic trap Ar host_address
2811 .Op Cm port Ar port_number
2812 .Op Cm interface Ar interface_address
2814 This command configures a trap receiver at the given host
2815 address and port number for sending messages with the specified
2816 local interface address.
2817 If the port number is unspecified, a value
2819 If the interface address is not specified, the
2820 message is sent with a source address of the local interface the
2821 message is sent through.
2822 Note that on a multihomed host the
2823 interface used may vary from time to time with routing changes.
2825 The trap receiver will generally log event messages and other
2826 information from the server in a log file.
2828 programs may also request their own trap dynamically, configuring a
2829 trap receiver will ensure that no messages are lost when the server
2832 This command specifies a list of TTL values in increasing order, up to 8
2833 values can be specified.
2834 In manycast mode these values are used in turn in
2835 an expanding-ring search.
2836 The default is eight multiples of 32 starting at
2839 _END_PROG_MDOC_DESCRIP;
2845 ds-text = <<- _END_MDOC_FILES
2846 .Bl -tag -width /etc/ntp.drift -compact
2847 .It Pa /etc/ntp.conf
2848 the default name of the configuration file
2853 .It Pa ntpkey_ Ns Ar host
2856 Diffie-Hellman agreement parameters
2862 ds-type = 'SEE ALSO';
2864 ds-text = <<- _END_MDOC_SEE_ALSO
2865 .Xr ntpd 1ntpdmdoc ,
2866 .Xr ntpdc 1ntpdcmdoc ,
2869 In addition to the manual pages provided,
2870 comprehensive documentation is available on the world wide web
2872 .Li http://www.ntp.org/ .
2873 A snapshot of this documentation is available in HTML format in
2874 .Pa /usr/share/doc/ntp .
2877 .%T Network Time Protocol (Version 4)
2886 ds-text = <<- _END_MDOC_BUGS
2887 The syntax checking is not picky; some combinations of
2888 ridiculous and even hilarious options and modes may not be
2892 .Pa ntpkey_ Ns Ar host
2893 files are really digital
2895 These should be obtained via secure directory
2896 services when they become universally available.
2903 ds-text = <<- _END_MDOC_NOTES
2904 This document was derived from FreeBSD.