2 .Dt NTP_CONF 5 File Formats
4 .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
6 .\" It has been AutoGen-ed January 20, 2016 at 04:18:07 AM by AutoGen 5.18.5
7 .\" From the definitions ntp.conf.def
8 .\" and the template file agmdoc-cmd.tpl
11 .Nd Network Time Protocol (NTP) daemon configuration file format
15 .Op Fl \-option\-name Ar value
17 All arguments must be options.
22 configuration file is read at initial startup by the
24 daemon in order to specify the synchronization sources,
25 modes and other related information.
26 Usually, it is installed in the
29 but could be installed elsewhere
34 The file format is similar to other
39 character and extend to the end of the line;
40 blank lines are ignored.
41 Configuration commands consist of an initial keyword
42 followed by a list of arguments,
43 some of which may be optional, separated by whitespace.
44 Commands may not be continued over multiple lines.
45 Arguments may be host names,
46 host addresses written in numeric, dotted\-quad form,
47 integers, floating point numbers (when specifying times in seconds)
50 The rest of this page describes the configuration and control options.
52 .Qq Notes on Configuring NTP and Setting up an NTP Subnet
54 (available as part of the HTML documentation
56 .Pa /usr/share/doc/ntp )
57 contains an extended discussion of these options.
58 In addition to the discussion of general
59 .Sx Configuration Options ,
60 there are sections describing the following supported functionality
61 and the options used to control it:
62 .Bl -bullet -offset indent
64 .Sx Authentication Support
66 .Sx Monitoring Support
68 .Sx Access Control Support
70 .Sx Automatic NTP Configuration Options
72 .Sx Reference Clock Support
74 .Sx Miscellaneous Options
77 Following these is a section describing
78 .Sx Miscellaneous Options .
79 While there is a rich set of options available,
80 the only required option is one or more
88 .Sh Configuration Support
89 Following is a description of the configuration commands in
91 These commands have the same basic functions as in NTPv3 and
92 in some cases new functions and new arguments.
94 classes of commands, configuration commands that configure a
95 persistent association with a remote server or peer or reference
96 clock, and auxiliary commands that specify environmental variables
97 that control various related operations.
98 .Ss Configuration Commands
99 The various modes are determined by the command keyword and the
100 type of the required IP address.
101 Addresses are classed by type as
102 (s) a remote server or peer (IPv4 class A, B and C), (b) the
103 broadcast address of a local interface, (m) a multicast address (IPv4
104 class D), or (r) a reference clock address (127.127.x.x).
106 only those options applicable to each command are listed below.
108 of options not listed may not be caught as an error, but may result
109 in some weird and even destructive behavior.
111 If the Basic Socket Interface Extensions for IPv6 (RFC\-2553)
112 is detected, support for the IPv6 address family is generated
113 in addition to the default support of the IPv4 address family.
114 In a few cases, including the reslist billboard generated
115 by ntpdc, IPv6 addresses are automatically generated.
116 IPv6 addresses can be identified by the presence of colons
118 in the address field.
119 IPv6 addresses can be used almost everywhere where
120 IPv4 addresses can be used,
121 with the exception of reference clock addresses,
122 which are always IPv4.
124 Note that in contexts where a host name is expected, a
127 the host name forces DNS resolution to the IPv4 namespace,
130 qualifier forces DNS resolution to the IPv6 namespace.
131 See IPv6 references for the
132 equivalent classes for that address family.
133 .Bl -tag -width indent
134 .It Xo Ic pool Ar address
137 .Op Cm version Ar version
139 .Op Cm minpoll Ar minpoll
140 .Op Cm maxpoll Ar maxpoll
142 .It Xo Ic server Ar address
143 .Op Cm key Ar key \&| Cm autokey
146 .Op Cm version Ar version
148 .Op Cm minpoll Ar minpoll
149 .Op Cm maxpoll Ar maxpoll
151 .It Xo Ic peer Ar address
152 .Op Cm key Ar key \&| Cm autokey
153 .Op Cm version Ar version
155 .Op Cm minpoll Ar minpoll
156 .Op Cm maxpoll Ar maxpoll
158 .It Xo Ic broadcast Ar address
159 .Op Cm key Ar key \&| Cm autokey
160 .Op Cm version Ar version
162 .Op Cm minpoll Ar minpoll
165 .It Xo Ic manycastclient Ar address
166 .Op Cm key Ar key \&| Cm autokey
167 .Op Cm version Ar version
169 .Op Cm minpoll Ar minpoll
170 .Op Cm maxpoll Ar maxpoll
175 These five commands specify the time server name or address to
176 be used and the mode in which to operate.
180 either a DNS name or an IP address in dotted\-quad notation.
181 Additional information on association behavior can be found in the
182 .Qq Association Management
184 (available as part of the HTML documentation
186 .Pa /usr/share/doc/ntp ) .
187 .Bl -tag -width indent
189 For type s addresses, this command mobilizes a persistent
190 client mode association with a number of remote servers.
191 In this mode the local clock can synchronized to the
192 remote server, but the remote server can never be synchronized to
195 For type s and r addresses, this command mobilizes a persistent
196 client mode association with the specified remote server or local
198 In this mode the local clock can synchronized to the
199 remote server, but the remote server can never be synchronized to
206 For type s addresses (only), this command mobilizes a
207 persistent symmetric\-active mode association with the specified
209 In this mode the local clock can be synchronized to
210 the remote peer or the remote peer can be synchronized to the local
212 This is useful in a network of servers where, depending on
213 various failure scenarios, either the local or remote peer may be
214 the better source of time.
215 This command should NOT be used for type
218 For type b and m addresses (only), this
219 command mobilizes a persistent broadcast mode association.
221 commands can be used to specify multiple local broadcast interfaces
222 (subnets) and/or multiple multicast groups.
224 broadcast messages go only to the interface associated with the
225 subnet specified, but multicast messages go to all interfaces.
226 In broadcast mode the local server sends periodic broadcast
227 messages to a client population at the
229 specified, which is usually the broadcast address on (one of) the
230 local network(s) or a multicast address assigned to NTP.
232 has assigned the multicast group address IPv4 224.0.1.1 and
233 IPv6 ff05::101 (site local) exclusively to
234 NTP, but other nonconflicting addresses can be used to contain the
235 messages within administrative boundaries.
237 specification applies only to the local server operating as a
238 sender; for operation as a broadcast client, see the
244 .It Ic manycastclient
245 For type m addresses (only), this command mobilizes a
246 manycast client mode association for the multicast address
248 In this case a specific address must be supplied which
249 matches the address used on the
252 the designated manycast servers.
253 The NTP multicast address
254 224.0.1.1 assigned by the IANA should NOT be used, unless specific
255 means are taken to avoid spraying large areas of the Internet with
256 these messages and causing a possibly massive implosion of replies
260 command specifies that the local server
261 is to operate in client mode with the remote servers that are
262 discovered as the result of broadcast/multicast messages.
264 client broadcasts a request message to the group address associated
267 and specifically enabled
268 servers respond to these messages.
269 The client selects the servers
270 providing the best time and continues as with the
273 The remaining servers are discarded as if never
278 .Bl -tag -width indent
280 All packets sent to and received from the server or peer are to
281 include authentication fields encrypted using the autokey scheme
283 .Sx Authentication Options .
285 when the server is reachable, send a burst of eight packets
286 instead of the usual one.
287 The packet spacing is normally 2 s;
288 however, the spacing between the first and second packets
289 can be changed with the calldelay command to allow
290 additional time for a modem or ISDN call to complete.
291 This is designed to improve timekeeping quality
294 command and s addresses.
296 When the server is unreachable, send a burst of eight packets
297 instead of the usual one.
298 The packet spacing is normally 2 s;
299 however, the spacing between the first two packets can be
300 changed with the calldelay command to allow
301 additional time for a modem or ISDN call to complete.
302 This is designed to speed the initial synchronization
305 command and s addresses and when
311 All packets sent to and received from the server or peer are to
312 include authentication fields encrypted using the specified
314 identifier with values from 1 to 65534, inclusive.
316 default is to include no encryption field.
317 .It Cm minpoll Ar minpoll
318 .It Cm maxpoll Ar maxpoll
319 These options specify the minimum and maximum poll intervals
320 for NTP messages, as a power of 2 in seconds
322 interval defaults to 10 (1,024 s), but can be increased by the
324 option to an upper limit of 17 (36.4 h).
326 minimum poll interval defaults to 6 (64 s), but can be decreased by
329 option to a lower limit of 4 (16 s).
331 Marks the server as unused, except for display purposes.
332 The server is discarded by the selection algroithm.
334 Marks the server as preferred.
335 All other things being equal,
336 this host will be chosen for synchronization among a set of
337 correctly operating hosts.
339 .Qq Mitigation Rules and the prefer Keyword
341 (available as part of the HTML documentation
343 .Pa /usr/share/doc/ntp )
344 for further information.
346 This option is used only with broadcast server and manycast
348 It specifies the time\-to\-live
351 use on broadcast server and multicast server and the maximum
353 for the expanding ring search with manycast
355 Selection of the proper value, which defaults to
356 127, is something of a black art and should be coordinated with the
357 network administrator.
358 .It Cm version Ar version
359 Specifies the version number to be used for outgoing NTP
361 Versions 1\-4 are the choices, with version 4 the
364 .Ss Auxiliary Commands
365 .Bl -tag -width indent
366 .It Ic broadcastclient
367 This command enables reception of broadcast server messages to
368 any local interface (type b) address.
369 Upon receiving a message for
370 the first time, the broadcast client measures the nominal server
371 propagation delay using a brief client/server exchange with the
372 server, then enters the broadcast client mode, in which it
373 synchronizes to succeeding broadcast messages.
375 to avoid accidental or malicious disruption in this mode, both the
376 server and client should operate using symmetric\-key or public\-key
377 authentication as described in
378 .Sx Authentication Options .
379 .It Ic manycastserver Ar address ...
380 This command enables reception of manycast client messages to
381 the multicast group address(es) (type m) specified.
383 address is required, but the NTP multicast address 224.0.1.1
384 assigned by the IANA should NOT be used, unless specific means are
385 taken to limit the span of the reply and avoid a possibly massive
386 implosion at the original sender.
387 Note that, in order to avoid
388 accidental or malicious disruption in this mode, both the server
389 and client should operate using symmetric\-key or public\-key
390 authentication as described in
391 .Sx Authentication Options .
392 .It Ic multicastclient Ar address ...
393 This command enables reception of multicast server messages to
394 the multicast group address(es) (type m) specified.
396 a message for the first time, the multicast client measures the
397 nominal server propagation delay using a brief client/server
398 exchange with the server, then enters the broadcast client mode, in
399 which it synchronizes to succeeding multicast messages.
401 in order to avoid accidental or malicious disruption in this mode,
402 both the server and client should operate using symmetric\-key or
403 public\-key authentication as described in
404 .Sx Authentication Options .
405 .It Ic mdnstries Ar number
406 If we are participating in mDNS,
407 after we have synched for the first time
408 we attempt to register with the mDNS system.
409 If that registration attempt fails,
410 we try again at one minute intervals for up to
415 may be starting before mDNS.
416 The default value for
420 .Sh Authentication Support
421 Authentication support allows the NTP client to verify that the
422 server is in fact known and trusted and not an intruder intending
423 accidentally or on purpose to masquerade as that server.
425 specification RFC\-1305 defines a scheme which provides
426 cryptographic authentication of received NTP packets.
428 this was done using the Data Encryption Standard (DES) algorithm
429 operating in Cipher Block Chaining (CBC) mode, commonly called
431 Subsequently, this was replaced by the RSA Message Digest
432 5 (MD5) algorithm using a private key, commonly called keyed\-MD5.
433 Either algorithm computes a message digest, or one\-way hash, which
434 can be used to verify the server has the correct private key and
437 NTPv4 retains the NTPv3 scheme, properly described as symmetric key
438 cryptography and, in addition, provides a new Autokey scheme
439 based on public key cryptography.
440 Public key cryptography is generally considered more secure
441 than symmetric key cryptography, since the security is based
442 on a private value which is generated by each server and
444 With Autokey all key distribution and
445 management functions involve only public values, which
446 considerably simplifies key distribution and storage.
447 Public key management is based on X.509 certificates,
448 which can be provided by commercial services or
449 produced by utility programs in the OpenSSL software library
450 or the NTPv4 distribution.
452 While the algorithms for symmetric key cryptography are
453 included in the NTPv4 distribution, public key cryptography
454 requires the OpenSSL software library to be installed
455 before building the NTP distribution.
456 Directions for doing that
457 are on the Building and Installing the Distribution page.
459 Authentication is configured separately for each association
470 configuration commands as described in
471 .Sx Configuration Options
474 options described below specify the locations of the key files,
475 if other than default, which symmetric keys are trusted
476 and the interval between various operations, if other than default.
478 Authentication is always enabled,
479 although ineffective if not configured as
481 If a NTP packet arrives
482 including a message authentication
483 code (MAC), it is accepted only if it
484 passes all cryptographic checks.
486 checks require correct key ID, key value
489 been modified in any way or replayed
490 by an intruder, it will fail one or more
491 of these checks and be discarded.
492 Furthermore, the Autokey scheme requires a
493 preliminary protocol exchange to obtain
494 the server certificate, verify its
495 credentials and initialize the protocol
499 flag controls whether new associations or
500 remote configuration commands require cryptographic authentication.
501 This flag can be set or reset by the
505 commands and also by remote
506 configuration commands sent by a
510 If this flag is enabled, which is the default
511 case, new broadcast client and symmetric passive associations and
512 remote configuration commands must be cryptographically
513 authenticated using either symmetric key or public key cryptography.
515 flag is disabled, these operations are effective
516 even if not cryptographic
518 It should be understood
519 that operating with the
521 flag disabled invites a significant vulnerability
522 where a rogue hacker can
523 masquerade as a falseticker and seriously
524 disrupt system timekeeping.
526 important to note that this flag has no purpose
527 other than to allow or disallow
528 a new association in response to new broadcast
529 and symmetric active messages
530 and remote configuration commands and, in particular,
531 the flag has no effect on
532 the authentication process itself.
534 An attractive alternative where multicast support is available
535 is manycast mode, in which clients periodically troll
536 for servers as described in the
537 .Sx Automatic NTP Configuration Options
539 Either symmetric key or public key
540 cryptographic authentication can be used in this mode.
541 The principle advantage
542 of manycast mode is that potential servers need not be
543 configured in advance,
544 since the client finds them during regular operation,
545 and the configuration
546 files for all clients can be identical.
548 The security model and protocol schemes for
549 both symmetric key and public key
550 cryptography are summarized below;
551 further details are in the briefings, papers
552 and reports at the NTP project page linked from
553 .Li http://www.ntp.org/ .
554 .Ss Symmetric\-Key Cryptography
555 The original RFC\-1305 specification allows any one of possibly
556 65,534 keys, each distinguished by a 32\-bit key identifier, to
557 authenticate an association.
558 The servers and clients involved must
559 agree on the key and key identifier to
560 authenticate NTP packets.
562 related information are specified in a key
565 which must be distributed and stored using
566 secure means beyond the scope of the NTP protocol itself.
567 Besides the keys used
568 for ordinary NTP associations,
569 additional keys can be used as passwords for the
577 is first started, it reads the key file specified in the
579 configuration command and installs the keys
582 individual keys must be activated with the
586 allows, for instance, the installation of possibly
587 several batches of keys and
588 then activating or deactivating each batch
590 .Xr ntpdc @NTPDC_MS@ .
591 This also provides a revocation capability that can be used
592 if a key becomes compromised.
595 command selects the key used as the password for the
599 command selects the key used as the password for the
602 .Ss Public Key Cryptography
603 NTPv4 supports the original NTPv3 symmetric key scheme
604 described in RFC\-1305 and in addition the Autokey protocol,
605 which is based on public key cryptography.
606 The Autokey Version 2 protocol described on the Autokey Protocol
607 page verifies packet integrity using MD5 message digests
608 and verifies the source with digital signatures and any of several
609 digest/signature schemes.
610 Optional identity schemes described on the Identity Schemes
611 page and based on cryptographic challenge/response algorithms
613 Using all of these schemes provides strong security against
614 replay with or without modification, spoofing, masquerade
615 and most forms of clogging attacks.
617 .\" The cryptographic means necessary for all Autokey operations
618 .\" is provided by the OpenSSL software library.
619 .\" This library is available from http://www.openssl.org/
620 .\" and can be installed using the procedures outlined
621 .\" in the Building and Installing the Distribution page.
623 .\" the configure and build
624 .\" process automatically detects the library and links
625 .\" the library routines required.
627 The Autokey protocol has several modes of operation
628 corresponding to the various NTP modes supported.
629 Most modes use a special cookie which can be
630 computed independently by the client and server,
631 but encrypted in transmission.
632 All modes use in addition a variant of the S\-KEY scheme,
633 in which a pseudo\-random key list is generated and used
635 These schemes are described along with an executive summary,
636 current status, briefing slides and reading list on the
637 .Sx Autonomous Authentication
640 The specific cryptographic environment used by Autokey servers
641 and clients is determined by a set of files
642 and soft links generated by the
643 .Xr ntp\-keygen 1ntpkeygenmdoc
645 This includes a required host key file,
646 required certificate file and optional sign key file,
647 leapsecond file and identity scheme files.
649 digest/signature scheme is specified in the X.509 certificate
650 along with the matching sign key.
651 There are several schemes
652 available in the OpenSSL software library, each identified
653 by a specific string such as
654 .Cm md5WithRSAEncryption ,
655 which stands for the MD5 message digest with RSA
657 The current NTP distribution supports
658 all the schemes in the OpenSSL library, including
659 those based on RSA and DSA digital signatures.
661 NTP secure groups can be used to define cryptographic compartments
662 and security hierarchies.
663 It is important that every host
664 in the group be able to construct a certificate trail to one
665 or more trusted hosts in the same group.
667 host runs the Autokey protocol to obtain the certificates
668 for all hosts along the trail to one or more trusted hosts.
669 This requires the configuration file in all hosts to be
670 engineered so that, even under anticipated failure conditions,
671 the NTP subnet will form such that every group host can find
672 a trail to at least one trusted host.
673 .Ss Naming and Addressing
674 It is important to note that Autokey does not use DNS to
675 resolve addresses, since DNS can't be completely trusted
676 until the name servers have synchronized clocks.
677 The cryptographic name used by Autokey to bind the host identity
678 credentials and cryptographic values must be independent
679 of interface, network and any other naming convention.
680 The name appears in the host certificate in either or both
681 the subject and issuer fields, so protection against
682 DNS compromise is essential.
684 By convention, the name of an Autokey host is the name returned
687 system call or equivalent in other systems.
689 model, there are no provisions to allow alternate names or aliases.
690 However, this is not to say that DNS aliases, different names
691 for each interface, etc., are constrained in any way.
693 It is also important to note that Autokey verifies authenticity
694 using the host name, network address and public keys,
695 all of which are bound together by the protocol specifically
696 to deflect masquerade attacks.
697 For this reason Autokey
698 includes the source and destinatino IP addresses in message digest
699 computations and so the same addresses must be available
700 at both the server and client.
701 For this reason operation
702 with network address translation schemes is not possible.
703 This reflects the intended robust security model where government
704 and corporate NTP servers are operated outside firewall perimeters.
706 A specific combination of authentication scheme (none,
707 symmetric key, public key) and identity scheme is called
708 a cryptotype, although not all combinations are compatible.
709 There may be management configurations where the clients,
710 servers and peers may not all support the same cryptotypes.
711 A secure NTPv4 subnet can be configured in many ways while
712 keeping in mind the principles explained above and
714 Note however that some cryptotype
715 combinations may successfully interoperate with each other,
716 but may not represent good security practice.
718 The cryptotype of an association is determined at the time
719 of mobilization, either at configuration time or some time
720 later when a message of appropriate cryptotype arrives.
725 configuration command and no
729 subcommands are present, the association is not
730 authenticated; if the
732 subcommand is present, the association is authenticated
733 using the symmetric key ID specified; if the
735 subcommand is present, the association is authenticated
738 When multiple identity schemes are supported in the Autokey
739 protocol, the first message exchange determines which one is used.
740 The client request message contains bits corresponding
741 to which schemes it has available.
742 The server response message
743 contains bits corresponding to which schemes it has available.
744 Both server and client match the received bits with their own
745 and select a common scheme.
747 Following the principle that time is a public value,
748 a server responds to any client packet that matches
749 its cryptotype capabilities.
750 Thus, a server receiving
751 an unauthenticated packet will respond with an unauthenticated
752 packet, while the same server receiving a packet of a cryptotype
753 it supports will respond with packets of that cryptotype.
754 However, unconfigured broadcast or manycast client
755 associations or symmetric passive associations will not be
756 mobilized unless the server supports a cryptotype compatible
757 with the first packet received.
758 By default, unauthenticated associations will not be mobilized
759 unless overridden in a decidedly dangerous way.
761 Some examples may help to reduce confusion.
762 Client Alice has no specific cryptotype selected.
763 Server Bob has both a symmetric key file and minimal Autokey files.
764 Alice's unauthenticated messages arrive at Bob, who replies with
765 unauthenticated messages.
766 Cathy has a copy of Bob's symmetric
767 key file and has selected key ID 4 in messages to Bob.
768 Bob verifies the message with his key ID 4.
770 same key and the message is verified, Bob sends Cathy a reply
771 authenticated with that key.
772 If verification fails,
773 Bob sends Cathy a thing called a crypto\-NAK, which tells her
775 She can see the evidence using the
779 Denise has rolled her own host key and certificate.
780 She also uses one of the identity schemes as Bob.
781 She sends the first Autokey message to Bob and they
782 both dance the protocol authentication and identity steps.
783 If all comes out okay, Denise and Bob continue as described above.
785 It should be clear from the above that Bob can support
786 all the girls at the same time, as long as he has compatible
787 authentication and identity credentials.
788 Now, Bob can act just like the girls in his own choice of servers;
789 he can run multiple configured associations with multiple different
790 servers (or the same server, although that might not be useful).
791 But, wise security policy might preclude some cryptotype
792 combinations; for instance, running an identity scheme
793 with one server and no authentication with another might not be wise.
795 The cryptographic values used by the Autokey protocol are
796 incorporated as a set of files generated by the
797 .Xr ntp\-keygen 1ntpkeygenmdoc
798 utility program, including symmetric key, host key and
799 public certificate files, as well as sign key, identity parameters
800 and leapseconds files.
801 Alternatively, host and sign keys and
802 certificate files can be generated by the OpenSSL utilities
803 and certificates can be imported from public certificate
805 Note that symmetric keys are necessary for the
810 The remaining files are necessary only for the
813 Certificates imported from OpenSSL or public certificate
814 authorities have certian limitations.
815 The certificate should be in ASN.1 syntax, X.509 Version 3
816 format and encoded in PEM, which is the same format
818 The overall length of the certificate encoded
819 in ASN.1 must not exceed 1024 bytes.
820 The subject distinguished
821 name field (CN) is the fully qualified name of the host
822 on which it is used; the remaining subject fields are ignored.
823 The certificate extension fields must not contain either
824 a subject key identifier or a issuer key identifier field;
825 however, an extended key usage field for a trusted host must
828 Other extension fields are ignored.
829 .Ss Authentication Commands
830 .Bl -tag -width indent
831 .It Ic autokey Op Ar logsec
832 Specifies the interval between regenerations of the session key
833 list used with the Autokey protocol.
834 Note that the size of the key
835 list for each association depends on this interval and the current
837 The default value is 12 (4096 s or about 1.1 hours).
838 For poll intervals above the specified interval, a session key list
839 with a single entry will be regenerated for every message
841 .It Ic controlkey Ar key
842 Specifies the key identifier to use with the
844 utility, which uses the standard
845 protocol defined in RFC\-1305.
849 the key identifier for a trusted key, where the value can be in the
850 range 1 to 65,534, inclusive.
854 .Op Cm randfile Ar file
859 .Op Cm iffpar Ar file
861 .Op Cm pw Ar password
863 This command requires the OpenSSL library.
864 It activates public key
865 cryptography, selects the message digest and signature
866 encryption scheme and loads the required private and public
867 values described above.
868 If one or more files are left unspecified,
869 the default names are used as described above.
870 Unless the complete path and name of the file are specified, the
871 location of a file is relative to the keys directory specified
876 Following are the subcommands:
877 .Bl -tag -width indent
879 Specifies the location of the required host public certificate file.
880 This overrides the link
881 .Pa ntpkey_cert_ Ns Ar hostname
882 in the keys directory.
884 Specifies the location of the optional GQ parameters file.
887 .Pa ntpkey_gq_ Ns Ar hostname
888 in the keys directory.
890 Specifies the location of the required host key file.
893 .Pa ntpkey_key_ Ns Ar hostname
894 in the keys directory.
895 .It Cm iffpar Ar file
896 Specifies the location of the optional IFF parameters file.This
898 .Pa ntpkey_iff_ Ns Ar hostname
899 in the keys directory.
901 Specifies the location of the optional leapsecond file.
902 This overrides the link
904 in the keys directory.
906 Specifies the location of the optional MV parameters file.
909 .Pa ntpkey_mv_ Ns Ar hostname
910 in the keys directory.
911 .It Cm pw Ar password
912 Specifies the password to decrypt files containing private keys and
914 This is required only if these files have been
916 .It Cm randfile Ar file
917 Specifies the location of the random seed file used by the OpenSSL
919 The defaults are described in the main text above.
921 Specifies the location of the optional sign key file.
924 .Pa ntpkey_sign_ Ns Ar hostname
925 in the keys directory.
927 not found, the host key is also the sign key.
929 .It Ic keys Ar keyfile
930 Specifies the complete path and location of the MD5 key file
931 containing the keys and key identifiers used by
936 when operating with symmetric key cryptography.
937 This is the same operation as the
940 .It Ic keysdir Ar path
941 This command specifies the default directory path for
942 cryptographic keys, parameters and certificates.
944 .Pa /usr/local/etc/ .
945 .It Ic requestkey Ar key
946 Specifies the key identifier to use with the
948 utility program, which uses a
949 proprietary protocol specific to this implementation of
953 argument is a key identifier
954 for the trusted key, where the value can be in the range 1 to
956 .It Ic revoke Ar logsec
957 Specifies the interval between re\-randomization of certain
958 cryptographic values used by the Autokey scheme, as a power of 2 in
960 These values need to be updated frequently in order to
961 deflect brute\-force attacks on the algorithms of the scheme;
962 however, updating some values is a relatively expensive operation.
963 The default interval is 16 (65,536 s or about 18 hours).
965 intervals above the specified interval, the values will be updated
966 for every message sent.
967 .It Ic trustedkey Ar key ...
968 Specifies the key identifiers which are trusted for the
969 purposes of authenticating peers with symmetric key cryptography,
970 as well as keys used by the
975 The authentication procedures require that both the local
976 and remote servers share the same key and key identifier for this
977 purpose, although different keys can be used with different
981 arguments are 32\-bit unsigned
982 integers with values from 1 to 65,534.
985 The following error codes are reported via the NTP control
986 and monitoring protocol trap mechanism.
987 .Bl -tag -width indent
989 .Pq bad field format or length
990 The packet has invalid version, length or format.
993 The packet timestamp is the same or older than the most recent received.
994 This could be due to a replay or a server clock time step.
997 The packet filestamp is the same or older than the most recent received.
998 This could be due to a replay or a key file generation error.
1000 .Pq bad or missing public key
1001 The public key is missing, has incorrect format or is an unsupported type.
1003 .Pq unsupported digest type
1004 The server requires an unsupported digest/signature scheme.
1006 .Pq mismatched digest types
1009 .Pq bad signature length
1010 The signature length does not match the current public key.
1012 .Pq signature not verified
1013 The message fails the signature check.
1014 It could be bogus or signed by a
1015 different private key.
1017 .Pq certificate not verified
1018 The certificate is invalid or signed with the wrong key.
1020 .Pq certificate not verified
1021 The certificate is not yet valid or has expired or the signature could not
1024 .Pq bad or missing cookie
1025 The cookie is missing, corrupted or bogus.
1027 .Pq bad or missing leapseconds table
1028 The leapseconds table is missing, corrupted or bogus.
1030 .Pq bad or missing certificate
1031 The certificate is missing, corrupted or bogus.
1033 .Pq bad or missing identity
1034 The identity key is missing, corrupt or bogus.
1036 .Sh Monitoring Support
1038 includes a comprehensive monitoring facility suitable
1039 for continuous, long term recording of server and client
1040 timekeeping performance.
1044 for a listing and example of each type of statistics currently
1046 Statistic files are managed using file generation sets
1049 directory of this distribution.
1051 these facilities and
1054 jobs, the data can be
1055 automatically summarized and archived for retrospective analysis.
1056 .Ss Monitoring Commands
1057 .Bl -tag -width indent
1058 .It Ic statistics Ar name ...
1059 Enables writing of statistics records.
1060 Currently, eight kinds of
1062 statistics are supported.
1063 .Bl -tag -width indent
1065 Enables recording of clock driver statistics information.
1067 received from a clock driver appends a line of the following form to
1068 the file generation set named
1071 49213 525.624 127.127.4.1 93 226 00:08:29.606 D
1074 The first two fields show the date (Modified Julian Day) and time
1075 (seconds and fraction past UTC midnight).
1076 The next field shows the
1077 clock address in dotted\-quad notation.
1078 The final field shows the last
1079 timecode received from the clock in decoded ASCII format, where
1081 In some clock drivers a good deal of additional information
1082 can be gathered and displayed as well.
1083 See information specific to each
1084 clock for further details.
1086 This option requires the OpenSSL cryptographic software library.
1088 enables recording of cryptographic public key protocol information.
1089 Each message received by the protocol module appends a line of the
1090 following form to the file generation set named
1093 49213 525.624 127.127.4.1 message
1096 The first two fields show the date (Modified Julian Day) and time
1097 (seconds and fraction past UTC midnight).
1098 The next field shows the peer
1099 address in dotted\-quad notation, The final message field includes the
1100 message type and certain ancillary information.
1102 .Sx Authentication Options
1103 section for further information.
1105 Enables recording of loop filter statistics information.
1107 update of the local clock outputs a line of the following form to
1108 the file generation set named
1111 50935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
1114 The first two fields show the date (Modified Julian Day) and
1115 time (seconds and fraction past UTC midnight).
1116 The next five fields
1117 show time offset (seconds), frequency offset (parts per million \-
1118 PPM), RMS jitter (seconds), Allan deviation (PPM) and clock
1119 discipline time constant.
1121 Enables recording of peer statistics information.
1123 statistics records of all peers of a NTP server and of special
1124 signals, where present and configured.
1125 Each valid update appends a
1126 line of the following form to the current element of a file
1127 generation set named
1130 48773 10847.650 127.127.4.1 9714 \-0.001605376 0.000000000 0.001424877 0.000958674
1133 The first two fields show the date (Modified Julian Day) and
1134 time (seconds and fraction past UTC midnight).
1136 show the peer address in dotted\-quad notation and status,
1138 The status field is encoded in hex in the format
1139 described in Appendix A of the NTP specification RFC 1305.
1140 The final four fields show the offset,
1141 delay, dispersion and RMS jitter, all in seconds.
1143 Enables recording of raw\-timestamp statistics information.
1145 includes statistics records of all peers of a NTP server and of
1146 special signals, where present and configured.
1148 received from a peer or clock driver appends a line of the
1149 following form to the file generation set named
1152 50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000
1155 The first two fields show the date (Modified Julian Day) and
1156 time (seconds and fraction past UTC midnight).
1158 show the remote peer or clock address followed by the local address
1159 in dotted\-quad notation.
1160 The final four fields show the originate,
1161 receive, transmit and final NTP timestamps in order.
1163 values are as received and before processing by the various data
1164 smoothing and mitigation algorithms.
1166 Enables recording of ntpd statistics counters on a periodic basis.
1168 hour a line of the following form is appended to the file generation
1172 50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
1175 The first two fields show the date (Modified Julian Day) and time
1176 (seconds and fraction past UTC midnight).
1177 The remaining ten fields show
1178 the statistics counter values accumulated since the last generated
1180 .Bl -tag -width indent
1181 .It Time since restart Cm 36000
1182 Time in hours since the system was last rebooted.
1183 .It Packets received Cm 81965
1184 Total number of packets received.
1185 .It Packets processed Cm 0
1186 Number of packets received in response to previous packets sent
1187 .It Current version Cm 9546
1188 Number of packets matching the current NTP version.
1189 .It Previous version Cm 56
1190 Number of packets matching the previous NTP version.
1191 .It Bad version Cm 71793
1192 Number of packets matching neither NTP version.
1193 .It Access denied Cm 512
1194 Number of packets denied access for any reason.
1195 .It Bad length or format Cm 540
1196 Number of packets with invalid length, format or port number.
1197 .It Bad authentication Cm 10
1198 Number of packets not verified as authentic.
1199 .It Rate exceeded Cm 147
1200 Number of packets discarded due to rate limitation.
1202 .It Cm statsdir Ar directory_path
1203 Indicates the full path of a directory where statistics files
1204 should be created (see below).
1206 the (otherwise constant)
1208 filename prefix to be modified for file generation sets, which
1209 is useful for handling statistics logs.
1210 .It Cm filegen Ar name Xo
1211 .Op Cm file Ar filename
1212 .Op Cm type Ar typename
1213 .Op Cm link | nolink
1214 .Op Cm enable | disable
1216 Configures setting of generation file set name.
1218 file sets provide a means for handling files that are
1219 continuously growing during the lifetime of a server.
1220 Server statistics are a typical example for such files.
1221 Generation file sets provide access to a set of files used
1222 to store the actual data.
1223 At any time at most one element
1224 of the set is being written to.
1225 The type given specifies
1226 when and how data will be directed to a new element of the set.
1227 This way, information stored in elements of a file set
1228 that are currently unused are available for administrational
1229 operations without the risk of disturbing the operation of ntpd.
1230 (Most important: they can be removed to free space for new data
1233 Note that this command can be sent from the
1234 .Xr ntpdc @NTPDC_MS@
1235 program running at a remote location.
1236 .Bl -tag -width indent
1238 This is the type of the statistics records, as shown in the
1241 .It Cm file Ar filename
1242 This is the file name for the statistics records.
1244 members are built from three concatenated elements
1249 .Bl -tag -width indent
1251 This is a constant filename path.
1252 It is not subject to
1253 modifications via the
1256 It is defined by the
1257 server, usually specified as a compile\-time constant.
1259 however, be configurable for individual file generation sets
1261 For example, the prefix used with
1265 generation can be configured using the
1267 option explained above.
1269 This string is directly concatenated to the prefix mentioned
1270 above (no intervening
1272 This can be modified using
1273 the file argument to the
1279 allowed in this component to prevent filenames referring to
1280 parts outside the filesystem hierarchy denoted by
1283 This part is reflects individual elements of a file set.
1285 generated according to the type of a file set.
1287 .It Cm type Ar typename
1288 A file generation set is characterized by its type.
1290 types are supported:
1291 .Bl -tag -width indent
1293 The file set is actually a single plain file.
1295 One element of file set is used per incarnation of a ntpd
1297 This type does not perform any changes to file set
1298 members during runtime, however it provides an easy way of
1299 separating files belonging to different
1301 server incarnations.
1302 The set member filename is built by appending a
1309 appending the decimal representation of the process ID of the
1313 One file generation set element is created per day.
1315 defined as the period between 00:00 and 24:00 UTC.
1317 member suffix consists of a
1319 and a day specification in
1323 is a 4\-digit year number (e.g., 1992).
1325 is a two digit month number.
1327 is a two digit day number.
1328 Thus, all information written at 10 December 1992 would end up
1331 .Ar filename Ns .19921210 .
1333 Any file set member contains data related to a certain week of
1335 The term week is defined by computing day\-of\-year
1337 Elements of such a file generation set are
1338 distinguished by appending the following suffix to the file set
1339 filename base: A dot, a 4\-digit year number, the letter
1341 and a 2\-digit week number.
1342 For example, information from January,
1343 10th 1992 would end up in a file with suffix
1344 .No . Ns Ar 1992W1 .
1346 One generation file set element is generated per month.
1348 file name suffix consists of a dot, a 4\-digit year number, and
1351 One generation file element is generated per year.
1353 suffix consists of a dot and a 4 digit year number.
1355 This type of file generation sets changes to a new element of
1356 the file set every 24 hours of server operation.
1358 suffix consists of a dot, the letter
1360 and an 8\-digit number.
1361 This number is taken to be the number of seconds the server is
1362 running at the start of the corresponding 24\-hour period.
1363 Information is only written to a file generation by specifying
1365 output is prevented by specifying
1368 .It Cm link | nolink
1369 It is convenient to be able to access the current element of a file
1370 generation set by a fixed name.
1371 This feature is enabled by
1376 If link is specified, a
1377 hard link from the current file set element to a file without
1379 When there is already a file with this name and
1380 the number of links of this file is one, it is renamed appending a
1383 and the pid of the ntpd server process.
1385 number of links is greater than one, the file is unlinked.
1387 allows the current file to be accessed by a constant name.
1388 .It Cm enable \&| Cm disable
1389 Enables or disables the recording function.
1393 .Sh Access Control Support
1396 daemon implements a general purpose address/mask based restriction
1398 The list contains address/match entries sorted first
1399 by increasing address values and and then by increasing mask values.
1400 A match occurs when the bitwise AND of the mask and the packet
1401 source address is equal to the bitwise AND of the mask and
1402 address in the list.
1403 The list is searched in order with the
1404 last match found defining the restriction flags associated
1406 Additional information and examples can be found in the
1407 .Qq Notes on Configuring NTP and Setting up a NTP Subnet
1409 (available as part of the HTML documentation
1411 .Pa /usr/share/doc/ntp ) .
1413 The restriction facility was implemented in conformance
1414 with the access policies for the original NSFnet backbone
1416 Later the facility was expanded to deflect
1417 cryptographic and clogging attacks.
1418 While this facility may
1419 be useful for keeping unwanted or broken or malicious clients
1420 from congesting innocent servers, it should not be considered
1421 an alternative to the NTP authentication facilities.
1422 Source address based restrictions are easily circumvented
1423 by a determined cracker.
1425 Clients can be denied service because they are explicitly
1426 included in the restrict list created by the restrict command
1427 or implicitly as the result of cryptographic or rate limit
1429 Cryptographic violations include certificate
1430 or identity verification failure; rate limit violations generally
1431 result from defective NTP implementations that send packets
1433 Some violations cause denied service
1434 only for the offending packet, others cause denied service
1435 for a timed period and others cause the denied service for
1436 an indefinate period.
1437 When a client or network is denied access
1438 for an indefinate period, the only way at present to remove
1439 the restrictions is by restarting the server.
1440 .Ss The Kiss\-of\-Death Packet
1441 Ordinarily, packets denied service are simply dropped with no
1442 further action except incrementing statistics counters.
1444 more proactive response is needed, such as a server message that
1445 explicitly requests the client to stop sending and leave a message
1446 for the system operator.
1447 A special packet format has been created
1448 for this purpose called the "kiss\-of\-death" (KoD) packet.
1449 KoD packets have the leap bits set unsynchronized and stratum set
1450 to zero and the reference identifier field set to a four\-byte
1456 flag of the matching restrict list entry is set,
1457 the code is "DENY"; if the
1459 flag is set and the rate limit
1460 is exceeded, the code is "RATE".
1461 Finally, if a cryptographic violation occurs, the code is "CRYP".
1463 A client receiving a KoD performs a set of sanity checks to
1464 minimize security exposure, then updates the stratum and
1465 reference identifier peer variables, sets the access
1466 denied (TEST4) bit in the peer flash variable and sends
1467 a message to the log.
1468 As long as the TEST4 bit is set,
1469 the client will send no further packets to the server.
1470 The only way at present to recover from this condition is
1471 to restart the protocol at both the client and server.
1473 happens automatically at the client when the association times out.
1474 It will happen at the server only if the server operator cooperates.
1475 .Ss Access Control Commands
1476 .Bl -tag -width indent
1478 .Op Cm average Ar avg
1479 .Op Cm minimum Ar min
1480 .Op Cm monitor Ar prob
1482 Set the parameters of the
1484 facility which protects the server from
1488 subcommand specifies the minimum average packet
1491 subcommand specifies the minimum packet spacing.
1492 Packets that violate these minima are discarded
1493 and a kiss\-o'\-death packet returned if enabled.
1495 minimum average and minimum are 5 and 2, respectively.
1496 The monitor subcommand specifies the probability of discard
1497 for packets that overflow the rate\-control window.
1498 .It Xo Ic restrict address
1504 argument expressed in
1505 dotted\-quad form is the address of a host or network.
1508 argument can be a valid host DNS name.
1511 argument expressed in dotted\-quad form defaults to
1512 .Cm 255.255.255.255 ,
1515 is treated as the address of an individual host.
1516 A default entry (address
1520 is always included and is always the first entry in the list.
1521 Note that text string
1523 with no mask option, may
1524 be used to indicate the default entry.
1525 In the current implementation,
1528 restricts access, i.e., an entry with no flags indicates that free
1529 access to the server is to be given.
1530 The flags are not orthogonal,
1531 in that more restrictive flags will often make less restrictive
1533 The flags can generally be classed into two
1534 categories, those which restrict time service and those which
1535 restrict informational queries and attempts to do run\-time
1536 reconfiguration of the server.
1537 One or more of the following flags
1539 .Bl -tag -width indent
1541 Deny packets of all kinds, including
1544 .Xr ntpdc @NTPDC_MS@
1547 If this flag is set when an access violation occurs, a kiss\-o'\-death
1548 (KoD) packet is sent.
1549 KoD packets are rate limited to no more than one
1551 If another KoD packet occurs within one second after the
1552 last one, the packet is dropped.
1554 Deny service if the packet spacing violates the lower limits specified
1555 in the discard command.
1556 A history of clients is kept using the
1557 monitoring capability of
1558 .Xr ntpd @NTPD_MS@ .
1559 Thus, monitoring is always active as
1560 long as there is a restriction entry with the
1564 Declare traps set by matching hosts to be low priority.
1566 number of traps a server can maintain is limited (the current limit
1568 Traps are usually assigned on a first come, first served
1569 basis, with later trap requestors being denied service.
1571 modifies the assignment algorithm by allowing low priority traps to
1572 be overridden by later requests for normal priority traps.
1577 .Xr ntpdc @NTPDC_MS@
1578 queries which attempt to modify the state of the
1579 server (i.e., run time reconfiguration).
1580 Queries which return
1581 information are permitted.
1586 .Xr ntpdc @NTPDC_MS@
1588 Time service is not affected.
1590 Deny packets which would result in mobilizing a new association.
1592 includes broadcast and symmetric active packets when a configured
1593 association does not exist.
1596 associations, so if you want to use servers from a
1598 directive and also want to use
1600 by default, you'll want a
1601 .Cm "restrict source ..." line as well that does
1607 Deny all packets except
1610 .Xr ntpdc @NTPDC_MS@
1613 Decline to provide mode 6 control message trap service to matching
1615 The trap service is a subsystem of the ntpdq control message
1616 protocol which is intended for use by remote event logging programs.
1618 Deny service unless the packet is cryptographically authenticated.
1620 This is actually a match algorithm modifier, rather than a
1622 Its presence causes the restriction entry to be
1623 matched only if the source port in the packet is the standard NTP
1633 is considered more specific and
1634 is sorted later in the list.
1636 Deny packets that do not match the current NTP version.
1639 Default restriction list entries with the flags ignore, interface,
1640 ntpport, for each of the local host's interface addresses are
1641 inserted into the table at startup to prevent the server
1642 from attempting to synchronize to its own time.
1643 A default entry is also always present, though if it is
1644 otherwise unconfigured; no flags are associated
1645 with the default entry (i.e., everything besides your own
1646 NTP server is unrestricted).
1648 .Sh Automatic NTP Configuration Options
1650 Manycasting is a automatic discovery and configuration paradigm
1652 It is intended as a means for a multicast client
1653 to troll the nearby network neighborhood to find cooperating
1654 manycast servers, validate them using cryptographic means
1655 and evaluate their time values with respect to other servers
1656 that might be lurking in the vicinity.
1657 The intended result is that each manycast client mobilizes
1658 client associations with some number of the "best"
1659 of the nearby manycast servers, yet automatically reconfigures
1660 to sustain this number of servers should one or another fail.
1662 Note that the manycasting paradigm does not coincide
1663 with the anycast paradigm described in RFC\-1546,
1664 which is designed to find a single server from a clique
1665 of servers providing the same service.
1666 The manycast paradigm is designed to find a plurality
1667 of redundant servers satisfying defined optimality criteria.
1669 Manycasting can be used with either symmetric key
1670 or public key cryptography.
1671 The public key infrastructure (PKI)
1672 offers the best protection against compromised keys
1673 and is generally considered stronger, at least with relatively
1675 It is implemented using the Autokey protocol and
1676 the OpenSSL cryptographic library available from
1677 .Li http://www.openssl.org/ .
1678 The library can also be used with other NTPv4 modes
1679 as well and is highly recommended, especially for broadcast modes.
1681 A persistent manycast client association is configured
1682 using the manycastclient command, which is similar to the
1683 server command but with a multicast (IPv4 class
1688 The IANA has designated IPv4 address 224.1.1.1
1689 and IPv6 address FF05::101 (site local) for NTP.
1690 When more servers are needed, it broadcasts manycast
1691 client messages to this address at the minimum feasible rate
1692 and minimum feasible time\-to\-live (TTL) hops, depending
1693 on how many servers have already been found.
1694 There can be as many manycast client associations
1695 as different group address, each one serving as a template
1696 for a future ephemeral unicast client/server association.
1698 Manycast servers configured with the
1700 command listen on the specified group address for manycast
1702 Note the distinction between manycast client,
1703 which actively broadcasts messages, and manycast server,
1704 which passively responds to them.
1705 If a manycast server is
1706 in scope of the current TTL and is itself synchronized
1707 to a valid source and operating at a stratum level equal
1708 to or lower than the manycast client, it replies to the
1709 manycast client message with an ordinary unicast server message.
1711 The manycast client receiving this message mobilizes
1712 an ephemeral client/server association according to the
1713 matching manycast client template, but only if cryptographically
1714 authenticated and the server stratum is less than or equal
1715 to the client stratum.
1716 Authentication is explicitly required
1717 and either symmetric key or public key (Autokey) can be used.
1718 Then, the client polls the server at its unicast address
1719 in burst mode in order to reliably set the host clock
1720 and validate the source.
1721 This normally results
1722 in a volley of eight client/server at 2\-s intervals
1723 during which both the synchronization and cryptographic
1724 protocols run concurrently.
1725 Following the volley,
1726 the client runs the NTP intersection and clustering
1727 algorithms, which act to discard all but the "best"
1728 associations according to stratum and synchronization
1730 The surviving associations then continue
1731 in ordinary client/server mode.
1733 The manycast client polling strategy is designed to reduce
1734 as much as possible the volume of manycast client messages
1735 and the effects of implosion due to near\-simultaneous
1736 arrival of manycast server messages.
1737 The strategy is determined by the
1738 .Ic manycastclient ,
1742 configuration commands.
1743 The manycast poll interval is
1744 normally eight times the system poll interval,
1745 which starts out at the
1747 value specified in the
1748 .Ic manycastclient ,
1749 command and, under normal circumstances, increments to the
1751 value specified in this command.
1752 Initially, the TTL is
1753 set at the minimum hops specified by the ttl command.
1754 At each retransmission the TTL is increased until reaching
1755 the maximum hops specified by this command or a sufficient
1756 number client associations have been found.
1757 Further retransmissions use the same TTL.
1759 The quality and reliability of the suite of associations
1760 discovered by the manycast client is determined by the NTP
1761 mitigation algorithms and the
1765 values specified in the
1767 configuration command.
1770 candidate servers must be available and the mitigation
1771 algorithms produce at least
1773 survivors in order to synchronize the clock.
1774 Byzantine agreement principles require at least four
1775 candidates in order to correctly discard a single falseticker.
1776 For legacy purposes,
1781 For manycast service
1783 should be explicitly set to 4, assuming at least that
1784 number of servers are available.
1788 servers are found, the manycast poll interval is immediately
1793 servers are found when the TTL has reached the maximum hops,
1794 the manycast poll interval is doubled.
1795 For each transmission
1796 after that, the poll interval is doubled again until
1797 reaching the maximum of eight times
1799 Further transmissions use the same poll interval and
1801 Note that while all this is going on,
1802 each client/server association found is operating normally
1803 it the system poll interval.
1805 Administratively scoped multicast boundaries are normally
1806 specified by the network router configuration and,
1807 in the case of IPv6, the link/site scope prefix.
1808 By default, the increment for TTL hops is 32 starting
1809 from 31; however, the
1811 configuration command can be
1812 used to modify the values to match the scope rules.
1814 It is often useful to narrow the range of acceptable
1815 servers which can be found by manycast client associations.
1816 Because manycast servers respond only when the client
1817 stratum is equal to or greater than the server stratum,
1818 primary (stratum 1) servers fill find only primary servers
1819 in TTL range, which is probably the most common objective.
1820 However, unless configured otherwise, all manycast clients
1821 in TTL range will eventually find all primary servers
1822 in TTL range, which is probably not the most common
1823 objective in large networks.
1826 command can be used to modify this behavior.
1827 Servers with stratum below
1833 command are strongly discouraged during the selection
1834 process; however, these servers may be temporally
1835 accepted if the number of servers within TTL range is
1839 The above actions occur for each manycast client message,
1840 which repeats at the designated poll interval.
1841 However, once the ephemeral client association is mobilized,
1842 subsequent manycast server replies are discarded,
1843 since that would result in a duplicate association.
1844 If during a poll interval the number of client associations
1847 all manycast client prototype associations are reset
1848 to the initial poll interval and TTL hops and operation
1849 resumes from the beginning.
1850 It is important to avoid
1851 frequent manycast client messages, since each one requires
1852 all manycast servers in TTL range to respond.
1853 The result could well be an implosion, either minor or major,
1854 depending on the number of servers in range.
1855 The recommended value for
1859 It is possible and frequently useful to configure a host
1860 as both manycast client and manycast server.
1861 A number of hosts configured this way and sharing a common
1862 group address will automatically organize themselves
1863 in an optimum configuration based on stratum and
1864 synchronization distance.
1865 For example, consider an NTP
1866 subnet of two primary servers and a hundred or more
1868 With two exceptions, all servers
1869 and clients have identical configuration files including both
1873 commands using, for instance, multicast group address
1875 The only exception is that each primary server
1876 configuration file must include commands for the primary
1877 reference source such as a GPS receiver.
1879 The remaining configuration files for all secondary
1880 servers and clients have the same contents, except for the
1882 command, which is specific for each stratum level.
1883 For stratum 1 and stratum 2 servers, that command is
1885 For stratum 3 and above servers the
1887 value is set to the intended stratum number.
1888 Thus, all stratum 3 configuration files are identical,
1889 all stratum 4 files are identical and so forth.
1891 Once operations have stabilized in this scenario,
1892 the primary servers will find the primary reference source
1893 and each other, since they both operate at the same
1894 stratum (1), but not with any secondary server or client,
1895 since these operate at a higher stratum.
1897 servers will find the servers at the same stratum level.
1898 If one of the primary servers loses its GPS receiver,
1899 it will continue to operate as a client and other clients
1900 will time out the corresponding association and
1901 re\-associate accordingly.
1903 Some administrators prefer to avoid running
1905 continuously and run either
1911 In either case the servers must be
1912 configured in advance and the program fails if none are
1913 available when the cron job runs.
1915 application of manycast is with
1918 The program wakes up, scans the local landscape looking
1919 for the usual suspects, selects the best from among
1920 the rascals, sets the clock and then departs.
1921 Servers do not have to be configured in advance and
1922 all clients throughout the network can have the same
1924 .Ss Manycast Interactions with Autokey
1925 Each time a manycast client sends a client mode packet
1926 to a multicast group address, all manycast servers
1927 in scope generate a reply including the host name
1929 The manycast clients then run
1930 the Autokey protocol, which collects and verifies
1931 all certificates involved.
1932 Following the burst interval
1933 all but three survivors are cast off,
1934 but the certificates remain in the local cache.
1935 It often happens that several complete signing trails
1936 from the client to the primary servers are collected in this way.
1938 About once an hour or less often if the poll interval
1939 exceeds this, the client regenerates the Autokey key list.
1940 This is in general transparent in client/server mode.
1941 However, about once per day the server private value
1942 used to generate cookies is refreshed along with all
1943 manycast client associations.
1945 cryptographic values including certificates is refreshed.
1946 If a new certificate has been generated since
1947 the last refresh epoch, it will automatically revoke
1948 all prior certificates that happen to be in the
1950 At the same time, the manycast
1951 scheme starts all over from the beginning and
1952 the expanding ring shrinks to the minimum and increments
1953 from there while collecting all servers in scope.
1954 .Ss Manycast Options
1955 .Bl -tag -width indent
1958 .Cm ceiling Ar ceiling |
1959 .Cm cohort { 0 | 1 } |
1960 .Cm floor Ar floor |
1961 .Cm minclock Ar minclock |
1962 .Cm minsane Ar minsane
1965 This command affects the clock selection and clustering
1967 It can be used to select the quality and
1968 quantity of peers used to synchronize the system clock
1969 and is most useful in manycast mode.
1970 The variables operate
1972 .Bl -tag -width indent
1973 .It Cm ceiling Ar ceiling
1974 Peers with strata above
1976 will be discarded if there are at least
1979 This value defaults to 15, but can be changed
1980 to any number from 1 to 15.
1981 .It Cm cohort Bro 0 | 1 Brc
1982 This is a binary flag which enables (0) or disables (1)
1983 manycast server replies to manycast clients with the same
1985 This is useful to reduce implosions where
1986 large numbers of clients with the same stratum level
1988 The default is to enable these replies.
1989 .It Cm floor Ar floor
1990 Peers with strata below
1992 will be discarded if there are at least
1995 This value defaults to 1, but can be changed
1996 to any number from 1 to 15.
1997 .It Cm minclock Ar minclock
1998 The clustering algorithm repeatedly casts out outlier
1999 associations until no more than
2001 associations remain.
2002 This value defaults to 3,
2003 but can be changed to any number from 1 to the number of
2005 .It Cm minsane Ar minsane
2006 This is the minimum number of candidates available
2007 to the clock selection algorithm in order to produce
2008 one or more truechimers for the clustering algorithm.
2009 If fewer than this number are available, the clock is
2010 undisciplined and allowed to run free.
2012 for legacy purposes.
2013 However, according to principles of
2014 Byzantine agreement,
2016 should be at least 4 in order to detect and discard
2017 a single falseticker.
2019 .It Cm ttl Ar hop ...
2020 This command specifies a list of TTL values in increasing
2021 order, up to 8 values can be specified.
2022 In manycast mode these values are used in turn
2023 in an expanding\-ring search.
2024 The default is eight
2025 multiples of 32 starting at 31.
2027 .Sh Reference Clock Support
2028 The NTP Version 4 daemon supports some three dozen different radio,
2029 satellite and modem reference clocks plus a special pseudo\-clock
2030 used for backup or when no other clock source is available.
2031 Detailed descriptions of individual device drivers and options can
2033 .Qq Reference Clock Drivers
2035 (available as part of the HTML documentation
2037 .Pa /usr/share/doc/ntp ) .
2038 Additional information can be found in the pages linked
2039 there, including the
2040 .Qq Debugging Hints for Reference Clock Drivers
2042 .Qq How To Write a Reference Clock Driver
2044 (available as part of the HTML documentation
2046 .Pa /usr/share/doc/ntp ) .
2047 In addition, support for a PPS
2048 signal is available as described in the
2049 .Qq Pulse\-per\-second (PPS) Signal Interfacing
2051 (available as part of the HTML documentation
2053 .Pa /usr/share/doc/ntp ) .
2055 drivers support special line discipline/streams modules which can
2056 significantly improve the accuracy using the driver.
2059 .Qq Line Disciplines and Streams Drivers
2061 (available as part of the HTML documentation
2063 .Pa /usr/share/doc/ntp ) .
2065 A reference clock will generally (though not always) be a radio
2066 timecode receiver which is synchronized to a source of standard
2067 time such as the services offered by the NRC in Canada and NIST and
2069 The interface between the computer and the timecode
2070 receiver is device dependent, but is usually a serial port.
2072 device driver specific to each reference clock must be selected and
2073 compiled in the distribution; however, most common radio, satellite
2074 and modem clocks are included by default.
2075 Note that an attempt to
2076 configure a reference clock when the driver has not been compiled
2077 or the hardware port has not been appropriately configured results
2078 in a scalding remark to the system log file, but is otherwise non
2081 For the purposes of configuration,
2084 reference clocks in a manner analogous to normal NTP peers as much
2086 Reference clocks are identified by a syntactically
2087 correct but invalid IP address, in order to distinguish them from
2089 Reference clock addresses are of the form
2091 .Li 127.127. Ar t . Ar u ,
2096 denoting the clock type and
2099 number in the range 0\-3.
2100 While it may seem overkill, it is in fact
2101 sometimes useful to configure multiple reference clocks of the same
2102 type, in which case the unit numbers must be unique.
2106 command is used to configure a reference
2109 argument in that command
2110 is the clock address.
2116 options are not used for reference clock support.
2119 option is added for reference clock support, as
2123 option can be useful to
2124 persuade the server to cherish a reference clock with somewhat more
2125 enthusiasm than other reference clocks or peers.
2127 information on this option can be found in the
2128 .Qq Mitigation Rules and the prefer Keyword
2129 (available as part of the HTML documentation
2131 .Pa /usr/share/doc/ntp )
2138 meaning only for selected clock drivers.
2139 See the individual clock
2140 driver document pages for additional information.
2144 command is used to provide additional
2145 information for individual clock drivers and normally follows
2146 immediately after the
2151 argument specifies the clock address.
2156 options can be used to
2157 override the defaults for the device.
2158 There are two optional
2159 device\-dependent time offsets and four flags that can be included
2164 The stratum number of a reference clock is by default zero.
2167 daemon adds one to the stratum of each
2168 peer, a primary server ordinarily displays an external stratum of
2170 In order to provide engineered backups, it is often useful to
2171 specify the reference clock stratum as greater than zero.
2174 option is used for this purpose.
2176 involving both a reference clock and a pulse\-per\-second (PPS)
2177 discipline signal, it is useful to specify the reference clock
2178 identifier as other than the default, depending on the driver.
2181 option is used for this purpose.
2183 these options apply to all clock drivers.
2184 .Ss Reference Clock Commands
2185 .Bl -tag -width indent
2188 .Li 127.127. Ar t . Ar u
2192 .Op Cm minpoll Ar int
2193 .Op Cm maxpoll Ar int
2195 This command can be used to configure reference clocks in
2197 The options are interpreted as follows:
2198 .Bl -tag -width indent
2200 Marks the reference clock as preferred.
2201 All other things being
2202 equal, this host will be chosen for synchronization among a set of
2203 correctly operating hosts.
2205 .Qq Mitigation Rules and the prefer Keyword
2207 (available as part of the HTML documentation
2209 .Pa /usr/share/doc/ntp )
2210 for further information.
2212 Specifies a mode number which is interpreted in a
2213 device\-specific fashion.
2214 For instance, it selects a dialing
2215 protocol in the ACTS driver and a device subtype in the
2218 .It Cm minpoll Ar int
2219 .It Cm maxpoll Ar int
2220 These options specify the minimum and maximum polling interval
2221 for reference clock messages, as a power of 2 in seconds
2223 most directly connected reference clocks, both
2227 default to 6 (64 s).
2228 For modem reference clocks,
2230 defaults to 10 (17.1 m) and
2232 defaults to 14 (4.5 h).
2233 The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
2237 .Li 127.127. Ar t . Ar u
2241 .Op Cm stratum Ar int
2242 .Op Cm refid Ar string
2244 .Op Cm flag1 Cm 0 \&| Cm 1
2245 .Op Cm flag2 Cm 0 \&| Cm 1
2246 .Op Cm flag3 Cm 0 \&| Cm 1
2247 .Op Cm flag4 Cm 0 \&| Cm 1
2249 This command can be used to configure reference clocks in
2251 It must immediately follow the
2253 command which configures the driver.
2254 Note that the same capability
2255 is possible at run time using the
2256 .Xr ntpdc @NTPDC_MS@
2258 The options are interpreted as
2260 .Bl -tag -width indent
2262 Specifies a constant to be added to the time offset produced by
2263 the driver, a fixed\-point decimal number in seconds.
2265 as a calibration constant to adjust the nominal time offset of a
2266 particular clock to agree with an external standard, such as a
2267 precision PPS signal.
2268 It also provides a way to correct a
2269 systematic error or bias due to serial port or operating system
2270 latencies, different cable lengths or receiver internal delay.
2272 specified offset is in addition to the propagation delay provided
2273 by other means, such as internal DIPswitches.
2275 for an individual system and driver is available, an approximate
2276 correction is noted in the driver documentation pages.
2277 Note: in order to facilitate calibration when more than one
2278 radio clock or PPS signal is supported, a special calibration
2279 feature is available.
2280 It takes the form of an argument to the
2282 command described in
2283 .Sx Miscellaneous Options
2284 page and operates as described in the
2285 .Qq Reference Clock Drivers
2287 (available as part of the HTML documentation
2289 .Pa /usr/share/doc/ntp ) .
2290 .It Cm time2 Ar secs
2291 Specifies a fixed\-point decimal number in seconds, which is
2292 interpreted in a driver\-dependent way.
2293 See the descriptions of
2294 specific drivers in the
2295 .Qq Reference Clock Drivers
2297 (available as part of the HTML documentation
2299 .Pa /usr/share/doc/ntp ) .
2300 .It Cm stratum Ar int
2301 Specifies the stratum number assigned to the driver, an integer
2303 This number overrides the default stratum number
2304 ordinarily assigned by the driver itself, usually zero.
2305 .It Cm refid Ar string
2306 Specifies an ASCII string of from one to four characters which
2307 defines the reference identifier used by the driver.
2309 overrides the default identifier ordinarily assigned by the driver
2312 Specifies a mode number which is interpreted in a
2313 device\-specific fashion.
2314 For instance, it selects a dialing
2315 protocol in the ACTS driver and a device subtype in the
2318 .It Cm flag1 Cm 0 \&| Cm 1
2319 .It Cm flag2 Cm 0 \&| Cm 1
2320 .It Cm flag3 Cm 0 \&| Cm 1
2321 .It Cm flag4 Cm 0 \&| Cm 1
2322 These four flags are used for customizing the clock driver.
2324 interpretation of these values, and whether they are used at all,
2325 is a function of the particular clock driver.
2329 is used to enable recording monitoring
2332 file configured with the
2335 Further information on the
2337 command can be found in
2338 .Sx Monitoring Options .
2341 .Sh Miscellaneous Options
2342 .Bl -tag -width indent
2343 .It Ic broadcastdelay Ar seconds
2344 The broadcast and multicast modes require a special calibration
2345 to determine the network delay between the local and remote
2347 Ordinarily, this is done automatically by the initial
2348 protocol exchanges between the client and server.
2350 the calibration procedure may fail due to network or server access
2351 controls, for example.
2352 This command specifies the default delay to
2353 be used under these circumstances.
2354 Typically (for Ethernet), a
2355 number between 0.003 and 0.007 seconds is appropriate.
2357 when this command is not used is 0.004 seconds.
2358 .It Ic calldelay Ar delay
2359 This option controls the delay in seconds between the first and second
2360 packets sent in burst or iburst mode to allow additional time for a modem
2361 or ISDN call to complete.
2362 .It Ic driftfile Ar driftfile
2363 This command specifies the complete path and name of the file used to
2364 record the frequency of the local clock oscillator.
2368 command line option.
2369 If the file exists, it is read at
2370 startup in order to set the initial frequency and then updated once per
2371 hour with the current frequency computed by the daemon.
2373 specified, but the file itself does not exist, the starts with an initial
2374 frequency of zero and creates the file when writing it for the first time.
2375 If this command is not given, the daemon will always start with an initial
2378 The file format consists of a single line containing a single
2379 floating point number, which records the frequency offset measured
2380 in parts\-per\-million (PPM).
2381 The file is updated by first writing
2382 the current drift value into a temporary file and then renaming
2383 this file to replace the old version.
2386 must have write permission for the directory the
2387 drift file is located in, and that file system links, symbolic or
2388 otherwise, should be avoided.
2389 .It Ic dscp Ar value
2390 This option specifies the Differentiated Services Control Point (DSCP) value,
2391 a 6\-bit code. The default value is 46, signifying Expedited Forwarding.
2394 .Cm auth | Cm bclient |
2395 .Cm calibrate | Cm kernel |
2396 .Cm mode7 | Cm monitor |
2397 .Cm ntp | Cm stats |
2398 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
2403 .Cm auth | Cm bclient |
2404 .Cm calibrate | Cm kernel |
2405 .Cm mode7 | Cm monitor |
2406 .Cm ntp | Cm stats |
2407 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
2410 Provides a way to enable or disable various server options.
2411 Flags not mentioned are unaffected.
2412 Note that all of these flags
2413 can be controlled remotely using the
2414 .Xr ntpdc @NTPDC_MS@
2416 .Bl -tag -width indent
2418 Enables the server to synchronize with unconfigured peers only if the
2419 peer has been correctly authenticated using either public key or
2420 private key cryptography.
2421 The default for this flag is
2424 Enables the server to listen for a message from a broadcast or
2425 multicast server, as in the
2427 command with default
2429 The default for this flag is
2432 Enables the calibrate feature for reference clocks.
2437 Enables the kernel time discipline, if available.
2438 The default for this
2441 if support is available, otherwise
2444 Enables processing of NTP mode 7 implementation\-specific requests
2445 which are used by the deprecated
2446 .Xr ntpdc @NTPDC_MS@
2448 The default for this flag is disable.
2449 This flag is excluded from runtime configuration using
2450 .Xr ntpq @NTPQ_MS@ .
2453 program provides the same capabilities as
2454 .Xr ntpdc @NTPDC_MS@
2455 using standard mode 6 requests.
2457 Enables the monitoring facility.
2459 .Xr ntpdc @NTPDC_MS@
2463 command or further information.
2465 default for this flag is
2468 Enables time and frequency discipline.
2469 In effect, this switch opens and
2470 closes the feedback loop, which is useful for testing.
2475 Enables the statistics facility.
2477 .Sx Monitoring Options
2478 section for further information.
2479 The default for this flag is
2481 .It Cm unpeer_crypto_early
2484 receives an autokey packet that fails TEST9,
2486 the association is immediately cleared.
2487 This is almost certainly a feature,
2488 but if, in spite of the current recommendation of not using autokey,
2493 you are seeing this sort of DoS attack
2494 disabling this flag will delay
2495 tearing down the association until the reachability counter
2499 file for evidence of any of these attacks.
2501 default for this flag is
2503 .It Cm unpeer_crypto_nak_early
2506 receives a crypto\-NAK packet that
2507 passes the duplicate packet and origin timestamp checks
2508 the association is immediately cleared.
2509 While this is generally a feature
2510 as it allows for quick recovery if a server key has changed,
2511 a properly forged and appropriately delivered crypto\-NAK packet
2512 can be used in a DoS attack.
2513 If you have active noticable problems with this type of DoS attack
2514 then you should consider
2515 disabling this option.
2518 file for evidence of any of these attacks.
2520 default for this flag is
2522 .It Cm unpeer_digest_early
2525 receives what should be an authenticated packet
2526 that passes other packet sanity checks but
2527 contains an invalid digest
2528 the association is immediately cleared.
2529 While this is generally a feature
2530 as it allows for quick recovery,
2531 if this type of packet is carefully forged and sent
2532 during an appropriate window it can be used for a DoS attack.
2533 If you have active noticable problems with this type of DoS attack
2534 then you should consider
2535 disabling this option.
2538 file for evidence of any of these attacks.
2540 default for this flag is
2543 .It Ic includefile Ar includefile
2544 This command allows additional configuration commands
2545 to be included from a separate file.
2547 be nested to a depth of five; upon reaching the end of any
2548 include file, command processing resumes in the previous
2550 This option is useful for sites that run
2552 on multiple hosts, with (mostly) common options (e.g., a
2554 .It Ic leapsmearinterval Ar seconds
2555 This EXPERIMENTAL option is only available if
2558 .Cm \-\-enable\-leap\-smear
2562 It specifies the interval over which a leap second correction will be applied.
2563 Recommended values for this option are between
2564 7200 (2 hours) and 86400 (24 hours).
2565 .Sy DO NOT USE THIS OPTION ON PUBLIC\-ACCESS SERVERS!
2566 See http://bugs.ntp.org/2855 for more information.
2567 .It Ic logconfig Ar configkeyword
2568 This command controls the amount and type of output written to
2571 facility or the alternate
2574 By default, all output is turned on.
2577 keywords can be prefixed with
2593 messages can be controlled in four
2602 Within these classes four types of messages can be
2603 controlled: informational messages
2621 Configuration keywords are formed by concatenating the message class with
2625 prefix can be used instead of a message class.
2627 message class may also be followed by the
2629 keyword to enable/disable all
2630 messages of the respective message class.Thus, a minimal log configuration
2631 could look like this:
2633 logconfig =syncstatus +sysevents
2636 This would just list the synchronizations state of
2638 and the major system events.
2639 For a simple reference server, the
2640 following minimum message configuration could be useful:
2642 logconfig =syncall +clockall
2645 This configuration will list all clock information and
2646 synchronization information.
2647 All other events and messages about
2648 peers, system events and so on is suppressed.
2649 .It Ic logfile Ar logfile
2650 This command specifies the location of an alternate log file to
2651 be used instead of the default system
2654 This is the same operation as the \-l command line option.
2655 .It Ic setvar Ar variable Op Cm default
2656 This command adds an additional system variable.
2658 variables can be used to distribute additional information such as
2660 If the variable of the form
2667 variable will be listed as part of the default system variables
2673 These additional variables serve
2674 informational purposes only.
2675 They are not related to the protocol
2676 other that they can be listed.
2677 The known protocol variables will
2678 always override any variables defined via the
2681 There are three special variables that contain the names
2682 of all variable of the same group.
2686 the names of all system variables.
2690 the names of all peer variables and the
2692 holds the names of the reference clock variables.
2695 .Cm allan Ar allan |
2696 .Cm dispersion Ar dispersion |
2698 .Cm huffpuff Ar huffpuff |
2699 .Cm panic Ar panic |
2701 .Cm stepback Ar stepback |
2702 .Cm stepfwd Ar stepfwd |
2703 .Cm stepout Ar stepout
2706 This command can be used to alter several system variables in
2707 very exceptional circumstances.
2708 It should occur in the
2709 configuration file before any other configuration options.
2711 default values of these variables have been carefully optimized for
2712 a wide range of network speeds and reliability expectations.
2714 general, they interact in intricate ways that are hard to predict
2715 and some combinations can result in some very nasty behavior.
2717 rarely is it necessary to change the default values; but, some
2718 folks cannot resist twisting the knobs anyway and this command is
2720 Emphasis added: twisters are on their own and can expect
2721 no help from the support group.
2723 The variables operate as follows:
2724 .Bl -tag -width indent
2725 .It Cm allan Ar allan
2726 The argument becomes the new value for the minimum Allan
2727 intercept, which is a parameter of the PLL/FLL clock discipline
2729 The value in log2 seconds defaults to 7 (1024 s), which is also the lower
2731 .It Cm dispersion Ar dispersion
2732 The argument becomes the new value for the dispersion increase rate,
2733 normally .000015 s/s.
2735 The argument becomes the initial value of the frequency offset in
2736 parts\-per\-million.
2737 This overrides the value in the frequency file, if
2738 present, and avoids the initial training state if it is not.
2739 .It Cm huffpuff Ar huffpuff
2740 The argument becomes the new value for the experimental
2741 huff\-n'\-puff filter span, which determines the most recent interval
2742 the algorithm will search for a minimum delay.
2744 900 s (15 m), but a more reasonable value is 7200 (2 hours).
2746 is no default, since the filter is not enabled unless this command
2748 .It Cm panic Ar panic
2749 The argument is the panic threshold, normally 1000 s.
2751 the panic sanity check is disabled and a clock offset of any value will
2754 The argument is the step threshold, which by default is 0.128 s.
2756 be set to any positive number in seconds.
2757 If set to zero, step
2758 adjustments will never occur.
2759 Note: The kernel time discipline is
2760 disabled if the step threshold is set to zero or greater than the
2762 .It Cm stepback Ar stepback
2763 The argument is the step threshold for the backward direction,
2764 which by default is 0.128 s.
2766 be set to any positive number in seconds.
2767 If both the forward and backward step thresholds are set to zero, step
2768 adjustments will never occur.
2769 Note: The kernel time discipline is
2771 each direction of step threshold are either
2772 set to zero or greater than .5 second.
2773 .It Cm stepfwd Ar stepfwd
2774 As for stepback, but for the forward direction.
2775 .It Cm stepout Ar stepout
2776 The argument is the stepout timeout, which by default is 900 s.
2778 be set to any positive number in seconds.
2779 If set to zero, the stepout
2780 pulses will not be suppressed.
2784 .Cm memlock Ar Nmegabytes |
2785 .Cm stacksize Ar N4kPages
2786 .Cm filenum Ar Nfiledescriptors
2789 .Bl -tag -width indent
2790 .It Cm memlock Ar Nmegabytes
2791 Specify the number of megabytes of memory that should be
2792 allocated and locked.
2793 Probably only available under Linux, this option may be useful
2794 when dropping root (the
2797 The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
2798 -1 means "do not lock the process into memory".
2799 0 means "lock whatever memory the process wants into memory".
2800 .It Cm stacksize Ar N4kPages
2801 Specifies the maximum size of the process stack on systems with the
2804 Defaults to 50 4k pages (200 4k pages in OpenBSD).
2805 .It Cm filenum Ar Nfiledescriptors
2806 Specifies the maximum number of file descriptors ntpd may have open at once. Defaults to the system default.
2808 .It Xo Ic trap Ar host_address
2809 .Op Cm port Ar port_number
2810 .Op Cm interface Ar interface_address
2812 This command configures a trap receiver at the given host
2813 address and port number for sending messages with the specified
2814 local interface address.
2815 If the port number is unspecified, a value
2817 If the interface address is not specified, the
2818 message is sent with a source address of the local interface the
2819 message is sent through.
2820 Note that on a multihomed host the
2821 interface used may vary from time to time with routing changes.
2823 The trap receiver will generally log event messages and other
2824 information from the server in a log file.
2826 programs may also request their own trap dynamically, configuring a
2827 trap receiver will ensure that no messages are lost when the server
2830 This command specifies a list of TTL values in increasing order, up to 8
2831 values can be specified.
2832 In manycast mode these values are used in turn in
2833 an expanding\-ring search.
2834 The default is eight multiples of 32 starting at
2840 Display usage information and exit.
2842 Pass the extended usage information through a pager.
2843 .It Fl \-version Op Brq Ar v|c|n
2844 Output version of program and exit. The default mode is `v', a simple
2845 version. The `c' mode will print copyright information and `n' will
2846 print the full copyright notice.
2848 .Sh "OPTION PRESETS"
2849 Any option that is not marked as \fInot presettable\fP may be preset
2850 by loading values from environment variables named:
2852 \fBNTP_CONF_<option\-name>\fP or \fBNTP_CONF\fP
2856 See \fBOPTION PRESETS\fP for configuration environment variables.
2858 .Bl -tag -width /etc/ntp.drift -compact
2859 .It Pa /etc/ntp.conf
2860 the default name of the configuration file
2865 .It Pa ntpkey_ Ns Ar host
2868 Diffie\-Hellman agreement parameters
2871 One of the following exit values will be returned:
2873 .It 0 " (EXIT_SUCCESS)"
2874 Successful program execution.
2875 .It 1 " (EXIT_FAILURE)"
2876 The operation failed or the command syntax was not valid.
2877 .It 70 " (EX_SOFTWARE)"
2878 libopts had an internal operational error. Please report
2879 it to autogen\-users@lists.sourceforge.net. Thank you.
2882 .Xr ntpd @NTPD_MS@ ,
2883 .Xr ntpdc @NTPDC_MS@ ,
2886 In addition to the manual pages provided,
2887 comprehensive documentation is available on the world wide web
2889 .Li http://www.ntp.org/ .
2890 A snapshot of this documentation is available in HTML format in
2891 .Pa /usr/share/doc/ntp .
2894 .%T Network Time Protocol (Version 4)
2898 The University of Delaware and Network Time Foundation
2900 Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
2901 This program is released under the terms of the NTP license, <http://ntp.org/license>.
2903 The syntax checking is not picky; some combinations of
2904 ridiculous and even hilarious options and modes may not be
2908 .Pa ntpkey_ Ns Ar host
2909 files are really digital
2911 These should be obtained via secure directory
2912 services when they become universally available.
2914 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
2916 This document was derived from FreeBSD.
2918 This manual page was \fIAutoGen\fP\-erated from the \fBntp.conf\fP