2 .Dt NTP_CONF 5 File Formats
4 .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
8 .\" It has been AutoGen-ed November 21, 2016 at 08:02:03 AM by AutoGen 5.18.5
9 .\" From the definitions ntp.conf.def
10 .\" and the template file agmdoc-cmd.tpl
13 .Nd Network Time Protocol (NTP) daemon configuration file format
20 configuration file is read at initial startup by the
22 daemon in order to specify the synchronization sources,
23 modes and other related information.
24 Usually, it is installed in the
27 but could be installed elsewhere
32 The file format is similar to other
37 character and extend to the end of the line;
38 blank lines are ignored.
39 Configuration commands consist of an initial keyword
40 followed by a list of arguments,
41 some of which may be optional, separated by whitespace.
42 Commands may not be continued over multiple lines.
43 Arguments may be host names,
44 host addresses written in numeric, dotted\-quad form,
45 integers, floating point numbers (when specifying times in seconds)
48 The rest of this page describes the configuration and control options.
50 .Qq Notes on Configuring NTP and Setting up an NTP Subnet
52 (available as part of the HTML documentation
54 .Pa /usr/share/doc/ntp )
55 contains an extended discussion of these options.
56 In addition to the discussion of general
57 .Sx Configuration Options ,
58 there are sections describing the following supported functionality
59 and the options used to control it:
60 .Bl -bullet -offset indent
62 .Sx Authentication Support
64 .Sx Monitoring Support
66 .Sx Access Control Support
68 .Sx Automatic NTP Configuration Options
70 .Sx Reference Clock Support
72 .Sx Miscellaneous Options
75 Following these is a section describing
76 .Sx Miscellaneous Options .
77 While there is a rich set of options available,
78 the only required option is one or more
86 .Sh Configuration Support
87 Following is a description of the configuration commands in
89 These commands have the same basic functions as in NTPv3 and
90 in some cases new functions and new arguments.
92 classes of commands, configuration commands that configure a
93 persistent association with a remote server or peer or reference
94 clock, and auxiliary commands that specify environmental variables
95 that control various related operations.
96 .Ss Configuration Commands
97 The various modes are determined by the command keyword and the
98 type of the required IP address.
99 Addresses are classed by type as
100 (s) a remote server or peer (IPv4 class A, B and C), (b) the
101 broadcast address of a local interface, (m) a multicast address (IPv4
102 class D), or (r) a reference clock address (127.127.x.x).
104 only those options applicable to each command are listed below.
106 of options not listed may not be caught as an error, but may result
107 in some weird and even destructive behavior.
109 If the Basic Socket Interface Extensions for IPv6 (RFC\-2553)
110 is detected, support for the IPv6 address family is generated
111 in addition to the default support of the IPv4 address family.
112 In a few cases, including the
119 IPv6 addresses are automatically generated.
120 IPv6 addresses can be identified by the presence of colons
122 in the address field.
123 IPv6 addresses can be used almost everywhere where
124 IPv4 addresses can be used,
125 with the exception of reference clock addresses,
126 which are always IPv4.
128 Note that in contexts where a host name is expected, a
131 the host name forces DNS resolution to the IPv4 namespace,
134 qualifier forces DNS resolution to the IPv6 namespace.
135 See IPv6 references for the
136 equivalent classes for that address family.
137 .Bl -tag -width indent
138 .It Xo Ic pool Ar address
141 .Op Cm version Ar version
143 .Op Cm minpoll Ar minpoll
144 .Op Cm maxpoll Ar maxpoll
146 .It Xo Ic server Ar address
147 .Op Cm key Ar key \&| Cm autokey
150 .Op Cm version Ar version
152 .Op Cm minpoll Ar minpoll
153 .Op Cm maxpoll Ar maxpoll
156 .It Xo Ic peer Ar address
157 .Op Cm key Ar key \&| Cm autokey
158 .Op Cm version Ar version
160 .Op Cm minpoll Ar minpoll
161 .Op Cm maxpoll Ar maxpoll
165 .It Xo Ic broadcast Ar address
166 .Op Cm key Ar key \&| Cm autokey
167 .Op Cm version Ar version
169 .Op Cm minpoll Ar minpoll
173 .It Xo Ic manycastclient Ar address
174 .Op Cm key Ar key \&| Cm autokey
175 .Op Cm version Ar version
177 .Op Cm minpoll Ar minpoll
178 .Op Cm maxpoll Ar maxpoll
183 These five commands specify the time server name or address to
184 be used and the mode in which to operate.
188 either a DNS name or an IP address in dotted\-quad notation.
189 Additional information on association behavior can be found in the
190 .Qq Association Management
192 (available as part of the HTML documentation
194 .Pa /usr/share/doc/ntp ) .
195 .Bl -tag -width indent
197 For type s addresses, this command mobilizes a persistent
198 client mode association with a number of remote servers.
199 In this mode the local clock can be synchronized to the
200 remote server, but the remote server can never be synchronized to
203 For type s and r addresses, this command mobilizes a persistent
204 client mode association with the specified remote server or local
206 In this mode the local clock can synchronized to the
207 remote server, but the remote server can never be synchronized to
214 For type s addresses (only), this command mobilizes a
215 persistent symmetric\-active mode association with the specified
217 In this mode the local clock can be synchronized to
218 the remote peer or the remote peer can be synchronized to the local
220 This is useful in a network of servers where, depending on
221 various failure scenarios, either the local or remote peer may be
222 the better source of time.
223 This command should NOT be used for type
226 For type b and m addresses (only), this
227 command mobilizes a persistent broadcast mode association.
229 commands can be used to specify multiple local broadcast interfaces
230 (subnets) and/or multiple multicast groups.
232 broadcast messages go only to the interface associated with the
233 subnet specified, but multicast messages go to all interfaces.
234 In broadcast mode the local server sends periodic broadcast
235 messages to a client population at the
237 specified, which is usually the broadcast address on (one of) the
238 local network(s) or a multicast address assigned to NTP.
240 has assigned the multicast group address IPv4 224.0.1.1 and
241 IPv6 ff05::101 (site local) exclusively to
242 NTP, but other nonconflicting addresses can be used to contain the
243 messages within administrative boundaries.
245 specification applies only to the local server operating as a
246 sender; for operation as a broadcast client, see the
252 .It Ic manycastclient
253 For type m addresses (only), this command mobilizes a
254 manycast client mode association for the multicast address
256 In this case a specific address must be supplied which
257 matches the address used on the
260 the designated manycast servers.
261 The NTP multicast address
262 224.0.1.1 assigned by the IANA should NOT be used, unless specific
263 means are taken to avoid spraying large areas of the Internet with
264 these messages and causing a possibly massive implosion of replies
268 command specifies that the local server
269 is to operate in client mode with the remote servers that are
270 discovered as the result of broadcast/multicast messages.
272 client broadcasts a request message to the group address associated
275 and specifically enabled
276 servers respond to these messages.
277 The client selects the servers
278 providing the best time and continues as with the
281 The remaining servers are discarded as if never
286 .Bl -tag -width indent
288 All packets sent to and received from the server or peer are to
289 include authentication fields encrypted using the autokey scheme
291 .Sx Authentication Options .
293 when the server is reachable, send a burst of eight packets
294 instead of the usual one.
295 The packet spacing is normally 2 s;
296 however, the spacing between the first and second packets
297 can be changed with the
300 additional time for a modem or ISDN call to complete.
301 This is designed to improve timekeeping quality
304 command and s addresses.
306 When the server is unreachable, send a burst of eight packets
307 instead of the usual one.
308 The packet spacing is normally 2 s;
309 however, the spacing between the first two packets can be
313 additional time for a modem or ISDN call to complete.
314 This is designed to speed the initial synchronization
317 command and s addresses and when
323 All packets sent to and received from the server or peer are to
324 include authentication fields encrypted using the specified
326 identifier with values from 1 to 65534, inclusive.
328 default is to include no encryption field.
329 .It Cm minpoll Ar minpoll
330 .It Cm maxpoll Ar maxpoll
331 These options specify the minimum and maximum poll intervals
332 for NTP messages, as a power of 2 in seconds
334 interval defaults to 10 (1,024 s), but can be increased by the
336 option to an upper limit of 17 (36.4 h).
338 minimum poll interval defaults to 6 (64 s), but can be decreased by
341 option to a lower limit of 4 (16 s).
343 Marks the server as unused, except for display purposes.
344 The server is discarded by the selection algroithm.
346 Says the association can be preempted.
348 Marks the server as a truechimer.
349 Use this option only for testing.
351 Marks the server as preferred.
352 All other things being equal,
353 this host will be chosen for synchronization among a set of
354 correctly operating hosts.
356 .Qq Mitigation Rules and the prefer Keyword
358 (available as part of the HTML documentation
360 .Pa /usr/share/doc/ntp )
361 for further information.
363 Forces the association to always survive the selection and clustering algorithms.
364 This option should almost certainly
366 be used while testing an association.
368 This option is used only with broadcast server and manycast
370 It specifies the time\-to\-live
373 use on broadcast server and multicast server and the maximum
375 for the expanding ring search with manycast
377 Selection of the proper value, which defaults to
378 127, is something of a black art and should be coordinated with the
379 network administrator.
380 .It Cm version Ar version
381 Specifies the version number to be used for outgoing NTP
383 Versions 1\-4 are the choices, with version 4 the
390 modes only, this flag enables interleave mode.
392 .Ss Auxiliary Commands
393 .Bl -tag -width indent
394 .It Ic broadcastclient
395 This command enables reception of broadcast server messages to
396 any local interface (type b) address.
397 Upon receiving a message for
398 the first time, the broadcast client measures the nominal server
399 propagation delay using a brief client/server exchange with the
400 server, then enters the broadcast client mode, in which it
401 synchronizes to succeeding broadcast messages.
403 to avoid accidental or malicious disruption in this mode, both the
404 server and client should operate using symmetric\-key or public\-key
405 authentication as described in
406 .Sx Authentication Options .
407 .It Ic manycastserver Ar address ...
408 This command enables reception of manycast client messages to
409 the multicast group address(es) (type m) specified.
411 address is required, but the NTP multicast address 224.0.1.1
412 assigned by the IANA should NOT be used, unless specific means are
413 taken to limit the span of the reply and avoid a possibly massive
414 implosion at the original sender.
415 Note that, in order to avoid
416 accidental or malicious disruption in this mode, both the server
417 and client should operate using symmetric\-key or public\-key
418 authentication as described in
419 .Sx Authentication Options .
420 .It Ic multicastclient Ar address ...
421 This command enables reception of multicast server messages to
422 the multicast group address(es) (type m) specified.
424 a message for the first time, the multicast client measures the
425 nominal server propagation delay using a brief client/server
426 exchange with the server, then enters the broadcast client mode, in
427 which it synchronizes to succeeding multicast messages.
429 in order to avoid accidental or malicious disruption in this mode,
430 both the server and client should operate using symmetric\-key or
431 public\-key authentication as described in
432 .Sx Authentication Options .
433 .It Ic mdnstries Ar number
434 If we are participating in mDNS,
435 after we have synched for the first time
436 we attempt to register with the mDNS system.
437 If that registration attempt fails,
438 we try again at one minute intervals for up to
443 may be starting before mDNS.
444 The default value for
448 .Sh Authentication Support
449 Authentication support allows the NTP client to verify that the
450 server is in fact known and trusted and not an intruder intending
451 accidentally or on purpose to masquerade as that server.
453 specification RFC\-1305 defines a scheme which provides
454 cryptographic authentication of received NTP packets.
456 this was done using the Data Encryption Standard (DES) algorithm
457 operating in Cipher Block Chaining (CBC) mode, commonly called
459 Subsequently, this was replaced by the RSA Message Digest
460 5 (MD5) algorithm using a private key, commonly called keyed\-MD5.
461 Either algorithm computes a message digest, or one\-way hash, which
462 can be used to verify the server has the correct private key and
465 NTPv4 retains the NTPv3 scheme, properly described as symmetric key
466 cryptography and, in addition, provides a new Autokey scheme
467 based on public key cryptography.
468 Public key cryptography is generally considered more secure
469 than symmetric key cryptography, since the security is based
470 on a private value which is generated by each server and
472 With Autokey all key distribution and
473 management functions involve only public values, which
474 considerably simplifies key distribution and storage.
475 Public key management is based on X.509 certificates,
476 which can be provided by commercial services or
477 produced by utility programs in the OpenSSL software library
478 or the NTPv4 distribution.
480 While the algorithms for symmetric key cryptography are
481 included in the NTPv4 distribution, public key cryptography
482 requires the OpenSSL software library to be installed
483 before building the NTP distribution.
484 Directions for doing that
485 are on the Building and Installing the Distribution page.
487 Authentication is configured separately for each association
498 configuration commands as described in
499 .Sx Configuration Options
502 options described below specify the locations of the key files,
503 if other than default, which symmetric keys are trusted
504 and the interval between various operations, if other than default.
506 Authentication is always enabled,
507 although ineffective if not configured as
509 If a NTP packet arrives
510 including a message authentication
511 code (MAC), it is accepted only if it
512 passes all cryptographic checks.
514 checks require correct key ID, key value
517 been modified in any way or replayed
518 by an intruder, it will fail one or more
519 of these checks and be discarded.
520 Furthermore, the Autokey scheme requires a
521 preliminary protocol exchange to obtain
522 the server certificate, verify its
523 credentials and initialize the protocol
527 flag controls whether new associations or
528 remote configuration commands require cryptographic authentication.
529 This flag can be set or reset by the
533 commands and also by remote
534 configuration commands sent by a
538 If this flag is enabled, which is the default
539 case, new broadcast client and symmetric passive associations and
540 remote configuration commands must be cryptographically
541 authenticated using either symmetric key or public key cryptography.
543 flag is disabled, these operations are effective
544 even if not cryptographic
546 It should be understood
547 that operating with the
549 flag disabled invites a significant vulnerability
550 where a rogue hacker can
551 masquerade as a falseticker and seriously
552 disrupt system timekeeping.
554 important to note that this flag has no purpose
555 other than to allow or disallow
556 a new association in response to new broadcast
557 and symmetric active messages
558 and remote configuration commands and, in particular,
559 the flag has no effect on
560 the authentication process itself.
562 An attractive alternative where multicast support is available
563 is manycast mode, in which clients periodically troll
564 for servers as described in the
565 .Sx Automatic NTP Configuration Options
567 Either symmetric key or public key
568 cryptographic authentication can be used in this mode.
569 The principle advantage
570 of manycast mode is that potential servers need not be
571 configured in advance,
572 since the client finds them during regular operation,
573 and the configuration
574 files for all clients can be identical.
576 The security model and protocol schemes for
577 both symmetric key and public key
578 cryptography are summarized below;
579 further details are in the briefings, papers
580 and reports at the NTP project page linked from
581 .Li http://www.ntp.org/ .
582 .Ss Symmetric\-Key Cryptography
583 The original RFC\-1305 specification allows any one of possibly
584 65,534 keys, each distinguished by a 32\-bit key identifier, to
585 authenticate an association.
586 The servers and clients involved must
587 agree on the key and key identifier to
588 authenticate NTP packets.
590 related information are specified in a key
593 which must be distributed and stored using
594 secure means beyond the scope of the NTP protocol itself.
595 Besides the keys used
596 for ordinary NTP associations,
597 additional keys can be used as passwords for the
605 is first started, it reads the key file specified in the
607 configuration command and installs the keys
610 individual keys must be activated with the
614 allows, for instance, the installation of possibly
615 several batches of keys and
616 then activating or deactivating each batch
619 This also provides a revocation capability that can be used
620 if a key becomes compromised.
623 command selects the key used as the password for the
627 command selects the key used as the password for the
630 .Ss Public Key Cryptography
631 NTPv4 supports the original NTPv3 symmetric key scheme
632 described in RFC\-1305 and in addition the Autokey protocol,
633 which is based on public key cryptography.
634 The Autokey Version 2 protocol described on the Autokey Protocol
635 page verifies packet integrity using MD5 message digests
636 and verifies the source with digital signatures and any of several
637 digest/signature schemes.
638 Optional identity schemes described on the Identity Schemes
639 page and based on cryptographic challenge/response algorithms
641 Using all of these schemes provides strong security against
642 replay with or without modification, spoofing, masquerade
643 and most forms of clogging attacks.
645 .\" The cryptographic means necessary for all Autokey operations
646 .\" is provided by the OpenSSL software library.
647 .\" This library is available from http://www.openssl.org/
648 .\" and can be installed using the procedures outlined
649 .\" in the Building and Installing the Distribution page.
651 .\" the configure and build
652 .\" process automatically detects the library and links
653 .\" the library routines required.
655 The Autokey protocol has several modes of operation
656 corresponding to the various NTP modes supported.
657 Most modes use a special cookie which can be
658 computed independently by the client and server,
659 but encrypted in transmission.
660 All modes use in addition a variant of the S\-KEY scheme,
661 in which a pseudo\-random key list is generated and used
663 These schemes are described along with an executive summary,
664 current status, briefing slides and reading list on the
665 .Sx Autonomous Authentication
668 The specific cryptographic environment used by Autokey servers
669 and clients is determined by a set of files
670 and soft links generated by the
671 .Xr ntp\-keygen 1ntpkeygenmdoc
673 This includes a required host key file,
674 required certificate file and optional sign key file,
675 leapsecond file and identity scheme files.
677 digest/signature scheme is specified in the X.509 certificate
678 along with the matching sign key.
679 There are several schemes
680 available in the OpenSSL software library, each identified
681 by a specific string such as
682 .Cm md5WithRSAEncryption ,
683 which stands for the MD5 message digest with RSA
685 The current NTP distribution supports
686 all the schemes in the OpenSSL library, including
687 those based on RSA and DSA digital signatures.
689 NTP secure groups can be used to define cryptographic compartments
690 and security hierarchies.
691 It is important that every host
692 in the group be able to construct a certificate trail to one
693 or more trusted hosts in the same group.
695 host runs the Autokey protocol to obtain the certificates
696 for all hosts along the trail to one or more trusted hosts.
697 This requires the configuration file in all hosts to be
698 engineered so that, even under anticipated failure conditions,
699 the NTP subnet will form such that every group host can find
700 a trail to at least one trusted host.
701 .Ss Naming and Addressing
702 It is important to note that Autokey does not use DNS to
703 resolve addresses, since DNS can't be completely trusted
704 until the name servers have synchronized clocks.
705 The cryptographic name used by Autokey to bind the host identity
706 credentials and cryptographic values must be independent
707 of interface, network and any other naming convention.
708 The name appears in the host certificate in either or both
709 the subject and issuer fields, so protection against
710 DNS compromise is essential.
712 By convention, the name of an Autokey host is the name returned
715 system call or equivalent in other systems.
717 model, there are no provisions to allow alternate names or aliases.
718 However, this is not to say that DNS aliases, different names
719 for each interface, etc., are constrained in any way.
721 It is also important to note that Autokey verifies authenticity
722 using the host name, network address and public keys,
723 all of which are bound together by the protocol specifically
724 to deflect masquerade attacks.
725 For this reason Autokey
726 includes the source and destination IP addresses in message digest
727 computations and so the same addresses must be available
728 at both the server and client.
729 For this reason operation
730 with network address translation schemes is not possible.
731 This reflects the intended robust security model where government
732 and corporate NTP servers are operated outside firewall perimeters.
734 A specific combination of authentication scheme (none,
735 symmetric key, public key) and identity scheme is called
736 a cryptotype, although not all combinations are compatible.
737 There may be management configurations where the clients,
738 servers and peers may not all support the same cryptotypes.
739 A secure NTPv4 subnet can be configured in many ways while
740 keeping in mind the principles explained above and
742 Note however that some cryptotype
743 combinations may successfully interoperate with each other,
744 but may not represent good security practice.
746 The cryptotype of an association is determined at the time
747 of mobilization, either at configuration time or some time
748 later when a message of appropriate cryptotype arrives.
753 configuration command and no
757 subcommands are present, the association is not
758 authenticated; if the
760 subcommand is present, the association is authenticated
761 using the symmetric key ID specified; if the
763 subcommand is present, the association is authenticated
766 When multiple identity schemes are supported in the Autokey
767 protocol, the first message exchange determines which one is used.
768 The client request message contains bits corresponding
769 to which schemes it has available.
770 The server response message
771 contains bits corresponding to which schemes it has available.
772 Both server and client match the received bits with their own
773 and select a common scheme.
775 Following the principle that time is a public value,
776 a server responds to any client packet that matches
777 its cryptotype capabilities.
778 Thus, a server receiving
779 an unauthenticated packet will respond with an unauthenticated
780 packet, while the same server receiving a packet of a cryptotype
781 it supports will respond with packets of that cryptotype.
782 However, unconfigured broadcast or manycast client
783 associations or symmetric passive associations will not be
784 mobilized unless the server supports a cryptotype compatible
785 with the first packet received.
786 By default, unauthenticated associations will not be mobilized
787 unless overridden in a decidedly dangerous way.
789 Some examples may help to reduce confusion.
790 Client Alice has no specific cryptotype selected.
791 Server Bob has both a symmetric key file and minimal Autokey files.
792 Alice's unauthenticated messages arrive at Bob, who replies with
793 unauthenticated messages.
794 Cathy has a copy of Bob's symmetric
795 key file and has selected key ID 4 in messages to Bob.
796 Bob verifies the message with his key ID 4.
798 same key and the message is verified, Bob sends Cathy a reply
799 authenticated with that key.
800 If verification fails,
801 Bob sends Cathy a thing called a crypto\-NAK, which tells her
803 She can see the evidence using the
807 Denise has rolled her own host key and certificate.
808 She also uses one of the identity schemes as Bob.
809 She sends the first Autokey message to Bob and they
810 both dance the protocol authentication and identity steps.
811 If all comes out okay, Denise and Bob continue as described above.
813 It should be clear from the above that Bob can support
814 all the girls at the same time, as long as he has compatible
815 authentication and identity credentials.
816 Now, Bob can act just like the girls in his own choice of servers;
817 he can run multiple configured associations with multiple different
818 servers (or the same server, although that might not be useful).
819 But, wise security policy might preclude some cryptotype
820 combinations; for instance, running an identity scheme
821 with one server and no authentication with another might not be wise.
823 The cryptographic values used by the Autokey protocol are
824 incorporated as a set of files generated by the
825 .Xr ntp\-keygen 1ntpkeygenmdoc
826 utility program, including symmetric key, host key and
827 public certificate files, as well as sign key, identity parameters
828 and leapseconds files.
829 Alternatively, host and sign keys and
830 certificate files can be generated by the OpenSSL utilities
831 and certificates can be imported from public certificate
833 Note that symmetric keys are necessary for the
838 The remaining files are necessary only for the
841 Certificates imported from OpenSSL or public certificate
842 authorities have certian limitations.
843 The certificate should be in ASN.1 syntax, X.509 Version 3
844 format and encoded in PEM, which is the same format
846 The overall length of the certificate encoded
847 in ASN.1 must not exceed 1024 bytes.
848 The subject distinguished
849 name field (CN) is the fully qualified name of the host
850 on which it is used; the remaining subject fields are ignored.
851 The certificate extension fields must not contain either
852 a subject key identifier or a issuer key identifier field;
853 however, an extended key usage field for a trusted host must
856 Other extension fields are ignored.
857 .Ss Authentication Commands
858 .Bl -tag -width indent
859 .It Ic autokey Op Ar logsec
860 Specifies the interval between regenerations of the session key
861 list used with the Autokey protocol.
862 Note that the size of the key
863 list for each association depends on this interval and the current
865 The default value is 12 (4096 s or about 1.1 hours).
866 For poll intervals above the specified interval, a session key list
867 with a single entry will be regenerated for every message
869 .It Ic controlkey Ar key
870 Specifies the key identifier to use with the
872 utility, which uses the standard
873 protocol defined in RFC\-1305.
877 the key identifier for a trusted key, where the value can be in the
878 range 1 to 65,534, inclusive.
882 .Op Cm randfile Ar file
887 .Op Cm iffpar Ar file
889 .Op Cm pw Ar password
891 This command requires the OpenSSL library.
892 It activates public key
893 cryptography, selects the message digest and signature
894 encryption scheme and loads the required private and public
895 values described above.
896 If one or more files are left unspecified,
897 the default names are used as described above.
898 Unless the complete path and name of the file are specified, the
899 location of a file is relative to the keys directory specified
904 Following are the subcommands:
905 .Bl -tag -width indent
907 Specifies the location of the required host public certificate file.
908 This overrides the link
909 .Pa ntpkey_cert_ Ns Ar hostname
910 in the keys directory.
912 Specifies the location of the optional GQ parameters file.
915 .Pa ntpkey_gq_ Ns Ar hostname
916 in the keys directory.
918 Specifies the location of the required host key file.
921 .Pa ntpkey_key_ Ns Ar hostname
922 in the keys directory.
923 .It Cm iffpar Ar file
924 Specifies the location of the optional IFF parameters file.
925 This overrides the link
926 .Pa ntpkey_iff_ Ns Ar hostname
927 in the keys directory.
929 Specifies the location of the optional leapsecond file.
930 This overrides the link
932 in the keys directory.
934 Specifies the location of the optional MV parameters file.
935 This overrides the link
936 .Pa ntpkey_mv_ Ns Ar hostname
937 in the keys directory.
938 .It Cm pw Ar password
939 Specifies the password to decrypt files containing private keys and
941 This is required only if these files have been
943 .It Cm randfile Ar file
944 Specifies the location of the random seed file used by the OpenSSL
946 The defaults are described in the main text above.
948 Specifies the location of the optional sign key file.
951 .Pa ntpkey_sign_ Ns Ar hostname
952 in the keys directory.
954 not found, the host key is also the sign key.
956 .It Ic keys Ar keyfile
957 Specifies the complete path and location of the MD5 key file
958 containing the keys and key identifiers used by
963 when operating with symmetric key cryptography.
964 This is the same operation as the
967 .It Ic keysdir Ar path
968 This command specifies the default directory path for
969 cryptographic keys, parameters and certificates.
971 .Pa /usr/local/etc/ .
972 .It Ic requestkey Ar key
973 Specifies the key identifier to use with the
975 utility program, which uses a
976 proprietary protocol specific to this implementation of
980 argument is a key identifier
981 for the trusted key, where the value can be in the range 1 to
983 .It Ic revoke Ar logsec
984 Specifies the interval between re\-randomization of certain
985 cryptographic values used by the Autokey scheme, as a power of 2 in
987 These values need to be updated frequently in order to
988 deflect brute\-force attacks on the algorithms of the scheme;
989 however, updating some values is a relatively expensive operation.
990 The default interval is 16 (65,536 s or about 18 hours).
992 intervals above the specified interval, the values will be updated
993 for every message sent.
994 .It Ic trustedkey Ar key ...
995 Specifies the key identifiers which are trusted for the
996 purposes of authenticating peers with symmetric key cryptography,
997 as well as keys used by the
1002 The authentication procedures require that both the local
1003 and remote servers share the same key and key identifier for this
1004 purpose, although different keys can be used with different
1008 arguments are 32\-bit unsigned
1009 integers with values from 1 to 65,534.
1012 The following error codes are reported via the NTP control
1013 and monitoring protocol trap mechanism.
1014 .Bl -tag -width indent
1016 .Pq bad field format or length
1017 The packet has invalid version, length or format.
1020 The packet timestamp is the same or older than the most recent received.
1021 This could be due to a replay or a server clock time step.
1024 The packet filestamp is the same or older than the most recent received.
1025 This could be due to a replay or a key file generation error.
1027 .Pq bad or missing public key
1028 The public key is missing, has incorrect format or is an unsupported type.
1030 .Pq unsupported digest type
1031 The server requires an unsupported digest/signature scheme.
1033 .Pq mismatched digest types
1036 .Pq bad signature length
1037 The signature length does not match the current public key.
1039 .Pq signature not verified
1040 The message fails the signature check.
1041 It could be bogus or signed by a
1042 different private key.
1044 .Pq certificate not verified
1045 The certificate is invalid or signed with the wrong key.
1047 .Pq certificate not verified
1048 The certificate is not yet valid or has expired or the signature could not
1051 .Pq bad or missing cookie
1052 The cookie is missing, corrupted or bogus.
1054 .Pq bad or missing leapseconds table
1055 The leapseconds table is missing, corrupted or bogus.
1057 .Pq bad or missing certificate
1058 The certificate is missing, corrupted or bogus.
1060 .Pq bad or missing identity
1061 The identity key is missing, corrupt or bogus.
1063 .Sh Monitoring Support
1065 includes a comprehensive monitoring facility suitable
1066 for continuous, long term recording of server and client
1067 timekeeping performance.
1071 for a listing and example of each type of statistics currently
1073 Statistic files are managed using file generation sets
1076 directory of the source code distribution.
1078 these facilities and
1081 jobs, the data can be
1082 automatically summarized and archived for retrospective analysis.
1083 .Ss Monitoring Commands
1084 .Bl -tag -width indent
1085 .It Ic statistics Ar name ...
1086 Enables writing of statistics records.
1087 Currently, eight kinds of
1089 statistics are supported.
1090 .Bl -tag -width indent
1092 Enables recording of clock driver statistics information.
1094 received from a clock driver appends a line of the following form to
1095 the file generation set named
1098 49213 525.624 127.127.4.1 93 226 00:08:29.606 D
1101 The first two fields show the date (Modified Julian Day) and time
1102 (seconds and fraction past UTC midnight).
1103 The next field shows the
1104 clock address in dotted\-quad notation.
1105 The final field shows the last
1106 timecode received from the clock in decoded ASCII format, where
1108 In some clock drivers a good deal of additional information
1109 can be gathered and displayed as well.
1110 See information specific to each
1111 clock for further details.
1113 This option requires the OpenSSL cryptographic software library.
1115 enables recording of cryptographic public key protocol information.
1116 Each message received by the protocol module appends a line of the
1117 following form to the file generation set named
1120 49213 525.624 127.127.4.1 message
1123 The first two fields show the date (Modified Julian Day) and time
1124 (seconds and fraction past UTC midnight).
1125 The next field shows the peer
1126 address in dotted\-quad notation, The final message field includes the
1127 message type and certain ancillary information.
1129 .Sx Authentication Options
1130 section for further information.
1132 Enables recording of loop filter statistics information.
1134 update of the local clock outputs a line of the following form to
1135 the file generation set named
1138 50935 75440.031 0.000006019 13.778190 0.000351733 0.0133806
1141 The first two fields show the date (Modified Julian Day) and
1142 time (seconds and fraction past UTC midnight).
1143 The next five fields
1144 show time offset (seconds), frequency offset (parts per million \-
1145 PPM), RMS jitter (seconds), Allan deviation (PPM) and clock
1146 discipline time constant.
1148 Enables recording of peer statistics information.
1150 statistics records of all peers of a NTP server and of special
1151 signals, where present and configured.
1152 Each valid update appends a
1153 line of the following form to the current element of a file
1154 generation set named
1157 48773 10847.650 127.127.4.1 9714 \-0.001605376 0.000000000 0.001424877 0.000958674
1160 The first two fields show the date (Modified Julian Day) and
1161 time (seconds and fraction past UTC midnight).
1163 show the peer address in dotted\-quad notation and status,
1165 The status field is encoded in hex in the format
1166 described in Appendix A of the NTP specification RFC 1305.
1167 The final four fields show the offset,
1168 delay, dispersion and RMS jitter, all in seconds.
1170 Enables recording of raw\-timestamp statistics information.
1172 includes statistics records of all peers of a NTP server and of
1173 special signals, where present and configured.
1175 received from a peer or clock driver appends a line of the
1176 following form to the file generation set named
1179 50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000
1182 The first two fields show the date (Modified Julian Day) and
1183 time (seconds and fraction past UTC midnight).
1185 show the remote peer or clock address followed by the local address
1186 in dotted\-quad notation.
1187 The final four fields show the originate,
1188 receive, transmit and final NTP timestamps in order.
1190 values are as received and before processing by the various data
1191 smoothing and mitigation algorithms.
1193 Enables recording of ntpd statistics counters on a periodic basis.
1195 hour a line of the following form is appended to the file generation
1199 50928 2132.543 36000 81965 0 9546 56 71793 512 540 10 147
1202 The first two fields show the date (Modified Julian Day) and time
1203 (seconds and fraction past UTC midnight).
1204 The remaining ten fields show
1205 the statistics counter values accumulated since the last generated
1207 .Bl -tag -width indent
1208 .It Time since restart Cm 36000
1209 Time in hours since the system was last rebooted.
1210 .It Packets received Cm 81965
1211 Total number of packets received.
1212 .It Packets processed Cm 0
1213 Number of packets received in response to previous packets sent
1214 .It Current version Cm 9546
1215 Number of packets matching the current NTP version.
1216 .It Previous version Cm 56
1217 Number of packets matching the previous NTP version.
1218 .It Bad version Cm 71793
1219 Number of packets matching neither NTP version.
1220 .It Access denied Cm 512
1221 Number of packets denied access for any reason.
1222 .It Bad length or format Cm 540
1223 Number of packets with invalid length, format or port number.
1224 .It Bad authentication Cm 10
1225 Number of packets not verified as authentic.
1226 .It Rate exceeded Cm 147
1227 Number of packets discarded due to rate limitation.
1229 .It Cm statsdir Ar directory_path
1230 Indicates the full path of a directory where statistics files
1231 should be created (see below).
1233 the (otherwise constant)
1235 filename prefix to be modified for file generation sets, which
1236 is useful for handling statistics logs.
1237 .It Cm filegen Ar name Xo
1238 .Op Cm file Ar filename
1239 .Op Cm type Ar typename
1240 .Op Cm link | nolink
1241 .Op Cm enable | disable
1243 Configures setting of generation file set name.
1245 file sets provide a means for handling files that are
1246 continuously growing during the lifetime of a server.
1247 Server statistics are a typical example for such files.
1248 Generation file sets provide access to a set of files used
1249 to store the actual data.
1250 At any time at most one element
1251 of the set is being written to.
1252 The type given specifies
1253 when and how data will be directed to a new element of the set.
1254 This way, information stored in elements of a file set
1255 that are currently unused are available for administrational
1256 operations without the risk of disturbing the operation of ntpd.
1257 (Most important: they can be removed to free space for new data
1260 Note that this command can be sent from the
1262 program running at a remote location.
1263 .Bl -tag -width indent
1265 This is the type of the statistics records, as shown in the
1268 .It Cm file Ar filename
1269 This is the file name for the statistics records.
1271 members are built from three concatenated elements
1276 .Bl -tag -width indent
1278 This is a constant filename path.
1279 It is not subject to
1280 modifications via the
1283 It is defined by the
1284 server, usually specified as a compile\-time constant.
1286 however, be configurable for individual file generation sets
1288 For example, the prefix used with
1292 generation can be configured using the
1294 option explained above.
1296 This string is directly concatenated to the prefix mentioned
1297 above (no intervening
1299 This can be modified using
1300 the file argument to the
1306 allowed in this component to prevent filenames referring to
1307 parts outside the filesystem hierarchy denoted by
1310 This part is reflects individual elements of a file set.
1312 generated according to the type of a file set.
1314 .It Cm type Ar typename
1315 A file generation set is characterized by its type.
1317 types are supported:
1318 .Bl -tag -width indent
1320 The file set is actually a single plain file.
1322 One element of file set is used per incarnation of a ntpd
1324 This type does not perform any changes to file set
1325 members during runtime, however it provides an easy way of
1326 separating files belonging to different
1328 server incarnations.
1329 The set member filename is built by appending a
1336 appending the decimal representation of the process ID of the
1340 One file generation set element is created per day.
1342 defined as the period between 00:00 and 24:00 UTC.
1344 member suffix consists of a
1346 and a day specification in
1350 is a 4\-digit year number (e.g., 1992).
1352 is a two digit month number.
1354 is a two digit day number.
1355 Thus, all information written at 10 December 1992 would end up
1358 .Ar filename Ns .19921210 .
1360 Any file set member contains data related to a certain week of
1362 The term week is defined by computing day\-of\-year
1364 Elements of such a file generation set are
1365 distinguished by appending the following suffix to the file set
1366 filename base: A dot, a 4\-digit year number, the letter
1368 and a 2\-digit week number.
1369 For example, information from January,
1370 10th 1992 would end up in a file with suffix
1371 .No . Ns Ar 1992W1 .
1373 One generation file set element is generated per month.
1375 file name suffix consists of a dot, a 4\-digit year number, and
1378 One generation file element is generated per year.
1380 suffix consists of a dot and a 4 digit year number.
1382 This type of file generation sets changes to a new element of
1383 the file set every 24 hours of server operation.
1385 suffix consists of a dot, the letter
1387 and an 8\-digit number.
1388 This number is taken to be the number of seconds the server is
1389 running at the start of the corresponding 24\-hour period.
1390 Information is only written to a file generation by specifying
1392 output is prevented by specifying
1395 .It Cm link | nolink
1396 It is convenient to be able to access the current element of a file
1397 generation set by a fixed name.
1398 This feature is enabled by
1403 If link is specified, a
1404 hard link from the current file set element to a file without
1406 When there is already a file with this name and
1407 the number of links of this file is one, it is renamed appending a
1414 number of links is greater than one, the file is unlinked.
1416 allows the current file to be accessed by a constant name.
1417 .It Cm enable \&| Cm disable
1418 Enables or disables the recording function.
1422 .Sh Access Control Support
1425 daemon implements a general purpose address/mask based restriction
1427 The list contains address/match entries sorted first
1428 by increasing address values and and then by increasing mask values.
1429 A match occurs when the bitwise AND of the mask and the packet
1430 source address is equal to the bitwise AND of the mask and
1431 address in the list.
1432 The list is searched in order with the
1433 last match found defining the restriction flags associated
1435 Additional information and examples can be found in the
1436 .Qq Notes on Configuring NTP and Setting up a NTP Subnet
1438 (available as part of the HTML documentation
1440 .Pa /usr/share/doc/ntp ) .
1442 The restriction facility was implemented in conformance
1443 with the access policies for the original NSFnet backbone
1445 Later the facility was expanded to deflect
1446 cryptographic and clogging attacks.
1447 While this facility may
1448 be useful for keeping unwanted or broken or malicious clients
1449 from congesting innocent servers, it should not be considered
1450 an alternative to the NTP authentication facilities.
1451 Source address based restrictions are easily circumvented
1452 by a determined cracker.
1454 Clients can be denied service because they are explicitly
1455 included in the restrict list created by the
1458 or implicitly as the result of cryptographic or rate limit
1460 Cryptographic violations include certificate
1461 or identity verification failure; rate limit violations generally
1462 result from defective NTP implementations that send packets
1464 Some violations cause denied service
1465 only for the offending packet, others cause denied service
1466 for a timed period and others cause the denied service for
1467 an indefinite period.
1468 When a client or network is denied access
1469 for an indefinite period, the only way at present to remove
1470 the restrictions is by restarting the server.
1471 .Ss The Kiss\-of\-Death Packet
1472 Ordinarily, packets denied service are simply dropped with no
1473 further action except incrementing statistics counters.
1475 more proactive response is needed, such as a server message that
1476 explicitly requests the client to stop sending and leave a message
1477 for the system operator.
1478 A special packet format has been created
1479 for this purpose called the "kiss\-of\-death" (KoD) packet.
1480 KoD packets have the leap bits set unsynchronized and stratum set
1481 to zero and the reference identifier field set to a four\-byte
1487 flag of the matching restrict list entry is set,
1488 the code is "DENY"; if the
1490 flag is set and the rate limit
1491 is exceeded, the code is "RATE".
1492 Finally, if a cryptographic violation occurs, the code is "CRYP".
1494 A client receiving a KoD performs a set of sanity checks to
1495 minimize security exposure, then updates the stratum and
1496 reference identifier peer variables, sets the access
1497 denied (TEST4) bit in the peer flash variable and sends
1498 a message to the log.
1499 As long as the TEST4 bit is set,
1500 the client will send no further packets to the server.
1501 The only way at present to recover from this condition is
1502 to restart the protocol at both the client and server.
1504 happens automatically at the client when the association times out.
1505 It will happen at the server only if the server operator cooperates.
1506 .Ss Access Control Commands
1507 .Bl -tag -width indent
1509 .Op Cm average Ar avg
1510 .Op Cm minimum Ar min
1511 .Op Cm monitor Ar prob
1513 Set the parameters of the
1515 facility which protects the server from
1519 subcommand specifies the minimum average packet
1522 subcommand specifies the minimum packet spacing.
1523 Packets that violate these minima are discarded
1524 and a kiss\-o'\-death packet returned if enabled.
1526 minimum average and minimum are 5 and 2, respectively.
1529 subcommand specifies the probability of discard
1530 for packets that overflow the rate\-control window.
1531 .It Xo Ic restrict address
1537 argument expressed in
1538 dotted\-quad form is the address of a host or network.
1541 argument can be a valid host DNS name.
1544 argument expressed in dotted\-quad form defaults to
1545 .Cm 255.255.255.255 ,
1548 is treated as the address of an individual host.
1549 A default entry (address
1553 is always included and is always the first entry in the list.
1554 Note that text string
1556 with no mask option, may
1557 be used to indicate the default entry.
1558 In the current implementation,
1561 restricts access, i.e., an entry with no flags indicates that free
1562 access to the server is to be given.
1563 The flags are not orthogonal,
1564 in that more restrictive flags will often make less restrictive
1566 The flags can generally be classed into two
1567 categories, those which restrict time service and those which
1568 restrict informational queries and attempts to do run\-time
1569 reconfiguration of the server.
1570 One or more of the following flags
1572 .Bl -tag -width indent
1574 Deny packets of all kinds, including
1580 If this flag is set when an access violation occurs, a kiss\-o'\-death
1581 (KoD) packet is sent.
1582 KoD packets are rate limited to no more than one
1584 If another KoD packet occurs within one second after the
1585 last one, the packet is dropped.
1587 Deny service if the packet spacing violates the lower limits specified
1591 A history of clients is kept using the
1592 monitoring capability of
1594 Thus, monitoring is always active as
1595 long as there is a restriction entry with the
1599 Declare traps set by matching hosts to be low priority.
1601 number of traps a server can maintain is limited (the current limit
1603 Traps are usually assigned on a first come, first served
1604 basis, with later trap requestors being denied service.
1606 modifies the assignment algorithm by allowing low priority traps to
1607 be overridden by later requests for normal priority traps.
1613 queries which attempt to modify the state of the
1614 server (i.e., run time reconfiguration).
1615 Queries which return
1616 information are permitted.
1623 Time service is not affected.
1625 Deny packets which would result in mobilizing a new association.
1627 includes broadcast and symmetric active packets when a configured
1628 association does not exist.
1631 associations, so if you want to use servers from a
1633 directive and also want to use
1635 by default, you'll want a
1636 .Cm "restrict source ..." line as well that does
1642 Deny all packets except
1648 Decline to provide mode 6 control message trap service to matching
1650 The trap service is a subsystem of the
1653 protocol which is intended for use by remote event logging programs.
1655 Deny service unless the packet is cryptographically authenticated.
1657 This is actually a match algorithm modifier, rather than a
1659 Its presence causes the restriction entry to be
1660 matched only if the source port in the packet is the standard NTP
1670 is considered more specific and
1671 is sorted later in the list.
1673 Deny packets that do not match the current NTP version.
1676 Default restriction list entries with the flags ignore, interface,
1677 ntpport, for each of the local host's interface addresses are
1678 inserted into the table at startup to prevent the server
1679 from attempting to synchronize to its own time.
1680 A default entry is also always present, though if it is
1681 otherwise unconfigured; no flags are associated
1682 with the default entry (i.e., everything besides your own
1683 NTP server is unrestricted).
1685 .Sh Automatic NTP Configuration Options
1687 Manycasting is a automatic discovery and configuration paradigm
1689 It is intended as a means for a multicast client
1690 to troll the nearby network neighborhood to find cooperating
1691 manycast servers, validate them using cryptographic means
1692 and evaluate their time values with respect to other servers
1693 that might be lurking in the vicinity.
1694 The intended result is that each manycast client mobilizes
1695 client associations with some number of the "best"
1696 of the nearby manycast servers, yet automatically reconfigures
1697 to sustain this number of servers should one or another fail.
1699 Note that the manycasting paradigm does not coincide
1700 with the anycast paradigm described in RFC\-1546,
1701 which is designed to find a single server from a clique
1702 of servers providing the same service.
1703 The manycast paradigm is designed to find a plurality
1704 of redundant servers satisfying defined optimality criteria.
1706 Manycasting can be used with either symmetric key
1707 or public key cryptography.
1708 The public key infrastructure (PKI)
1709 offers the best protection against compromised keys
1710 and is generally considered stronger, at least with relatively
1712 It is implemented using the Autokey protocol and
1713 the OpenSSL cryptographic library available from
1714 .Li http://www.openssl.org/ .
1715 The library can also be used with other NTPv4 modes
1716 as well and is highly recommended, especially for broadcast modes.
1718 A persistent manycast client association is configured
1721 command, which is similar to the
1723 command but with a multicast (IPv4 class
1728 The IANA has designated IPv4 address 224.1.1.1
1729 and IPv6 address FF05::101 (site local) for NTP.
1730 When more servers are needed, it broadcasts manycast
1731 client messages to this address at the minimum feasible rate
1732 and minimum feasible time\-to\-live (TTL) hops, depending
1733 on how many servers have already been found.
1734 There can be as many manycast client associations
1735 as different group address, each one serving as a template
1736 for a future ephemeral unicast client/server association.
1738 Manycast servers configured with the
1740 command listen on the specified group address for manycast
1742 Note the distinction between manycast client,
1743 which actively broadcasts messages, and manycast server,
1744 which passively responds to them.
1745 If a manycast server is
1746 in scope of the current TTL and is itself synchronized
1747 to a valid source and operating at a stratum level equal
1748 to or lower than the manycast client, it replies to the
1749 manycast client message with an ordinary unicast server message.
1751 The manycast client receiving this message mobilizes
1752 an ephemeral client/server association according to the
1753 matching manycast client template, but only if cryptographically
1754 authenticated and the server stratum is less than or equal
1755 to the client stratum.
1756 Authentication is explicitly required
1757 and either symmetric key or public key (Autokey) can be used.
1758 Then, the client polls the server at its unicast address
1759 in burst mode in order to reliably set the host clock
1760 and validate the source.
1761 This normally results
1762 in a volley of eight client/server at 2\-s intervals
1763 during which both the synchronization and cryptographic
1764 protocols run concurrently.
1765 Following the volley,
1766 the client runs the NTP intersection and clustering
1767 algorithms, which act to discard all but the "best"
1768 associations according to stratum and synchronization
1770 The surviving associations then continue
1771 in ordinary client/server mode.
1773 The manycast client polling strategy is designed to reduce
1774 as much as possible the volume of manycast client messages
1775 and the effects of implosion due to near\-simultaneous
1776 arrival of manycast server messages.
1777 The strategy is determined by the
1778 .Ic manycastclient ,
1782 configuration commands.
1783 The manycast poll interval is
1784 normally eight times the system poll interval,
1785 which starts out at the
1787 value specified in the
1788 .Ic manycastclient ,
1789 command and, under normal circumstances, increments to the
1791 value specified in this command.
1792 Initially, the TTL is
1793 set at the minimum hops specified by the
1796 At each retransmission the TTL is increased until reaching
1797 the maximum hops specified by this command or a sufficient
1798 number client associations have been found.
1799 Further retransmissions use the same TTL.
1801 The quality and reliability of the suite of associations
1802 discovered by the manycast client is determined by the NTP
1803 mitigation algorithms and the
1807 values specified in the
1809 configuration command.
1812 candidate servers must be available and the mitigation
1813 algorithms produce at least
1815 survivors in order to synchronize the clock.
1816 Byzantine agreement principles require at least four
1817 candidates in order to correctly discard a single falseticker.
1818 For legacy purposes,
1823 For manycast service
1825 should be explicitly set to 4, assuming at least that
1826 number of servers are available.
1830 servers are found, the manycast poll interval is immediately
1835 servers are found when the TTL has reached the maximum hops,
1836 the manycast poll interval is doubled.
1837 For each transmission
1838 after that, the poll interval is doubled again until
1839 reaching the maximum of eight times
1841 Further transmissions use the same poll interval and
1843 Note that while all this is going on,
1844 each client/server association found is operating normally
1845 it the system poll interval.
1847 Administratively scoped multicast boundaries are normally
1848 specified by the network router configuration and,
1849 in the case of IPv6, the link/site scope prefix.
1850 By default, the increment for TTL hops is 32 starting
1851 from 31; however, the
1853 configuration command can be
1854 used to modify the values to match the scope rules.
1856 It is often useful to narrow the range of acceptable
1857 servers which can be found by manycast client associations.
1858 Because manycast servers respond only when the client
1859 stratum is equal to or greater than the server stratum,
1860 primary (stratum 1) servers fill find only primary servers
1861 in TTL range, which is probably the most common objective.
1862 However, unless configured otherwise, all manycast clients
1863 in TTL range will eventually find all primary servers
1864 in TTL range, which is probably not the most common
1865 objective in large networks.
1868 command can be used to modify this behavior.
1869 Servers with stratum below
1875 command are strongly discouraged during the selection
1876 process; however, these servers may be temporally
1877 accepted if the number of servers within TTL range is
1881 The above actions occur for each manycast client message,
1882 which repeats at the designated poll interval.
1883 However, once the ephemeral client association is mobilized,
1884 subsequent manycast server replies are discarded,
1885 since that would result in a duplicate association.
1886 If during a poll interval the number of client associations
1889 all manycast client prototype associations are reset
1890 to the initial poll interval and TTL hops and operation
1891 resumes from the beginning.
1892 It is important to avoid
1893 frequent manycast client messages, since each one requires
1894 all manycast servers in TTL range to respond.
1895 The result could well be an implosion, either minor or major,
1896 depending on the number of servers in range.
1897 The recommended value for
1901 It is possible and frequently useful to configure a host
1902 as both manycast client and manycast server.
1903 A number of hosts configured this way and sharing a common
1904 group address will automatically organize themselves
1905 in an optimum configuration based on stratum and
1906 synchronization distance.
1907 For example, consider an NTP
1908 subnet of two primary servers and a hundred or more
1910 With two exceptions, all servers
1911 and clients have identical configuration files including both
1915 commands using, for instance, multicast group address
1917 The only exception is that each primary server
1918 configuration file must include commands for the primary
1919 reference source such as a GPS receiver.
1921 The remaining configuration files for all secondary
1922 servers and clients have the same contents, except for the
1924 command, which is specific for each stratum level.
1925 For stratum 1 and stratum 2 servers, that command is
1927 For stratum 3 and above servers the
1929 value is set to the intended stratum number.
1930 Thus, all stratum 3 configuration files are identical,
1931 all stratum 4 files are identical and so forth.
1933 Once operations have stabilized in this scenario,
1934 the primary servers will find the primary reference source
1935 and each other, since they both operate at the same
1936 stratum (1), but not with any secondary server or client,
1937 since these operate at a higher stratum.
1939 servers will find the servers at the same stratum level.
1940 If one of the primary servers loses its GPS receiver,
1941 it will continue to operate as a client and other clients
1942 will time out the corresponding association and
1943 re\-associate accordingly.
1945 Some administrators prefer to avoid running
1947 continuously and run either
1953 In either case the servers must be
1954 configured in advance and the program fails if none are
1955 available when the cron job runs.
1957 application of manycast is with
1960 The program wakes up, scans the local landscape looking
1961 for the usual suspects, selects the best from among
1962 the rascals, sets the clock and then departs.
1963 Servers do not have to be configured in advance and
1964 all clients throughout the network can have the same
1966 .Ss Manycast Interactions with Autokey
1967 Each time a manycast client sends a client mode packet
1968 to a multicast group address, all manycast servers
1969 in scope generate a reply including the host name
1971 The manycast clients then run
1972 the Autokey protocol, which collects and verifies
1973 all certificates involved.
1974 Following the burst interval
1975 all but three survivors are cast off,
1976 but the certificates remain in the local cache.
1977 It often happens that several complete signing trails
1978 from the client to the primary servers are collected in this way.
1980 About once an hour or less often if the poll interval
1981 exceeds this, the client regenerates the Autokey key list.
1982 This is in general transparent in client/server mode.
1983 However, about once per day the server private value
1984 used to generate cookies is refreshed along with all
1985 manycast client associations.
1987 cryptographic values including certificates is refreshed.
1988 If a new certificate has been generated since
1989 the last refresh epoch, it will automatically revoke
1990 all prior certificates that happen to be in the
1992 At the same time, the manycast
1993 scheme starts all over from the beginning and
1994 the expanding ring shrinks to the minimum and increments
1995 from there while collecting all servers in scope.
1996 .Ss Broadcast Options
1997 .Bl -tag -width indent
2000 .Cm bcpollbstep Ar gate
2003 This command provides a way to delay,
2004 by the specified number of broadcast poll intervals,
2005 believing backward time steps from a broadcast server.
2006 Broadcast time networks are expected to be trusted.
2007 In the event a broadcast server's time is stepped backwards,
2008 there is clear benefit to having the clients notice this change
2009 as soon as possible.
2010 Attacks such as replay attacks can happen, however,
2011 and even though there are a number of protections built in to
2012 broadcast mode, attempts to perform a replay attack are possible.
2013 This value defaults to 0, but can be changed
2014 to any number of poll intervals between 0 and 4.
2015 .Ss Manycast Options
2016 .Bl -tag -width indent
2019 .Cm ceiling Ar ceiling |
2020 .Cm cohort { 0 | 1 } |
2021 .Cm floor Ar floor |
2022 .Cm minclock Ar minclock |
2023 .Cm minsane Ar minsane
2026 This command affects the clock selection and clustering
2028 It can be used to select the quality and
2029 quantity of peers used to synchronize the system clock
2030 and is most useful in manycast mode.
2031 The variables operate
2033 .Bl -tag -width indent
2034 .It Cm ceiling Ar ceiling
2035 Peers with strata above
2037 will be discarded if there are at least
2040 This value defaults to 15, but can be changed
2041 to any number from 1 to 15.
2042 .It Cm cohort Bro 0 | 1 Brc
2043 This is a binary flag which enables (0) or disables (1)
2044 manycast server replies to manycast clients with the same
2046 This is useful to reduce implosions where
2047 large numbers of clients with the same stratum level
2049 The default is to enable these replies.
2050 .It Cm floor Ar floor
2051 Peers with strata below
2053 will be discarded if there are at least
2056 This value defaults to 1, but can be changed
2057 to any number from 1 to 15.
2058 .It Cm minclock Ar minclock
2059 The clustering algorithm repeatedly casts out outlier
2060 associations until no more than
2062 associations remain.
2063 This value defaults to 3,
2064 but can be changed to any number from 1 to the number of
2066 .It Cm minsane Ar minsane
2067 This is the minimum number of candidates available
2068 to the clock selection algorithm in order to produce
2069 one or more truechimers for the clustering algorithm.
2070 If fewer than this number are available, the clock is
2071 undisciplined and allowed to run free.
2073 for legacy purposes.
2074 However, according to principles of
2075 Byzantine agreement,
2077 should be at least 4 in order to detect and discard
2078 a single falseticker.
2080 .It Cm ttl Ar hop ...
2081 This command specifies a list of TTL values in increasing
2082 order, up to 8 values can be specified.
2083 In manycast mode these values are used in turn
2084 in an expanding\-ring search.
2085 The default is eight
2086 multiples of 32 starting at 31.
2088 .Sh Reference Clock Support
2089 The NTP Version 4 daemon supports some three dozen different radio,
2090 satellite and modem reference clocks plus a special pseudo\-clock
2091 used for backup or when no other clock source is available.
2092 Detailed descriptions of individual device drivers and options can
2094 .Qq Reference Clock Drivers
2096 (available as part of the HTML documentation
2098 .Pa /usr/share/doc/ntp ) .
2099 Additional information can be found in the pages linked
2100 there, including the
2101 .Qq Debugging Hints for Reference Clock Drivers
2103 .Qq How To Write a Reference Clock Driver
2105 (available as part of the HTML documentation
2107 .Pa /usr/share/doc/ntp ) .
2108 In addition, support for a PPS
2109 signal is available as described in the
2110 .Qq Pulse\-per\-second (PPS) Signal Interfacing
2112 (available as part of the HTML documentation
2114 .Pa /usr/share/doc/ntp ) .
2116 drivers support special line discipline/streams modules which can
2117 significantly improve the accuracy using the driver.
2120 .Qq Line Disciplines and Streams Drivers
2122 (available as part of the HTML documentation
2124 .Pa /usr/share/doc/ntp ) .
2126 A reference clock will generally (though not always) be a radio
2127 timecode receiver which is synchronized to a source of standard
2128 time such as the services offered by the NRC in Canada and NIST and
2130 The interface between the computer and the timecode
2131 receiver is device dependent, but is usually a serial port.
2133 device driver specific to each reference clock must be selected and
2134 compiled in the distribution; however, most common radio, satellite
2135 and modem clocks are included by default.
2136 Note that an attempt to
2137 configure a reference clock when the driver has not been compiled
2138 or the hardware port has not been appropriately configured results
2139 in a scalding remark to the system log file, but is otherwise non
2142 For the purposes of configuration,
2145 reference clocks in a manner analogous to normal NTP peers as much
2147 Reference clocks are identified by a syntactically
2148 correct but invalid IP address, in order to distinguish them from
2150 Reference clock addresses are of the form
2152 .Li 127.127. Ar t . Ar u ,
2157 denoting the clock type and
2160 number in the range 0\-3.
2161 While it may seem overkill, it is in fact
2162 sometimes useful to configure multiple reference clocks of the same
2163 type, in which case the unit numbers must be unique.
2167 command is used to configure a reference
2170 argument in that command
2171 is the clock address.
2177 options are not used for reference clock support.
2180 option is added for reference clock support, as
2184 option can be useful to
2185 persuade the server to cherish a reference clock with somewhat more
2186 enthusiasm than other reference clocks or peers.
2188 information on this option can be found in the
2189 .Qq Mitigation Rules and the prefer Keyword
2190 (available as part of the HTML documentation
2192 .Pa /usr/share/doc/ntp )
2199 meaning only for selected clock drivers.
2200 See the individual clock
2201 driver document pages for additional information.
2205 command is used to provide additional
2206 information for individual clock drivers and normally follows
2207 immediately after the
2212 argument specifies the clock address.
2217 options can be used to
2218 override the defaults for the device.
2219 There are two optional
2220 device\-dependent time offsets and four flags that can be included
2225 The stratum number of a reference clock is by default zero.
2228 daemon adds one to the stratum of each
2229 peer, a primary server ordinarily displays an external stratum of
2231 In order to provide engineered backups, it is often useful to
2232 specify the reference clock stratum as greater than zero.
2235 option is used for this purpose.
2237 involving both a reference clock and a pulse\-per\-second (PPS)
2238 discipline signal, it is useful to specify the reference clock
2239 identifier as other than the default, depending on the driver.
2242 option is used for this purpose.
2244 these options apply to all clock drivers.
2245 .Ss Reference Clock Commands
2246 .Bl -tag -width indent
2249 .Li 127.127. Ar t . Ar u
2253 .Op Cm minpoll Ar int
2254 .Op Cm maxpoll Ar int
2256 This command can be used to configure reference clocks in
2258 The options are interpreted as follows:
2259 .Bl -tag -width indent
2261 Marks the reference clock as preferred.
2262 All other things being
2263 equal, this host will be chosen for synchronization among a set of
2264 correctly operating hosts.
2266 .Qq Mitigation Rules and the prefer Keyword
2268 (available as part of the HTML documentation
2270 .Pa /usr/share/doc/ntp )
2271 for further information.
2273 Specifies a mode number which is interpreted in a
2274 device\-specific fashion.
2275 For instance, it selects a dialing
2276 protocol in the ACTS driver and a device subtype in the
2279 .It Cm minpoll Ar int
2280 .It Cm maxpoll Ar int
2281 These options specify the minimum and maximum polling interval
2282 for reference clock messages, as a power of 2 in seconds
2284 most directly connected reference clocks, both
2288 default to 6 (64 s).
2289 For modem reference clocks,
2291 defaults to 10 (17.1 m) and
2293 defaults to 14 (4.5 h).
2294 The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
2298 .Li 127.127. Ar t . Ar u
2302 .Op Cm stratum Ar int
2303 .Op Cm refid Ar string
2305 .Op Cm flag1 Cm 0 \&| Cm 1
2306 .Op Cm flag2 Cm 0 \&| Cm 1
2307 .Op Cm flag3 Cm 0 \&| Cm 1
2308 .Op Cm flag4 Cm 0 \&| Cm 1
2310 This command can be used to configure reference clocks in
2312 It must immediately follow the
2314 command which configures the driver.
2315 Note that the same capability
2316 is possible at run time using the
2319 The options are interpreted as
2321 .Bl -tag -width indent
2323 Specifies a constant to be added to the time offset produced by
2324 the driver, a fixed\-point decimal number in seconds.
2326 as a calibration constant to adjust the nominal time offset of a
2327 particular clock to agree with an external standard, such as a
2328 precision PPS signal.
2329 It also provides a way to correct a
2330 systematic error or bias due to serial port or operating system
2331 latencies, different cable lengths or receiver internal delay.
2333 specified offset is in addition to the propagation delay provided
2334 by other means, such as internal DIPswitches.
2336 for an individual system and driver is available, an approximate
2337 correction is noted in the driver documentation pages.
2338 Note: in order to facilitate calibration when more than one
2339 radio clock or PPS signal is supported, a special calibration
2340 feature is available.
2341 It takes the form of an argument to the
2343 command described in
2344 .Sx Miscellaneous Options
2345 page and operates as described in the
2346 .Qq Reference Clock Drivers
2348 (available as part of the HTML documentation
2350 .Pa /usr/share/doc/ntp ) .
2351 .It Cm time2 Ar secs
2352 Specifies a fixed\-point decimal number in seconds, which is
2353 interpreted in a driver\-dependent way.
2354 See the descriptions of
2355 specific drivers in the
2356 .Qq Reference Clock Drivers
2358 (available as part of the HTML documentation
2360 .Pa /usr/share/doc/ntp ) .
2361 .It Cm stratum Ar int
2362 Specifies the stratum number assigned to the driver, an integer
2364 This number overrides the default stratum number
2365 ordinarily assigned by the driver itself, usually zero.
2366 .It Cm refid Ar string
2367 Specifies an ASCII string of from one to four characters which
2368 defines the reference identifier used by the driver.
2370 overrides the default identifier ordinarily assigned by the driver
2373 Specifies a mode number which is interpreted in a
2374 device\-specific fashion.
2375 For instance, it selects a dialing
2376 protocol in the ACTS driver and a device subtype in the
2379 .It Cm flag1 Cm 0 \&| Cm 1
2380 .It Cm flag2 Cm 0 \&| Cm 1
2381 .It Cm flag3 Cm 0 \&| Cm 1
2382 .It Cm flag4 Cm 0 \&| Cm 1
2383 These four flags are used for customizing the clock driver.
2385 interpretation of these values, and whether they are used at all,
2386 is a function of the particular clock driver.
2390 is used to enable recording monitoring
2393 file configured with the
2396 Further information on the
2398 command can be found in
2399 .Sx Monitoring Options .
2402 .Sh Miscellaneous Options
2403 .Bl -tag -width indent
2404 .It Ic broadcastdelay Ar seconds
2405 The broadcast and multicast modes require a special calibration
2406 to determine the network delay between the local and remote
2408 Ordinarily, this is done automatically by the initial
2409 protocol exchanges between the client and server.
2411 the calibration procedure may fail due to network or server access
2412 controls, for example.
2413 This command specifies the default delay to
2414 be used under these circumstances.
2415 Typically (for Ethernet), a
2416 number between 0.003 and 0.007 seconds is appropriate.
2418 when this command is not used is 0.004 seconds.
2419 .It Ic calldelay Ar delay
2420 This option controls the delay in seconds between the first and second
2421 packets sent in burst or iburst mode to allow additional time for a modem
2422 or ISDN call to complete.
2423 .It Ic driftfile Ar driftfile
2424 This command specifies the complete path and name of the file used to
2425 record the frequency of the local clock oscillator.
2429 command line option.
2430 If the file exists, it is read at
2431 startup in order to set the initial frequency and then updated once per
2432 hour with the current frequency computed by the daemon.
2434 specified, but the file itself does not exist, the starts with an initial
2435 frequency of zero and creates the file when writing it for the first time.
2436 If this command is not given, the daemon will always start with an initial
2439 The file format consists of a single line containing a single
2440 floating point number, which records the frequency offset measured
2441 in parts\-per\-million (PPM).
2442 The file is updated by first writing
2443 the current drift value into a temporary file and then renaming
2444 this file to replace the old version.
2447 must have write permission for the directory the
2448 drift file is located in, and that file system links, symbolic or
2449 otherwise, should be avoided.
2450 .It Ic dscp Ar value
2451 This option specifies the Differentiated Services Control Point (DSCP) value,
2453 The default value is 46, signifying Expedited Forwarding.
2456 .Cm auth | Cm bclient |
2457 .Cm calibrate | Cm kernel |
2458 .Cm mode7 | Cm monitor |
2459 .Cm ntp | Cm stats |
2460 .Cm peer_clear_digest_early |
2461 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
2466 .Cm auth | Cm bclient |
2467 .Cm calibrate | Cm kernel |
2468 .Cm mode7 | Cm monitor |
2469 .Cm ntp | Cm stats |
2470 .Cm peer_clear_digest_early |
2471 .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
2474 Provides a way to enable or disable various server options.
2475 Flags not mentioned are unaffected.
2476 Note that all of these flags
2477 can be controlled remotely using the
2480 .Bl -tag -width indent
2482 Enables the server to synchronize with unconfigured peers only if the
2483 peer has been correctly authenticated using either public key or
2484 private key cryptography.
2485 The default for this flag is
2488 Enables the server to listen for a message from a broadcast or
2489 multicast server, as in the
2491 command with default
2493 The default for this flag is
2496 Enables the calibrate feature for reference clocks.
2501 Enables the kernel time discipline, if available.
2502 The default for this
2505 if support is available, otherwise
2508 Enables processing of NTP mode 7 implementation\-specific requests
2509 which are used by the deprecated
2512 The default for this flag is disable.
2513 This flag is excluded from runtime configuration using
2517 program provides the same capabilities as
2519 using standard mode 6 requests.
2521 Enables the monitoring facility.
2527 command or further information.
2529 default for this flag is
2532 Enables time and frequency discipline.
2533 In effect, this switch opens and
2534 closes the feedback loop, which is useful for testing.
2538 .It Cm peer_clear_digest_early
2541 is using autokey and it
2542 receives a crypto\-NAK packet that
2543 passes the duplicate packet and origin timestamp checks
2544 the peer variables are immediately cleared.
2545 While this is generally a feature
2546 as it allows for quick recovery if a server key has changed,
2547 a properly forged and appropriately delivered crypto\-NAK packet
2548 can be used in a DoS attack.
2549 If you have active noticable problems with this type of DoS attack
2550 then you should consider
2551 disabling this option.
2554 file for evidence of any of these attacks.
2556 default for this flag is
2559 Enables the statistics facility.
2561 .Sx Monitoring Options
2562 section for further information.
2563 The default for this flag is
2565 .It Cm unpeer_crypto_early
2568 receives an autokey packet that fails TEST9,
2570 the association is immediately cleared.
2571 This is almost certainly a feature,
2572 but if, in spite of the current recommendation of not using autokey,
2577 you are seeing this sort of DoS attack
2578 disabling this flag will delay
2579 tearing down the association until the reachability counter
2583 file for evidence of any of these attacks.
2585 default for this flag is
2587 .It Cm unpeer_crypto_nak_early
2590 receives a crypto\-NAK packet that
2591 passes the duplicate packet and origin timestamp checks
2592 the association is immediately cleared.
2593 While this is generally a feature
2594 as it allows for quick recovery if a server key has changed,
2595 a properly forged and appropriately delivered crypto\-NAK packet
2596 can be used in a DoS attack.
2597 If you have active noticable problems with this type of DoS attack
2598 then you should consider
2599 disabling this option.
2602 file for evidence of any of these attacks.
2604 default for this flag is
2606 .It Cm unpeer_digest_early
2609 receives what should be an authenticated packet
2610 that passes other packet sanity checks but
2611 contains an invalid digest
2612 the association is immediately cleared.
2613 While this is generally a feature
2614 as it allows for quick recovery,
2615 if this type of packet is carefully forged and sent
2616 during an appropriate window it can be used for a DoS attack.
2617 If you have active noticable problems with this type of DoS attack
2618 then you should consider
2619 disabling this option.
2622 file for evidence of any of these attacks.
2624 default for this flag is
2627 .It Ic includefile Ar includefile
2628 This command allows additional configuration commands
2629 to be included from a separate file.
2631 be nested to a depth of five; upon reaching the end of any
2632 include file, command processing resumes in the previous
2634 This option is useful for sites that run
2636 on multiple hosts, with (mostly) common options (e.g., a
2638 .It Ic leapsmearinterval Ar seconds
2639 This EXPERIMENTAL option is only available if
2642 .Cm \-\-enable\-leap\-smear
2646 It specifies the interval over which a leap second correction will be applied.
2647 Recommended values for this option are between
2648 7200 (2 hours) and 86400 (24 hours).
2649 .Sy DO NOT USE THIS OPTION ON PUBLIC\-ACCESS SERVERS!
2650 See http://bugs.ntp.org/2855 for more information.
2651 .It Ic logconfig Ar configkeyword
2652 This command controls the amount and type of output written to
2655 facility or the alternate
2658 By default, all output is turned on.
2661 keywords can be prefixed with
2677 messages can be controlled in four
2686 Within these classes four types of messages can be
2687 controlled: informational messages
2705 Configuration keywords are formed by concatenating the message class with
2709 prefix can be used instead of a message class.
2711 message class may also be followed by the
2713 keyword to enable/disable all
2714 messages of the respective message class.
2715 Thus, a minimal log configuration
2716 could look like this:
2718 logconfig =syncstatus +sysevents
2721 This would just list the synchronizations state of
2723 and the major system events.
2724 For a simple reference server, the
2725 following minimum message configuration could be useful:
2727 logconfig =syncall +clockall
2730 This configuration will list all clock information and
2731 synchronization information.
2732 All other events and messages about
2733 peers, system events and so on is suppressed.
2734 .It Ic logfile Ar logfile
2735 This command specifies the location of an alternate log file to
2736 be used instead of the default system
2739 This is the same operation as the
2741 command line option.
2742 .It Ic setvar Ar variable Op Cm default
2743 This command adds an additional system variable.
2745 variables can be used to distribute additional information such as
2747 If the variable of the form
2754 variable will be listed as part of the default system variables
2760 These additional variables serve
2761 informational purposes only.
2762 They are not related to the protocol
2763 other that they can be listed.
2764 The known protocol variables will
2765 always override any variables defined via the
2768 There are three special variables that contain the names
2769 of all variable of the same group.
2773 the names of all system variables.
2777 the names of all peer variables and the
2779 holds the names of the reference clock variables.
2782 .Cm allan Ar allan |
2783 .Cm dispersion Ar dispersion |
2785 .Cm huffpuff Ar huffpuff |
2786 .Cm panic Ar panic |
2788 .Cm stepback Ar stepback |
2789 .Cm stepfwd Ar stepfwd |
2790 .Cm stepout Ar stepout
2793 This command can be used to alter several system variables in
2794 very exceptional circumstances.
2795 It should occur in the
2796 configuration file before any other configuration options.
2798 default values of these variables have been carefully optimized for
2799 a wide range of network speeds and reliability expectations.
2801 general, they interact in intricate ways that are hard to predict
2802 and some combinations can result in some very nasty behavior.
2804 rarely is it necessary to change the default values; but, some
2805 folks cannot resist twisting the knobs anyway and this command is
2807 Emphasis added: twisters are on their own and can expect
2808 no help from the support group.
2810 The variables operate as follows:
2811 .Bl -tag -width indent
2812 .It Cm allan Ar allan
2813 The argument becomes the new value for the minimum Allan
2814 intercept, which is a parameter of the PLL/FLL clock discipline
2816 The value in log2 seconds defaults to 7 (1024 s), which is also the lower
2818 .It Cm dispersion Ar dispersion
2819 The argument becomes the new value for the dispersion increase rate,
2820 normally .000015 s/s.
2822 The argument becomes the initial value of the frequency offset in
2823 parts\-per\-million.
2824 This overrides the value in the frequency file, if
2825 present, and avoids the initial training state if it is not.
2826 .It Cm huffpuff Ar huffpuff
2827 The argument becomes the new value for the experimental
2828 huff\-n'\-puff filter span, which determines the most recent interval
2829 the algorithm will search for a minimum delay.
2831 900 s (15 m), but a more reasonable value is 7200 (2 hours).
2833 is no default, since the filter is not enabled unless this command
2835 .It Cm panic Ar panic
2836 The argument is the panic threshold, normally 1000 s.
2838 the panic sanity check is disabled and a clock offset of any value will
2841 The argument is the step threshold, which by default is 0.128 s.
2843 be set to any positive number in seconds.
2844 If set to zero, step
2845 adjustments will never occur.
2846 Note: The kernel time discipline is
2847 disabled if the step threshold is set to zero or greater than the
2849 .It Cm stepback Ar stepback
2850 The argument is the step threshold for the backward direction,
2851 which by default is 0.128 s.
2853 be set to any positive number in seconds.
2854 If both the forward and backward step thresholds are set to zero, step
2855 adjustments will never occur.
2856 Note: The kernel time discipline is
2858 each direction of step threshold are either
2859 set to zero or greater than .5 second.
2860 .It Cm stepfwd Ar stepfwd
2861 As for stepback, but for the forward direction.
2862 .It Cm stepout Ar stepout
2863 The argument is the stepout timeout, which by default is 900 s.
2865 be set to any positive number in seconds.
2866 If set to zero, the stepout
2867 pulses will not be suppressed.
2871 .Cm memlock Ar Nmegabytes |
2872 .Cm stacksize Ar N4kPages
2873 .Cm filenum Ar Nfiledescriptors
2876 .Bl -tag -width indent
2877 .It Cm memlock Ar Nmegabytes
2878 Specify the number of megabytes of memory that should be
2879 allocated and locked.
2880 Probably only available under Linux, this option may be useful
2881 when dropping root (the
2884 The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
2885 -1 means "do not lock the process into memory".
2886 0 means "lock whatever memory the process wants into memory".
2887 .It Cm stacksize Ar N4kPages
2888 Specifies the maximum size of the process stack on systems with the
2891 Defaults to 50 4k pages (200 4k pages in OpenBSD).
2892 .It Cm filenum Ar Nfiledescriptors
2893 Specifies the maximum number of file descriptors ntpd may have open at once.
2894 Defaults to the system default.
2896 .It Xo Ic trap Ar host_address
2897 .Op Cm port Ar port_number
2898 .Op Cm interface Ar interface_address
2900 This command configures a trap receiver at the given host
2901 address and port number for sending messages with the specified
2902 local interface address.
2903 If the port number is unspecified, a value
2905 If the interface address is not specified, the
2906 message is sent with a source address of the local interface the
2907 message is sent through.
2908 Note that on a multihomed host the
2909 interface used may vary from time to time with routing changes.
2911 The trap receiver will generally log event messages and other
2912 information from the server in a log file.
2914 programs may also request their own trap dynamically, configuring a
2915 trap receiver will ensure that no messages are lost when the server
2918 This command specifies a list of TTL values in increasing order, up to 8
2919 values can be specified.
2920 In manycast mode these values are used in turn in
2921 an expanding\-ring search.
2922 The default is eight multiples of 32 starting at
2928 Display usage information and exit.
2930 Pass the extended usage information through a pager.
2931 .It Fl \-version Op Brq Ar v|c|n
2932 Output version of program and exit. The default mode is `v', a simple
2933 version. The `c' mode will print copyright information and `n' will
2934 print the full copyright notice.
2936 .Sh "OPTION PRESETS"
2937 Any option that is not marked as \fInot presettable\fP may be preset
2938 by loading values from environment variables named:
2940 \fBNTP_CONF_<option\-name>\fP or \fBNTP_CONF\fP
2944 See \fBOPTION PRESETS\fP for configuration environment variables.
2946 .Bl -tag -width /etc/ntp.drift -compact
2947 .It Pa /etc/ntp.conf
2948 the default name of the configuration file
2953 .It Pa ntpkey_ Ns Ar host
2956 Diffie\-Hellman agreement parameters
2959 One of the following exit values will be returned:
2961 .It 0 " (EXIT_SUCCESS)"
2962 Successful program execution.
2963 .It 1 " (EXIT_FAILURE)"
2964 The operation failed or the command syntax was not valid.
2965 .It 70 " (EX_SOFTWARE)"
2966 libopts had an internal operational error. Please report
2967 it to autogen\-users@lists.sourceforge.net. Thank you.
2974 In addition to the manual pages provided,
2975 comprehensive documentation is available on the world wide web
2977 .Li http://www.ntp.org/ .
2978 A snapshot of this documentation is available in HTML format in
2979 .Pa /usr/share/doc/ntp .
2982 .%T Network Time Protocol (Version 4)
2986 The University of Delaware and Network Time Foundation
2988 Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
2989 This program is released under the terms of the NTP license, <http://ntp.org/license>.
2991 The syntax checking is not picky; some combinations of
2992 ridiculous and even hilarious options and modes may not be
2996 .Pa ntpkey_ Ns Ar host
2997 files are really digital
2999 These should be obtained via secure directory
3000 services when they become universally available.
3002 Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
3004 This document was derived from FreeBSD.
3006 This manual page was \fIAutoGen\fP\-erated from the \fBntp.conf\fP