diff options
author | Reyk Floeter <reyk@cvs.openbsd.org> | 2015-02-10 07:19:53 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2015-02-10 07:19:53 +0000 |
commit | c602513e0c403682b086392b6f9653971cd9dd41 (patch) | |
tree | 3eeb533fa1858d5583c641746e93cc0e4b2ac3ff /usr.sbin/ntpd/ntpd.conf.5 | |
parent | 70425dbbba2d162e4ad9d01bae71e55f9c7bd1ed (diff) |
Move the constraints in a new section and add a preamble to explain
the functionality.
Requested by henning@
OK beck@ deraadt@
Diffstat (limited to 'usr.sbin/ntpd/ntpd.conf.5')
-rw-r--r-- | usr.sbin/ntpd/ntpd.conf.5 | 79 |
1 files changed, 43 insertions, 36 deletions
diff --git a/usr.sbin/ntpd/ntpd.conf.5 b/usr.sbin/ntpd/ntpd.conf.5 index 8466076fd1b..3c6178d906e 100644 --- a/usr.sbin/ntpd/ntpd.conf.5 +++ b/usr.sbin/ntpd/ntpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ntpd.conf.5,v 1.25 2015/02/10 06:40:08 reyk Exp $ +.\" $OpenBSD: ntpd.conf.5,v 1.26 2015/02/10 07:19:52 reyk Exp $ .\" .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> .\" @@ -33,42 +33,8 @@ Empty lines and lines beginning with the character are ignored. .Pp Keywords may be specified multiple times within the configuration file. -They are as follows: +The basic configuration options are as follows: .Bl -tag -width Ds -.It Ic constraint from Ar url -Specify the URL, IP address or the hostname of a HTTPS server to -provide a constraint. -.Xr ntpd 8 -will connect to the server and retrieve the remote time from the -.Eq Date -header. -This time will be used as a constraint on time synchronization; -received NTP packets with time information that is more than a few -minutes off will be discarded and the NTP -.Ic server -will be marked as invalid. -If multiple -.Ic constraint -keywords are used, -.Xr ntpd 8 -will calculate a median constraint from all the servers specified. -.Bd -literal -offset indent -server ntp.example.org -constraint www.example.com -.Ed -.It Ic constraints from Ar url -As with -.Ic constraint , -specify the URL, IP address or the hostname of a HTTPS server to -provide a constraint. -Should the hostname resolve to multiple IP addresses, -.Xr ntpd 8 -will calculate a median constraint from all of them. -For example: -.Bd -literal -offset indent -servers pool.ntp.org -constraints from "https://www.google.com/search?q=openntpd" -.Ed .It Xo Ic listen on Ar address .Op Ic rtable Ar table-id .Xc @@ -210,6 +176,47 @@ servers pool.ntp.org servers pool.ntp.org rtable 5 .Ed .El +.Sh CONSTRAINTS +.Xr ntpd 8 +can be configured to query the +.Sq Date +from trusted HTTPS servers via TLS. +This time information is not used for precision but acts as an +authenticated constraint, +thereby reducing the impact of unauthenticated NTP +.Sq Man-In-The-Middle +attacks. +Received NTP packets with time information falling outside of a range +near the constraint will be discarded and such NTP +.Ic servers +will be marked as invalid. +.Bl -tag -width Ds +.It Ic constraint from Ar url +Specify the URL, IP address or the hostname of a HTTPS server to +provide a constraint. +If multiple +.Ic constraint +keywords are used, +.Xr ntpd 8 +will calculate a median constraint from all the servers specified. +.Bd -literal -offset indent +server ntp.example.org +constraint www.example.com +.Ed +.It Ic constraints from Ar url +As with +.Ic constraint , +specify the URL, IP address or the hostname of a HTTPS server to +provide a constraint. +Should the hostname resolve to multiple IP addresses, +.Xr ntpd 8 +will calculate a median constraint from all of them. +For example: +.Bd -literal -offset indent +servers pool.ntp.org +constraints from "https://www.google.com/search?q=openntpd" +.Ed +.El .Sh FILES .Bl -tag -width "/etc/ntpd.confXXX" -compact .It Pa /etc/ntpd.conf |