path: root/usr.sbin/ntpd/ntpd.conf.5
author Reyk Floeter <reyk@cvs.openbsd.org> 2015-02-10 07:19:53 +0000
committer Reyk Floeter <reyk@cvs.openbsd.org> 2015-02-10 07:19:53 +0000
commit c602513e0c403682b086392b6f9653971cd9dd41
tree 3eeb533fa1858d5583c641746e93cc0e4b2ac3ff /usr.sbin/ntpd/ntpd.conf.5
parent 70425dbbba2d162e4ad9d01bae71e55f9c7bd1ed
Move the constraints in a new section and add a preamble to explain
the functionality. Requested by henning@ OK beck@ deraadt@
Diffstat (limited to 'usr.sbin/ntpd/ntpd.conf.5')
-rw-r--r-- usr.sbin/ntpd/ntpd.conf.5 79
1 files changed, 43 insertions, 36 deletions
diff --git a/usr.sbin/ntpd/ntpd.conf.5 b/usr.sbin/ntpd/ntpd.conf.5
index 8466076fd1b..3c6178d906e 100644
--- a/usr.sbin/ntpd/ntpd.conf.5
+++ b/usr.sbin/ntpd/ntpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ntpd.conf.5,v 1.25 2015/02/10 06:40:08 reyk Exp $
+.\" $OpenBSD: ntpd.conf.5,v 1.26 2015/02/10 07:19:52 reyk Exp $
.\"
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
.\"
@@ -33,42 +33,8 @@ Empty lines and lines beginning with the
character are ignored.
.Pp
Keywords may be specified multiple times within the configuration file.
-They are as follows:
+The basic configuration options are as follows:
.Bl -tag -width Ds
-.It Ic constraint from Ar url
-Specify the URL, IP address or the hostname of a HTTPS server to
-provide a constraint.
-.Xr ntpd 8
-will connect to the server and retrieve the remote time from the
-.Eq Date
-header.
-This time will be used as a constraint on time synchronization;
-received NTP packets with time information that is more than a few
-minutes off will be discarded and the NTP
-.Ic server
-will be marked as invalid.
-If multiple
-.Ic constraint
-keywords are used,
-.Xr ntpd 8
-will calculate a median constraint from all the servers specified.
-.Bd -literal -offset indent
-server ntp.example.org
-constraint www.example.com
-.Ed
-.It Ic constraints from Ar url
-As with
-.Ic constraint ,
-specify the URL, IP address or the hostname of a HTTPS server to
-provide a constraint.
-Should the hostname resolve to multiple IP addresses,
-.Xr ntpd 8
-will calculate a median constraint from all of them.
-For example:
-.Bd -literal -offset indent
-servers pool.ntp.org
-constraints from "https://www.google.com/search?q=openntpd"
-.Ed
.It Xo Ic listen on Ar address
.Op Ic rtable Ar table-id
.Xc
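Review bot: The new lead-in "The basic configuration options are as follows:" switches terminology from the "Keywords" of the unchanged sentence just above it, and after the two constraint items are removed from this list nothing here tells the reader that more keywords exist elsewhere in the page. Keep one term throughout (for example "The basic keywords are as follows:") and consider a short pointer to the new section, such as ".Sx CONSTRAINTS", near the list so that readers scanning the main keyword list still find the constraint keywords.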
@@ -210,6 +176,47 @@ servers pool.ntp.org
servers pool.ntp.org rtable 5
.Ed
.El
+.Sh CONSTRAINTS
+.Xr ntpd 8
+can be configured to query the
+.Sq Date
+from trusted HTTPS servers via TLS.
+This time information is not used for precision but acts as an
+authenticated constraint,
+thereby reducing the impact of unauthenticated NTP
+.Sq Man-In-The-Middle
+attacks.
+Received NTP packets with time information falling outside of a range
+near the constraint will be discarded and such NTP
+.Ic servers
+will be marked as invalid.
+.Bl -tag -width Ds
+.It Ic constraint from Ar url
+Specify the URL, IP address or the hostname of a HTTPS server to
+provide a constraint.
+If multiple
+.Ic constraint
+keywords are used,
+.Xr ntpd 8
+will calculate a median constraint from all the servers specified.
+.Bd -literal -offset indent
+server ntp.example.org
+constraint www.example.com
+.Ed
+.It Ic constraints from Ar url
+As with
+.Ic constraint ,
+specify the URL, IP address or the hostname of a HTTPS server to
+provide a constraint.
+Should the hostname resolve to multiple IP addresses,
+.Xr ntpd 8
+will calculate a median constraint from all of them.
+For example:
+.Bd -literal -offset indent
+servers pool.ntp.org
+constraints from "https://www.google.com/search?q=openntpd"
+.Ed
+.El
.Sh FILES
.Bl -tag -width "/etc/ntpd.confXXX" -compact
.It Pa /etc/ntpd.conf
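Review bot: The example under ".It Ic constraint from Ar url" still reads "constraint www.example.com", without the "from" that the item header documents and that the "constraints from" example further down uses; either change it to "constraint from www.example.com" or state that "from" is optional. In the preamble, "query the .Sq Date from trusted HTTPS servers" drops the word "header" that the removed text had, so the sentence no longer says what is being read. The removed wording "more than a few minutes off" became "a range near the constraint", which leaves the tolerance unstated; keeping the rough figure would help an administrator judge how much skew a constraint still permits. Finally, ".Ic servers" in "such NTP servers will be marked as invalid" renders as the "servers" keyword, while the sentence refers to individual time sources, so plain text (or ".Ic server" as in the removed text) would be less ambiguous.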