invoke-ntp.conf.texi (293423) | invoke-ntp.conf.texi (294554) |
---|---|
1@node ntp.conf Notes 2@section Notes about ntp.conf 3@pindex ntp.conf 4@cindex Network Time Protocol (NTP) daemon configuration file format 5@ignore 6# 7# EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) 8# | 1@node ntp.conf Notes 2@section Notes about ntp.conf 3@pindex ntp.conf 4@cindex Network Time Protocol (NTP) daemon configuration file format 5@ignore 6# 7# EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) 8# |
9# It has been AutoGen-ed January 7, 2016 at 11:30:49 PM by AutoGen 5.18.5 | 9# It has been AutoGen-ed January 20, 2016 at 04:17:59 AM by AutoGen 5.18.5 |
10# From the definitions ntp.conf.def 11# and the template file agtexi-file.tpl 12@end ignore 13 14 15 16The 17@code{ntp.conf} --- 2271 unchanged lines hidden (view full) --- 2289This implies that 2290@code{ntpd(1ntpdmdoc)} 2291must have write permission for the directory the 2292drift file is located in, and that file system links, symbolic or 2293otherwise, should be avoided. 2294@item @code{dscp} @kbd{value} 2295This option specifies the Differentiated Services Control Point (DSCP) value, 2296a 6-bit code. The default value is 46, signifying Expedited Forwarding. | 10# From the definitions ntp.conf.def 11# and the template file agtexi-file.tpl 12@end ignore 13 14 15 16The 17@code{ntp.conf} --- 2271 unchanged lines hidden (view full) --- 2289This implies that 2290@code{ntpd(1ntpdmdoc)} 2291must have write permission for the directory the 2292drift file is located in, and that file system links, symbolic or 2293otherwise, should be avoided. 2294@item @code{dscp} @kbd{value} 2295This option specifies the Differentiated Services Control Point (DSCP) value, 2296a 6-bit code. The default value is 46, signifying Expedited Forwarding. |
2297@item @code{enable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats}]} 2298@item @code{disable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats}]} | 2297@item @code{enable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]} 2298@item @code{disable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]} |
2299Provides a way to enable or disable various server options. 2300Flags not mentioned are unaffected. 2301Note that all of these flags 2302can be controlled remotely using the 2303@code{ntpdc(1ntpdcmdoc)} 2304utility program. 2305@table @asis 2306@item @code{auth} --- 55 unchanged lines hidden (view full) --- 2362@code{enable}. 2363@item @code{stats} 2364Enables the statistics facility. 2365See the 2366@ref{Monitoring Options} 2367section for further information. 2368The default for this flag is 2369@code{disable}. | 2299Provides a way to enable or disable various server options. 2300Flags not mentioned are unaffected. 2301Note that all of these flags 2302can be controlled remotely using the 2303@code{ntpdc(1ntpdcmdoc)} 2304utility program. 2305@table @asis 2306@item @code{auth} --- 55 unchanged lines hidden (view full) --- 2362@code{enable}. 2363@item @code{stats} 2364Enables the statistics facility. 2365See the 2366@ref{Monitoring Options} 2367section for further information. 2368The default for this flag is 2369@code{disable}. |
2370@item @code{unpeer_crypto_early} 2371By default, if 2372@code{ntpd(1ntpdmdoc)} 2373receives an autokey packet that fails TEST9, 2374a crypto failure, 2375the association is immediately cleared. 2376This is almost certainly a feature, 2377but if, in spite of the current recommendation of not using autokey, 2378you are 2379.B still 2380using autokey 2381.B and 2382you are seeing this sort of DoS attack 2383disabling this flag will delay 2384tearing down the association until the reachability counter 2385becomes zero. 2386You can check your 2387@code{peerstats} 2388file for evidence of any of these attacks. 2389The 2390default for this flag is 2391@code{enable}. 2392@item @code{unpeer_crypto_nak_early} 2393By default, if 2394@code{ntpd(1ntpdmdoc)} 2395receives a crypto-NAK packet that 2396passes the duplicate packet and origin timestamp checks 2397the association is immediately cleared. 2398While this is generally a feature 2399as it allows for quick recovery if a server key has changed, 2400a properly forged and appropriately delivered crypto-NAK packet 2401can be used in a DoS attack. 2402If you have active noticable problems with this type of DoS attack 2403then you should consider 2404disabling this option. 2405You can check your 2406@code{peerstats} 2407file for evidence of any of these attacks. 2408The 2409default for this flag is 2410@code{enable}. 2411@item @code{unpeer_digest_early} 2412By default, if 2413@code{ntpd(1ntpdmdoc)} 2414receives what should be an authenticated packet 2415that passes other packet sanity checks but 2416contains an invalid digest 2417the association is immediately cleared. 2418While this is generally a feature 2419as it allows for quick recovery, 2420if this type of packet is carefully forged and sent 2421during an appropriate window it can be used for a DoS attack. 2422If you have active noticable problems with this type of DoS attack 2423then you should consider 2424disabling this option. 
2425You can check your 2426@code{peerstats} 2427file for evidence of any of these attacks. 2428The 2429default for this flag is 2430@code{enable}. |
|
2370@end table 2371@item @code{includefile} @kbd{includefile} 2372This command allows additional configuration commands 2373to be included from a separate file. 2374Include files may 2375be nested to a depth of five; upon reaching the end of any 2376include file, command processing resumes in the previous 2377configuration file. --- 303 unchanged lines hidden --- | 2431@end table 2432@item @code{includefile} @kbd{includefile} 2433This command allows additional configuration commands 2434to be included from a separate file. 2435Include files may 2436be nested to a depth of five; upon reaching the end of any 2437include file, command processing resumes in the previous 2438configuration file. --- 303 unchanged lines hidden --- |
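Review bot: The unchanged sentence at lines 2301-2304 ("all of these flags can be controlled remotely using the ntpdc utility program") now also covers `unpeer_crypto_early`, `unpeer_crypto_nak_early` and `unpeer_digest_early`, because they were added to the `enable`/`disable` synopsis at new lines 2297-2298. Please confirm that the claim holds for the three new flags, or reword the sentence so it only names the flags it applies to. These flags decide how the daemon reacts to packets that fail authentication, so the text should say explicitly whether they can be changed at run time or only from the configuration file.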
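Review bot: In the new `unpeer_crypto_early` item, new lines 2379 and 2381 carry `.B still` and `.B and`, which are roff macros rather than Texinfo and will appear literally in the rendered output. Use `@strong{still}` and `@strong{and}` instead, and make the change in `ntp.conf.def` or the template, since this file is AutoGen-ed and a hand edit would be overwritten. The same sentence needs a comma before "disabling this flag" (new lines 2382-2383), and "noticable" at new lines 2402 and 2422 should read "noticeable". All three items send the reader to `peerstats` for "evidence of any of these attacks" without saying what such an entry looks like; one sentence naming the record or status to look for would make that advice usable.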