From 5f9d0ecf71042eeacf223e5877012d24b1de7f10 Mon Sep 17 00:00:00 2001 From: reyk <> Date: Tue, 10 Feb 2015 07:19:52 +0000 Subject: [PATCH] Move the constraints in a new section and add a preamble to explain the functionality. Requested by henning@ OK beck@ deraadt@ --- src/usr.sbin/ntpd/ntpd.conf.5 | 79 +++++++++++++++++++---------------- 1 file changed, 43 insertions(+), 36 deletions(-) diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5 index 8466076f..3c6178d9 100644 --- a/src/usr.sbin/ntpd/ntpd.conf.5 +++ b/src/usr.sbin/ntpd/ntpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ntpd.conf.5,v 1.25 2015/02/10 06:40:08 reyk Exp $ +.\" $OpenBSD: ntpd.conf.5,v 1.26 2015/02/10 07:19:52 reyk Exp $ .\" .\" Copyright (c) 2003, 2004 Henning Brauer .\" 
@@ -33,42 +33,8 @@ Empty lines and lines beginning with the character are ignored. .Pp Keywords may be specified multiple times within the configuration file. -They are as follows: +The basic configuration options are as follows: .Bl -tag -width Ds -.It Ic constraint from Ar url -Specify the URL, IP address or the hostname of a HTTPS server to -provide a constraint. -.Xr ntpd 8 -will connect to the server and retrieve the remote time from the -.Eq Date -header. -This time will be used as a constraint on time synchronization; -received NTP packets with time information that is more than a few -minutes off will be discarded and the NTP -.Ic server -will be marked as invalid. -If multiple -.Ic constraint -keywords are used, -.Xr ntpd 8 -will calculate a median constraint from all the servers specified. -.Bd -literal -offset indent -server ntp.example.org -constraint www.example.com -.Ed -.It Ic constraints from Ar url -As with -.Ic constraint , -specify the URL, IP address or the hostname of a HTTPS server to -provide a constraint. -Should the hostname resolve to multiple IP addresses, -.Xr ntpd 8 -will calculate a median constraint from all of them. -For example: -.Bd -literal -offset indent -servers pool.ntp.org -constraints from "https://www.google.com/search?q=openntpd" -.Ed .It Xo Ic listen on Ar address .Op Ic rtable Ar table-id .Xc 
@@ -210,6 +176,47 @@ servers pool.ntp.org servers pool.ntp.org rtable 5 .Ed .El +.Sh CONSTRAINTS +.Xr ntpd 8 +can be configured to query the +.Sq Date +from trusted HTTPS servers via TLS. +This time information is not used for precision but acts as an +authenticated constraint, +thereby reducing the impact of unauthenticated NTP +.Sq Man-In-The-Middle +attacks. +Received NTP packets with time information falling outside of a range +near the constraint will be discarded and such NTP +.Ic servers +will be marked as invalid. +.Bl -tag -width Ds +.It Ic constraint from Ar url +Specify the URL, IP address or the hostname of a HTTPS server to +provide a constraint. +If multiple +.Ic constraint +keywords are used, +.Xr ntpd 8 +will calculate a median constraint from all the servers specified. +.Bd -literal -offset indent +server ntp.example.org +constraint www.example.com +.Ed +.It Ic constraints from Ar url +As with +.Ic constraint , +specify the URL, IP address or the hostname of a HTTPS server to +provide a constraint. +Should the hostname resolve to multiple IP addresses, +.Xr ntpd 8 +will calculate a median constraint from all of them. +For example: +.Bd -literal -offset indent +servers pool.ntp.org +constraints from "https://www.google.com/search?q=openntpd" +.Ed +.El .Sh FILES .Bl -tag -width "/etc/ntpd.confXXX" -compact .It Pa /etc/ntpd.conf
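Review bot: in the second hunk, the removed `constraint from` description stated the rejection tolerance concretely ("received NTP packets with time information that is more than a few minutes off will be discarded"), but the text that replaces it in the new CONSTRAINTS preamble only says "falling outside of a range near the constraint". Since the whole point of the constraint is to bound how far a forged NTP reply can move the clock, administrators need the approximate figure to judge what the mechanism does and does not protect against; consider carrying "a few minutes" over into the new section. Dropping the old `.Eq Date` in favour of `.Sq Date` in the new section is a good fix, as `Eq` is not an mdoc macro and would not have rendered.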
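Review bot: in the third hunk, the example under `.It Ic constraint from Ar url` reads `constraint www.example.com`, omitting the `from` keyword that the entry's own synopsis requires, while the `constraints` example right below it does include `from` (`constraints from "https://www.google.com/search?q=openntpd"`); the two should be consistent with the documented syntax, so the first example should read `constraint from www.example.com`. Two smaller wording points in the new preamble: "can be configured to query the `.Sq Date` from trusted HTTPS servers" is missing the word "header" (the old text had "the Date header"), and "a HTTPS server" should be "an HTTPS server" in both new entries. Finally, "such NTP `.Ic servers` will be marked as invalid" marks the plural noun as the `servers` keyword; the removed text used `.Ic server`, and plain "servers" (or `.Ic server` entries) would avoid suggesting that only the `servers` keyword is affected.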