From 5f9d0ecf71042eeacf223e5877012d24b1de7f10 Mon Sep 17 00:00:00 2001
From: reyk <>
Date: Tue, 10 Feb 2015 07:19:52 +0000
Subject: [PATCH] Move the constraints in a new section and add a preamble to
 explain the functionality.

Requested by henning@
OK beck@ deraadt@
---
 src/usr.sbin/ntpd/ntpd.conf.5 | 79 +++++++++++++++++++----------------
 1 file changed, 43 insertions(+), 36 deletions(-)

diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
index 8466076f..3c6178d9 100644
--- a/src/usr.sbin/ntpd/ntpd.conf.5
+++ b/src/usr.sbin/ntpd/ntpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ntpd.conf.5,v 1.25 2015/02/10 06:40:08 reyk Exp $
+.\" $OpenBSD: ntpd.conf.5,v 1.26 2015/02/10 07:19:52 reyk Exp $
 .\"
 .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 .\"
@@ -33,42 +33,8 @@ Empty lines and lines beginning with the
 character are ignored.
 .Pp
 Keywords may be specified multiple times within the configuration file.
-They are as follows:
+The basic configuration options are as follows:
 .Bl -tag -width Ds
-.It Ic constraint from Ar url
-Specify the URL, IP address or the hostname of a HTTPS server to
-provide a constraint.
-.Xr ntpd 8
-will connect to the server and retrieve the remote time from the
-.Eq Date
-header.
-This time will be used as a constraint on time synchronization;
-received NTP packets with time information that is more than a few
-minutes off will be discarded and the NTP
-.Ic server
-will be marked as invalid.
-If multiple
-.Ic constraint
-keywords are used,
-.Xr ntpd 8
-will calculate a median constraint from all the servers specified.
-.Bd -literal -offset indent
-server ntp.example.org
-constraint www.example.com
-.Ed
-.It Ic constraints from Ar url
-As with
-.Ic constraint ,
-specify the URL, IP address or the hostname of a HTTPS server to
-provide a constraint.
-Should the hostname resolve to multiple IP addresses,
-.Xr ntpd 8
-will calculate a median constraint from all of them.
-For example:
-.Bd -literal -offset indent
-servers pool.ntp.org
-constraints from "https://www.google.com/search?q=openntpd"
-.Ed
 .It Xo Ic listen on Ar address
 .Op Ic rtable Ar table-id
 .Xc
@@ -210,6 +176,47 @@ servers pool.ntp.org
 servers pool.ntp.org rtable 5
 .Ed
 .El
+.Sh CONSTRAINTS
+.Xr ntpd 8
+can be configured to query the
+.Sq Date
+from trusted HTTPS servers via TLS.
+This time information is not used for precision but acts as an
+authenticated constraint,
+thereby reducing the impact of unauthenticated NTP
+.Sq Man-In-The-Middle
+attacks.
+Received NTP packets with time information falling outside of a range
+near the constraint will be discarded and such NTP
+.Ic servers
+will be marked as invalid.
+.Bl -tag -width Ds
+.It Ic constraint from Ar url
+Specify the URL, IP address or the hostname of a HTTPS server to
+provide a constraint.
+If multiple
+.Ic constraint
+keywords are used,
+.Xr ntpd 8
+will calculate a median constraint from all the servers specified.
+.Bd -literal -offset indent
+server ntp.example.org
+constraint www.example.com
+.Ed
+.It Ic constraints from Ar url
+As with
+.Ic constraint ,
+specify the URL, IP address or the hostname of a HTTPS server to
+provide a constraint.
+Should the hostname resolve to multiple IP addresses,
+.Xr ntpd 8
+will calculate a median constraint from all of them.
+For example:
+.Bd -literal -offset indent
+servers pool.ntp.org
+constraints from "https://www.google.com/search?q=openntpd"
+.Ed
+.El
 .Sh FILES
 .Bl -tag -width "/etc/ntpd.confXXX" -compact
 .It Pa /etc/ntpd.conf