Move the constraints in a new section and add a preamble to explain the functionality.
Requested by henning@
OK beck@ deraadt@
OPENBSD_5_7
reyk 10 years ago
parent
commit
5f9d0ecf71
1 changed files with 43 additions and 36 deletions
src/usr.sbin/ntpd/ntpd.conf.5

@ -1,4 +1,4 @@
.\" $OpenBSD: ntpd.conf.5,v 1.25 2015/02/10 06:40:08 reyk Exp $
.\" $OpenBSD: ntpd.conf.5,v 1.26 2015/02/10 07:19:52 reyk Exp $
.\"
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
.\"
@ -33,42 +33,8 @@ Empty lines and lines beginning with the
character are ignored.
.Pp
Keywords may be specified multiple times within the configuration file.
They are as follows:
The basic configuration options are as follows:
.Bl -tag -width Ds
.It Ic constraint from Ar url
Specify the URL, IP address or the hostname of a HTTPS server to
provide a constraint.
.Xr ntpd 8
will connect to the server and retrieve the remote time from the
.Eq Date
header.
This time will be used as a constraint on time synchronization;
received NTP packets with time information that is more than a few
minutes off will be discarded and the NTP
.Ic server
will be marked as invalid.
If multiple
.Ic constraint
keywords are used,
.Xr ntpd 8
will calculate a median constraint from all the servers specified.
.Bd -literal -offset indent
server ntp.example.org
constraint www.example.com
.Ed
.It Ic constraints from Ar url
As with
.Ic constraint ,
specify the URL, IP address or the hostname of a HTTPS server to
provide a constraint.
Should the hostname resolve to multiple IP addresses,
.Xr ntpd 8
will calculate a median constraint from all of them.
For example:
.Bd -literal -offset indent
servers pool.ntp.org
constraints from "https://www.google.com/search?q=openntpd"
.Ed
.It Xo Ic listen on Ar address
.Op Ic rtable Ar table-id
.Xc
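
Review bot: The new lead sentence "The basic configuration options are as follows:" gives no pointer to where the constraint keywords went, so a reader scanning this list for "constraint" will find nothing. Consider adding a cross-reference here, for example a sentence using .Sx CONSTRAINTS, so the options removed from this list stay discoverable from the main keyword list.
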
@ -210,6 +176,47 @@ servers pool.ntp.org
servers pool.ntp.org rtable 5
.Ed
.El
.Sh CONSTRAINTS
.Xr ntpd 8
can be configured to query the
.Sq Date
from trusted HTTPS servers via TLS.
This time information is not used for precision but acts as an
authenticated constraint,
thereby reducing the impact of unauthenticated NTP
.Sq Man-In-The-Middle
attacks.
Received NTP packets with time information falling outside of a range
near the constraint will be discarded and such NTP
.Ic servers
will be marked as invalid.
.Bl -tag -width Ds
.It Ic constraint from Ar url
Specify the URL, IP address or the hostname of a HTTPS server to
provide a constraint.
If multiple
.Ic constraint
keywords are used,
.Xr ntpd 8
will calculate a median constraint from all the servers specified.
.Bd -literal -offset indent
server ntp.example.org
constraint www.example.com
.Ed
.It Ic constraints from Ar url
As with
.Ic constraint ,
specify the URL, IP address or the hostname of a HTTPS server to
provide a constraint.
Should the hostname resolve to multiple IP addresses,
.Xr ntpd 8
will calculate a median constraint from all of them.
For example:
.Bd -literal -offset indent
servers pool.ntp.org
constraints from "https://www.google.com/search?q=openntpd"
.Ed
.El
.Sh FILES
.Bl -tag -width "/etc/ntpd.confXXX" -compact
.It Pa /etc/ntpd.conf
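
Review bot: In the new CONSTRAINTS preamble, "falling outside of a range near the constraint" is less specific than the removed wording "more than a few minutes off", so the page no longer tells an operator roughly how far an NTP reply may deviate before it is discarded; consider keeping the order of magnitude. The first sentence also dropped the word "header" and now reads "query the Date from trusted HTTPS servers", which is harder to parse than the old "retrieve the remote time from the Date header". Finally, the carried-over example "constraint www.example.com" omits the "from" keyword that the ".It Ic constraint from Ar url" line documents; the example and the syntax line should agree.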

