
Disable -s and -S functionality. -s would force time using NTP packets without

any MITM protection checks.  We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted".  trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto
OPENBSD_6_7
deraadt 5 years ago
parent
commit
796283a2f8
1 changed files with 10 additions and 5 deletions
  1. +10
    -5
      src/usr.sbin/ntpd/ntpd.c

+ 10
- 5
src/usr.sbin/ntpd/ntpd.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.c,v 1.126 2019/11/10 19:24:47 otto Exp $ */
/* $OpenBSD: ntpd.c,v 1.127 2019/11/11 01:04:55 deraadt Exp $ */
/* /*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -99,7 +99,7 @@ usage(void)
fprintf(stderr, fprintf(stderr,
"usage: ntpctl -s all | peers | Sensors | status\n"); "usage: ntpctl -s all | peers | Sensors | status\n");
else else
fprintf(stderr, "usage: %s [-dnSsv] [-f file]\n",
fprintf(stderr, "usage: %s [-dnv] [-f file]\n",
__progname); __progname);
exit(1); exit(1);
} }
@ -140,6 +140,7 @@ main(int argc, char *argv[])
char **argv0 = argv; char **argv0 = argv;
char *pname = NULL; char *pname = NULL;
time_t settime_deadline; time_t settime_deadline;
int sopt = 0;
if (strcmp(__progname, "ntpctl") == 0) { if (strcmp(__progname, "ntpctl") == 0) {
ctl_main(argc, argv); ctl_main(argc, argv);
@ -166,10 +167,8 @@ main(int argc, char *argv[])
pname = optarg; pname = optarg;
break; break;
case 's': case 's':
lconf.settime = 1;
break;
case 'S': case 'S':
lconf.settime = 0;
sopt = ch;
break; break;
case 'v': case 'v':
lconf.verbose++; lconf.verbose++;
@ -187,6 +186,12 @@ main(int argc, char *argv[])
log_init(logdest, lconf.verbose, LOG_DAEMON); log_init(logdest, lconf.verbose, LOG_DAEMON);
if (sopt) {
log_warnx("-%c option no longer works and will be removed soon.",
sopt);
log_warnx("Please reconfigure to use constraints or trusted servers.");
}
argc -= optind; argc -= optind;
argv += optind; argv += optind;
if (argc > 0) if (argc > 0)
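Review bot: In the merged `case 's': case 'S':` arm of main()'s option switch, both flags now only record `sopt = ch`, so -S (which previously set `lconf.settime = 0`) gets the same "reconfigure to use constraints or trusted servers" warning as -s, although it never requested an unvalidated time step. If both flags are passed, only the last one is named in the warning. The arm should carry a comment so nobody later reads the fall-through as an accident and restores the assignment, for example `/* -s/-S are accepted for compatibility only and no longer touch lconf.settime */`. The notice is emitted only through `log_warnx` after `log_init`, and startup continues with the flag ignored, so operators who still pass -s learn of the change only if they read that log destination. main() starts and ends outside these hunks, so whether `lconf.settime` is assigned elsewhere cannot be confirmed from here.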

