From e917f797a40aa69f746acb5ed8451a46129a4f27 Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Mon, 18 May 2015 13:48:38 +0000
Subject: [PATCH] enable ntpd by default at install time. We use pools and a reliable constraint to keep them in check. in the worst case of being on a dark net, nothing changes. this is being enabled by default to allow gathering of more operational information from users. and if the operational heuristics in ntpd can be suitable refined, this may stay the default into the future. if not, ntpd will become even more awesome along the way. with reyk rpe
---
 src/etc/Makefile | 3 ++-
 src/etc/ntpd.conf | 14 ++++++++++++++
 src/etc/rc.conf | 4 ++--
 3 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 src/etc/ntpd.conf
diff --git a/src/etc/Makefile b/src/etc/Makefile
index f8b3769d..afa7130e 100644
--- a/src/etc/Makefile
+++ b/src/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.401 2015/03/27 18:49:50 schwarze Exp $
+# $OpenBSD: Makefile,v 1.402 2015/05/18 13:48:38 deraadt Exp $
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= Canada/Mountain
@@ -97,6 +97,7 @@ distribution-etc-root-var: distrib-dirs
 ${INSTALL} -c -o root -g wheel -m 600 master.passwd ${DESTDIR}/etc
 pwd_mkdb -p -d ${DESTDIR}/etc /etc/master.passwd
 ${INSTALL} -c -o root -g wheel -m 600 pf.conf ${DESTDIR}/etc
+ ${INSTALL} -c -o root -g wheel -m 640 ntpd.conf ${DESTDIR}/etc
 ${INSTALL} -c -o root -g _nsd -m 640 nsd.conf ${DESTDIR}/var/nsd/etc
 ${INSTALL} -c -o root -g wheel -m 644 unbound.conf ${DESTDIR}/var/unbound/etc
 ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 555 \
diff --git a/src/etc/ntpd.conf b/src/etc/ntpd.conf
new file mode 100644
index 00000000..ec5a86e2
--- /dev/null
+++ b/src/etc/ntpd.conf
@@ -0,0 +1,14 @@
+# $OpenBSD: ntpd.conf,v 1.13 2015/05/18 13:48:38 deraadt Exp $
+
+# Addresses to listen on (ntpd does not listen by default)
+#listen on *
+
+# use a random selection of NTP Pool Time Servers
+# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
+servers pool.ntp.org
+
+# use all detected timedelta sensors
+sensor *
+
+# get the time constraint from a well-known HTTPS site
+constraints from "https://www.google.com"
diff --git a/src/etc/rc.conf b/src/etc/rc.conf
index 66c687a9..c4c7ca46 100644
--- a/src/etc/rc.conf
+++ b/src/etc/rc.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: rc.conf,v 1.202 2015/05/04 22:25:17 schwarze Exp $
+# $OpenBSD: rc.conf,v 1.203 2015/05/18 13:48:38 deraadt Exp $
 # DO NOT EDIT THIS FILE!! #
@@ -40,7 +40,7 @@ mopd_flags=NO
 mrouted_flags=NO # be sure to enable multicast_router below
 npppd_flags=NO
 nsd_flags=NO
-ntpd_flags=NO
+ntpd_flags=
 ospfd_flags=NO
 ospf6d_flags=NO
 pflogd_flags= # add more flags, e.g. "-s 256"
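Review bot: The final line of the new src/etc/ntpd.conf, `constraints from "https://www.google.com"`, makes one third-party HTTPS endpoint the only authenticated check on replies from the unauthenticated pool named in `servers pool.ntp.org`, and the comment above it does not explain that role. A constraint is the Date header fetched over TLS and is used only to discard NTP replies that fall far from it, so the comment could read `# authenticated sanity bound from the TLS Date header; NTP replies far outside it are discarded`. The commit message's dark-net remark suggests ntpd carries on without any bound when the fetch fails; if that is the case it deserves a comment line of its own, and a second `constraints from` entry for an independently operated site would avoid depending on a single operator. Every default install will also make an outbound HTTPS request to this host, which is worth stating in the file for administrators who audit egress.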
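Review bot: In the second src/etc/rc.conf hunk, `ntpd_flags=` switches a network client on inside the file marked DO NOT EDIT, and unlike the neighbouring `pflogd_flags=` line it carries no trailing comment. Because the new default lives in rc.conf itself rather than in an override written by the installer, hosts that upgrade and never set ntpd_flags would presumably start ntpd too, which is wider than the "at install time" in the subject; confirm that this is intended. A trailing comment such as `ntpd_flags=	# enabled by default; set ntpd_flags=NO in rc.conf.local to disable` would tell administrators how to opt out.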