

  1. From: Pekka Helenius <fincer89@hotmail.com>
  2. Date: Tue, 04 Aug 2020 01:52:17 +0300
  3. Subject: Update default configuration file
  4. --- a/ntpd.conf 2020-07-31 23:00:50.000000000 +0300
  5. +++ b/ntpd.conf 2020-08-03 23:19:18.951338773 +0300
  6. @@ -1,11 +1,321 @@
  7. -# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
  8. -#
  9. # See ntpd.conf(5) and /etc/examples/ntpd.conf
  10. +# BASIC KEYWORDS
  11. +
  12. +# listen on 127.0.0.1 port 123
  13. +
  14. servers pool.ntp.org
  15. -server time.cloudflare.com
  16. -sensor *
  17. +server time.cloudflare.com
  18. +sensor *
  19. -constraint from "9.9.9.9" # quad9 v4 without DNS
  20. -constraint from "2620:fe::fe" # quad9 v6 without DNS
  21. +constraint from "9.9.9.9" # quad9 v4 without DNS
  22. +constraint from "2620:fe::fe" # quad9 v6 without DNS
  23. constraints from "www.google.com" # intentionally not 8.8.8.8
  24. +
  25. +constraints from "https://www.duckduckgo.com" port 443
  26. +
  27. +# ADVANCED KEYWORDS
  28. +
  29. +# During OpenNTPD initialization, all NTP peers get
  30. +# automatic time offset value, if pre-conditions for
  31. +# automatic interval adjustment are being met.
  32. +# The conditions are as follows: OpenNTPD configuration
  33. +# has constraints, trusted NTP peers or trusted sensors
  34. +# and current internally defined process security level
  35. +# is 0. In this case, initial time offset value is set
  36. +# to 1 which, in return, triggers automatic offset calculation.
  37. +#
  38. +# In the automatic offset calculation, a trusted NTP
  39. +# peer offset values are being counted for each peer.
  40. +# For each peer an independent pool size is determined
  41. +# by auto_replies value, ignoring the last value.
  42. +# For instance, with auto_replies value 4, first
  43. +# 3 NTP peer offset values are considered for a single
  44. +# NTP peer, and a median offset value of these collected
  45. +# 3 offset values is calculated and used for time adjustment.
  46. +#
  47. +# auto_replies 4
  48. +
  49. +# In OpenNTPD initial automatic time offset calculation,
  50. +# three conditions are being considered for NTP peers:
  51. +# is a NTP peer trusted and current overall constraint-based
  52. +# median offset not 0, and whether an initial NTP peer
  53. +# time offset exceeds value of auto_threshold . If these
  54. +# conditions are met, then auto_threshold value may be
  55. +# considered. If NTP peer current time offset value is
  56. +# less than auto_threshold , then the system time offset
  57. +# value is considered to be already OK, and OpenNTPD stops
  58. +# calculating automatic offset value from further NTP peer
  59. +# queries. In this case, median offset value is not calculated.
  60. +#
  61. +# auto_threshold 60
  62. +
  63. +# In automatic NTP peer offset calculation mode (during OpenNTPD
  64. +# initialization), if NTP peer IP address is still unresolved
  65. +# (unknown), the next query is attempted in interval_auto_dnsfail
  66. +# seconds. Applies to unresolved constraint IP addresses, as well.
  67. +#
  68. +# interval_auto_dnsfail 1
  69. +
  70. +# Maximum number of attempts to resolve a constraint IP address(es)
  71. +# with a DNS query before falling back from constraint_retry_interval
  72. +# to interval_auto_dnsfail in constraint initialization.
  73. +#
  74. +# tries_auto_dnsfail 4
  75. +
  76. +# PEM-formatted certificate bundle file
  77. +# for constraint HTTPS connections.
  78. +#
  79. +# constraint_ca /etc/ssl/cert.pem
  80. +
  81. +# Whether to validate constraint HTTPS
  82. +# server certificate.
  83. +#
  84. +# constraint_ca_validation true
  85. +
  86. +# Use either LibreSSL (libressl) or OpenSSL (openssl)
  87. +# for constraint HTTPS server connections. To
  88. +# support chosen TLS engine, ntpd(8) must be
  89. +# compiled and run with proper libraries installed
  90. +# on the system. Only LibreSSL and OpenSSL are
  91. +# supported.
  92. +#
  93. +# constraint_engine libressl
  94. +
  95. +# Accepted number of errors during constraint
  96. +# process. If error count exceeds this value
  97. +# multiplied by calculated peer count,
  98. +# constraint connection will be reseted and
  99. +# a new constraint is retrieved.
  100. +#
  101. +# constraint_error_margin 4
  102. +
  103. +# Acceptable time difference between retrieved
  104. +# HTTP header time value and calculated time
  105. +# value in seconds. HTTP header time values
  106. +# exceeding this margin value will be ignored.
  107. +#
  108. +# constraint_margin 120
  109. +
  110. +# Maximum allowed HTTP header length of constraint
  111. +# HTTPS server reply to be fetched in bytes. If
  112. +# the value is exceeded during processing, nothing
  113. +# is returned and constraint check fails.
  114. +#
  115. +# constraint_max_headerlength 8192
  116. +
  117. +# Constraint HTTPS servers scan interval in seconds.
  118. +#
  119. +# constraint_scan_interval 900
  120. +
  121. +# Maximum connection establishment time to a
  122. +# constraint HTTPS server in seconds.
  123. +#
  124. +# constraint_scan_timeout 10
  125. +
  126. +# ntpd(8) socket file path.
  127. +#
  128. +# ctlsocket /var/run/ntpd.sock
  129. +
  130. +# ntpd(8) drift file path.
  131. +#
  132. +# driftfile /var/db/ntpd.drift
  133. +
  134. +# Whether to reset frequency filters after
  135. +# frequency adjustment.
  136. +#
  137. +# filter_adjfreq true
  138. +
  139. +# Number of frequency samples for estimating
  140. +# permanent drift value.
  141. +#
  142. +# frequency_samples 8
  143. +
  144. +# Initial trust level for a new, timed out or
  145. +# erroneous remote NTP server. Every received
  146. +# and non-discarded reply increases trust for
  147. +# the server. The trust level is used for
  148. +# setting used interval_query_* value for the
  149. +# server and keeping track of valid remote NTP
  150. +# servers.
  151. +#
  152. +# A server having this trust level uses remote
  153. +# NTP query interval value interval_query_aggressive .
  154. +#
  155. +# trustlevel_pathetic 2
  156. +
  157. +# If a replying remote NTP server has trust level
  158. +# one number less than this value, the server gets
  159. +# trusted. In this case, the server can achieve
  160. +# maximum trust level trustlevel_max . This trust
  161. +# level is preceded by trust level trustlevel_pathetic
  162. +# and followed by trust level trustlevel_aggressive .
  163. +#
  164. +# A NTP server having trust level value trustlevel_badpeer ,
  165. +# or value greater than trustlevel_pathetic but less than
  166. +# trustlevel_aggressive uses remote NTP query interval
  167. +# value interval_query_aggressive .
  168. +#
  169. +# In a case of NTP server reply time out, if the server
  170. +# has at least trust level value trustlevel_badpeer
  171. +# and the trust level value divided by 2 is less than
  172. +# the trustlevel_badpeer value, the server will be
  173. +# invalidated and falls back to initial trust level
  174. +# trustlevel_pathetic .
  175. +#
  176. +# trustlevel_badpeer 6
  177. +
  178. +# Aggressive trust level is preceded by trust level
  179. +# trustlevel_badpeer and followed by trust level
  180. +# trustlevel_max . If a remote NTP server current trust
  181. +# level is at least value of trustlevel_pathetic but
  182. +# less than this value, used remote NTP query interval
  183. +# is determined by value interval_query_aggressive .
  184. +# A server with exact trust level trustlevel_aggressive
  185. +# uses query interval interval_query_normal
  186. +# (see trustlevel_max below).
  187. +#
  188. +# trustlevel_aggressive 8
  189. +
  190. +# Maximum trust level follows trust level trustlevel_aggressive .
  191. +# This is the maximum trust level which a remote NTP
  192. +# server can achieve. A server having at least trust
  193. +# level trustlevel_aggressive uses remote NTP query
  194. +# interval value interval_query_normal .
  195. +#
  196. +# trustlevel_max 10
  197. +
  198. +# Remote NTP server query interval in seconds for servers with
  199. +# a trust level value greater than trustlevel_pathetic but less
  200. +# than trustlevel_aggressive in a case where a NTP peer does not
  201. +# still have large enough pool of already queried offset time values
  202. +# for its offset time median calculation (checked against value
  203. +# auto replies ) or is not trusted , interval value
  204. +# interval_query_ultra_violence may be triggered.
  205. +# Applies only to NTP offset calculation automatic mode.
  206. +#
  207. +# In most cases, interval_query_aggressive is used instead.
  208. +# Dynamic offset scale value factors qscale_off_min and qscale_off_max
  209. +# are ignored.
  210. +#
  211. +# interval_query_ultra_violence 1
  212. +
  213. +# Remote NTP server query interval in seconds for
  214. +# servers with a trust level value less than trustlevel_pathetic .
  215. +# Practically never used.
  216. +#
  217. +# This value is not the final query interval value but
  218. +# used in a combination with a dynamic offset scale value,
  219. +# determined by qscale_off_min and qscale_off_max .
  220. +#
  221. +# trustlevel_query_pathetic 60
  222. +
  223. +# Remote NTP server query interval in seconds for servers
  224. +# with a trust level value greater than trustlevel_pathetic
  225. +# but less than trustlevel_aggressive . Since all servers
  226. +# start with a value trustlevel_pathetic , it means that
  227. +# this is the initial value used for all new, timed out
  228. +# or erroneous NTP servers.
  229. +#
  230. +# This value is not the final query interval value but
  231. +# used in a combination with a dynamic offset scale value,
  232. +# determined by qscale_off_min and qscale_off_max .
  233. +#
  234. +# trustlevel_query_aggressive 5
  235. +
  236. +# Remote NTP server query interval in seconds for servers
  237. +# with a trust level value between trustlevel_aggressive
  238. +# and trustlevel_max .
  239. +#
  240. +# This value is not the final query interval value but
  241. +# used in a combination with a dynamic offset scale value,
  242. +# determined by qscale_off_min and qscale_off_max .
  243. +#
  244. +# trustlevel_query_normal 30
  245. +
  246. +# Retry time in seconds after failed connection attempt
  247. +# to a remote NTP server.
  248. +#
  249. +# interval_query_timeout 300
  250. +
  251. +# Negligible frequency rate to not log in PPM.
  252. +#
  253. +# log_negligible_adjfreq 0.05
  254. +
  255. +# Negligible drift time to not log in milliseconds.
  256. +#
  257. +# log_negligible_adjtime 32
  258. +
  259. +# Maximum allowed frequency correction per iteration.
  260. +#
  261. +# max_frequency_adjust 0.0128
  262. +
  263. +# Maximum number of errors tolerated before reconnecting
  264. +# to a remote NTP server.
  265. +#
  266. +# max_send_errors 3
  267. +
  268. +# Maximum number of remote NTP server IP addresses
  269. +# fetched per DNS query.
  270. +#
  271. +# max_servers_dns 8
  272. +
  273. +# ntpd(8) process user name. Group name and working
  274. +# directory are internally fetched by getpwnam(3) .
  275. +#
  276. +# ntpd_user ntp
  277. +
  278. +# Minimum scale value used for dynamically adjusting
  279. +# NTP server query interval time. If median NTP server
  280. +# & sensor offset value is lower than this value, then
  281. +# this value is used for scale calculation as minimum value.
  282. +# Otherwise, the offset value is used as minimum value.
  283. +# The offset value is a combined median value, based on
  284. +# all NTP server & sensor offset values.
  285. +#
  286. +# The determined frequency scale is
  287. +# qscale_off_max / { qscale_off_min OR median offset } .
  288. +#
  289. +# In the end, the calculated scale value is multiplied
  290. +# one of interval_query_* values (pathetic, aggressive, normal)
  291. +# on a client side, and ultimately used for dynamic
  292. +# adjustment of client-side NTP server query interval time
  293. +# for ntpd(8) process.
  294. +#
  295. +# qscale_off_min 0.001
  296. +
  297. +# Maximum scale value used for dynamically adjusting
  298. +# NTP server query interval time. This value is used
  299. +# either with a median NTP server & sensor offset value,
  300. +# described in qscale_off_min section, or directly with
  301. +# the value of qscale_off_min . The more detailed description
  302. +# about further use of this value is above and
  303. +# in interval_query_* sections.
  304. +#
  305. +# qscale_off_max 0.050
  306. +
  307. +# Maximum time reserved for a single NTP server query
  308. +# in seconds.
  309. +#
  310. +# querytime_max 15
  311. +
  312. +# Sensor data maximum valid age in seconds.
  313. +#
  314. +# sensor_data_maxage 900
  315. +
  316. +# Sensor default reference ID string.
  317. +#
  318. +# sensor_default_refid "HARD"
  319. +
  320. +# Sensor query interval in seconds.
  321. +#
  322. +# sensor_query_interval 15
  323. +
  324. +# Scan interval for new sensors in seconds.
  325. +#
  326. +# sensor_scan_interval 60
  327. +
  328. +# Maximum time to wait for a constraint to reply
  329. +# during OpenNTPD initial automatic mode.
  330. +#
  331. +# settime_timeout 100