FS#28703 - [ntp] fix configuration file
Attached to Project:
Arch Linux
Opened by orbisvicis (orbisvicis) - Tuesday, 28 February 2012, 17:07 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 01 March 2012, 12:19 GMT
Details
Description:
The ntp.conf file shipped by Arch Linux does not do what it claims. I've attached an updated version.

Changes:
* Switch from "server" to "pool" directive. The "pool" directive is more appropriate, and is supported in the version of ntp shipped by Arch.
* Access control now actually does "# Only allow read-only access from localhost". (The previous settings allowed read-only access from anywhere, and unlimited access from localhost.)

Additional info:
* package version(s): local/ntp 4.2.6.p5-3
Closed by Gaetan Bisson (vesath)
Thursday, 01 March 2012, 12:19 GMT
Reason for closing: Fixed
Additional comments about closing: ntp-4.2.6.p5-5 in [extra]
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=385334
You *cannot* use nomodify on localhost IPv4 or IPv6 restrict lines.
'restrict default ignore' : blocks incoming time packets (glad you caught this)
'restrict 127.0.0.1 nomodify' 'restrict ::1 nomodify' : resolver process can't update ntpd with the new address *
* note that this is fixed in the latest dev release (4.2.7.p261)
Furthermore 'nomodify' blocks remote configuration commands which do not work without being properly authenticated. The process of configuring and providing proper credentials is complicated making it unlikely for users to accidentally modify server configuration, therefore localhost 'nomodify' restrictions are pretty much useless.
Also the 'pool' directive can't be properly secured; the 'restrict source' option was introduced in 4.2.7.p22
Altogether I believe that all changes to ntp.conf should be reverted *until* 4.2.8 (stable version of 4.2.7) is released.
At which point the following configuration should be used:
pool pool.ntp.org iburst
restrict default ignore
restrict source limited kod nomodify noquery nopeer notrap
restrict 127.0.0.1
restrict ::1
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
* 'nopeer' blocks pool server discovery; I filed a report and if it is not a bug 'nopeer' should be removed.
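As an added illustration (not code from this report or from the ntp package), a small Python check that flags the pitfalls the comment above describes for a given installed ntp version: 'nomodify' on the localhost restrict lines before 4.2.7.p261, 'restrict default ignore' with a pool but no 'restrict source', and a pool directive on a version that predates 'restrict source' (4.2.7.p22). The version thresholds are taken from the comment; the sample config is constructed.

```python
import re

# Constructed sample: the shape of config the comment says breaks on ntp 4.2.6
SAMPLE_CONF = """\
pool pool.ntp.org iburst
restrict default ignore
restrict 127.0.0.1 nomodify
restrict ::1 nomodify
driftfile /var/lib/ntp/ntp.drift
"""

RESOLVER_FIXED = (4, 2, 7, 261)  # localhost 'nomodify' breaks the resolver below this
RESTRICT_SOURCE = (4, 2, 7, 22)  # 'restrict source' first available here


def parse_version(text):
    """'4.2.6.p5-3' -> (4, 2, 6, 5); a missing patch level counts as 0, pkgrel is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.p(\d+))?(?:-\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised ntp version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def lint_ntp_conf(conf, version):
    """Return a list of (directive, problem) pairs for the given ntp version."""
    ver = parse_version(version)
    restricts, has_pool = {}, False
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        if words[0] == "pool":
            has_pool = True
        elif words[0] == "restrict":
            if len(words) > 2 and words[1] in ("-4", "-6"):  # optional family flag
                del words[1]
            if len(words) > 1:
                restricts[words[1]] = set(words[2:])  # address -> set of flags
    findings = []
    for host in ("127.0.0.1", "::1"):
        if ver < RESOLVER_FIXED and "nomodify" in restricts.get(host, ()):
            findings.append((f"restrict {host} nomodify",
                             "resolver process cannot hand new server addresses to ntpd"))
    if has_pool and "source" not in restricts:
        if "ignore" in restricts.get("default", ()):
            findings.append(("restrict default ignore",
                             "drops time packets from pool servers; needs 'restrict source'"))
        if ver < RESTRICT_SOURCE:
            findings.append(("pool", "'restrict source' unavailable, pool servers cannot be restricted"))
    return findings
```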