HEADS UP: ntpd changing


HEADS UP: ntpd changing

Theo de Raadt-2
The ntpd options -s and -S are going to be removed soon and at startup
will print:

    -s option no longer works and will be removed soon.
    Please reconfigure to use constraints or trusted servers.

Probably after 6.7 we'll delete the warning.  Maybe for 6.8 we'll remove
-s and -S from getopt, and starting with those options will fail.

Effective immediately, the -s option stops doing what you expect.  It now
does nothing.

Big improvements have happened in ntpd recently.  At startup, ntpd
aggressively tries to learn from NTP packets validated by constraints,
and set the time.

That means a smarter variation of -s is the default, but the information
is now *VALIDATED* by constraints.

2 additional constraints have been added.  If you have upgraded, please
review /etc/examples/ntpd.conf for modern use.

Those who cannot use https constraints can instead tag server lines
with the keyword "trusted", which means you believe MITM attacks are not
possible on the network to those specific NTP servers.  Do this only on
servers directly connected over a trusted network.  If someone does
"servers pool.ntp.org trusted", we're going to have a great laugh.

We're creating something a bit complex, but our goal is for every
machine to have a close approximation of correct time.  If we get
there, some good things will happen.  Some serious cargo-culting
for using -s has gotten in the way (-s performs no MITM checks).


Re: HEADS UP: ntpd changing

Otto Moerbeek
On Sun, Nov 10, 2019 at 05:03:02PM -0700, Theo de Raadt wrote:

> The ntpd options -s and -S are going to be removed soon and at startup
> will print:
>
>     -s option no longer works and will be removed soon.
>     Please reconfigure to use constraints or trusted servers.
>
> Probably after 6.7 we'll delete the warning.  Maybe for 6.8 we'll remove
> -s and -S from getopt, and starting with those options will fail.
>
> Effective immediately, the -s option stops doing what you expect.  It now
> does nothing.
>
> Big improvements have happened in ntpd recently.  At startup, ntpd
> aggressively tries to learn from NTP packets validated by constraints,
> and set the time.
>
> That means a smarter variation of -s is the default, but the information
> is now *VALIDATED* by constraints.
>
> 2 additional constraints have been added.  If you have upgraded, please
> review /etc/examples/ntpd.conf for modern use.
>
> Those who cannot use https constraints can instead tag server lines
> with the keyword "trusted", which means you believe MITM attacks are not
> possible on the network to those specific NTP servers.  Do this only on
> servers directly connected over a trusted network.  If someone does
> "servers pool.ntp.org trusted", we're going to have a great laugh.
>
> We're creating something a bit complex, but our goal is for every
> machine to have a close approximation of correct time.  If we get
> there, some good things will happen.  Some serious cargo-culting
> for using -s has gotten in the way (-s performs no MITM checks).
>

So if you are running current, do the following. Likely you can stop
after step 2.

1. remove -s from ntpd_flags

2. check if the default ntpd.conf works for you; it most likely will,
   *including setting the time on boot*.

3. if you cannot use constraints because https to the world is not possible,
   consider running ntpd on your local net and use that as a peer marked as
   trusted or, if available, use a sensor marked as trusted.

4. Still having problems? Report so we can look at your use case and
   find a solution.

        -Otto
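As an added illustration of the steps above (example code, not from the thread or from OpenBSD), the sh function below lints an ntpd.conf(5) text for the two points raised: a public pool tagged trusted, which discards the MITM protection the keyword is supposed to represent, and a config with neither a constraint nor a trusted source, which is the old "-s and hope" layout now that -s is a no-op. The four sample configs are constructed; the constraint host, the 10.0.0.1 peer and the nmea0 sensor name are placeholders, not values from the page.

```shell
#!/bin/sh
# lint_ntpd_conf CONFIG_TEXT: prints findings, returns 0 when the config
# has at least one validated time source and no trusted public pool.

# Constructed sample: the pre-change layout, relying on ntpd_flags="-s".
OLD_STYLE='servers pool.ntp.org
sensor *'

# Constructed sample: constraint-validated layout (host is a placeholder).
CONSTRAINED='servers pool.ntp.org
sensor *
constraints from "www.google.com"'

# Constructed sample: isolated network, local peer and sensor tagged trusted.
ISOLATED='server 10.0.0.1 trusted    # placeholder local ntpd peer
sensor nmea0 trusted         # placeholder GPS sensor'

# Constructed sample: the cargo-cult variant the announcement warns about.
CARGO_CULT='servers pool.ntp.org trusted'

lint_ntpd_conf() {
    # Strip comments so a commented-out "trusted" does not count.
    conf=$(printf '%s\n' "$1" | sed 's/#.*//')
    status=0
    # A public pool tagged trusted: MITM checks are switched off for servers
    # reached over arbitrary networks.
    if printf '%s\n' "$conf" | grep -Eq \
        '^[[:space:]]*servers?[[:space:]]+[^[:space:]]*pool\.ntp\.org.*[[:space:]]trusted'; then
        echo "ERROR: public pool tagged trusted; drop the keyword and use constraints"
        status=1
    fi
    has_constraint=0
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*constraints?[[:space:]]+from' \
        && has_constraint=1
    has_trusted=0
    printf '%s\n' "$conf" | grep -Eq \
        '^[[:space:]]*(server|servers|sensor)[[:space:]].*[[:space:]]trusted([[:space:]]|$)' \
        && has_trusted=1
    if [ "$has_constraint" -eq 0 ] && [ "$has_trusted" -eq 0 ]; then
        echo "WARN: no constraint and no trusted source; nothing validates the servers' time"
        status=1
    fi
    return "$status"
}
```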