Network Time Protocol (NTP) provides algorithms and defines messages for the synchronisation of time clients to an accurate time reference. This article discusses how to configure a Linux NTP time server to synchronise time with an Internet-based public NTP server.

NTP server systems fall into two categories: primary reference servers and secondary reference servers. Primary reference servers use an external timing reference to provide time, such as GPS or radio clocks. Secondary reference servers synchronise with primary reference NTP servers and offer slightly reduced accuracy. Primary reference servers are designated stratum 1 servers, while secondary servers have a stratum greater than 1.

The NTP Distribution

The NTP source code is freely available from the Network Time Protocol web site. The current version available for download is 4.2.4. NTP is available for the Linux operating systems, with ports available for Windows NT. Once the source code is downloaded, it should be configured, compiled and installed on the host machine. Many Linux operating systems, such as RedHat, offer NTP RPM packages.

Configuring NTP

The 'ntp.conf' file is the main source of configuration information for an NTP server installation. Amongst other things, it contains the list of reference clocks that the installation is to synchronise with. A list of NTP server references is specified with the 'server' configuration command, thus:

server time-a.nist.gov # NIST, Gaithersburg, Maryland NTP server
server time-c.timefreq.bldrdoc.gov # NIST, Boulder, Colorado NTP server

Controlling the NTP Server Daemon

Once configured, the NTP daemon can be started, stopped and restarted using the commands 'ntpd start', 'ntpd stop' and 'ntpd restart'. The NTP server daemon can be queried using the 'ntpq -p' command. The ntpq command queries the NTP server for synchronisation status and provides a list of servers with synchronisation information for each server.

NTP Access Control

Access to the NTP server can be restricted using the 'restrict' directive in the ntp.conf file. You can restrict all access to the NTP server with:

restrict default ignore

To only allow machines on your own network to synchronise with the server, use:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Multiple restrict directives can be specified in the ntp.conf file to restrict access to a specified range of computers.

Authentication Options

Authentication allows matching passwords to be specified on the NTP server and its associated clients. NTP keys are stored in the ntp.keys file in the following format: key-number M key (the M stands for an MD5 key), e.g.:

1 M secret
5 M RaBBit
7 M TiMeLy
10 M MYKEY

In the NTP configuration file ntp.conf, specify which of the keys listed above are trusted, i.e. are secure and you want to use. Any keys present in the keys file but not trusted will not be used for authentication, e.g.:

trustedkey 1 7 10

The NTP server is now configured for authentication.

Client Configuration for Authentication

The client needs to be configured with similar information to the server; however, you may use a subset of the keys specified on the server. A different subset of keys can be used on different clients, e.g.:

Client A)
1 M secret
7 M TiMeLy
trustedkey 1 7

Client B)
1 M secret
5 M RaBBit
7 M TiMeLy
10 M MYKEY
trustedkey 7 10

Essentially, authentication is used by the client to verify that the time server is who it says it is, and that no rogue server intervenes. The key is encrypted and sent to the client by the server, where it is decrypted and checked against the client keys to ensure a match.
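As an added example that is not part of the article, the Python script below parses ntp.keys and trustedkey lines like those shown above, works out which key IDs a given host will actually accept, and then builds and checks the authenticator that NTP appends to a packet under symmetric-key authentication (a 32-bit key ID followed by MD5 over the key and the packet, as specified in RFC 5905). The sample files, the 48-byte packet and all function names are constructed for this example; Client A's configuration is used as the client, so key 7 is shared and key 10 is not.

```python
import hashlib
import hmac
import struct

# Constructed sample files mirroring the article's ntp.keys / trustedkey examples.
SERVER_KEYS = "1 M secret\n5 M RaBBit\n7 M TiMeLy\n10 M MYKEY\n"
SERVER_CONF = "trustedkey 1 7 10\n"
CLIENT_KEYS = "1 M secret\n7 M TiMeLy\n"
CLIENT_CONF = "trustedkey 1 7\n"

def parse_keys(text):
    """Parse 'key-number M key' lines of an ntp.keys file into {id: key bytes}."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, key = line.split(None, 2)
        if ktype != "M":  # the article only covers MD5 ('M') keys
            raise ValueError("unsupported key type: " + ktype)
        keys[int(keyid)] = key.encode()
    return keys

def usable_keys(keys_text, conf_text):
    """Keys present in ntp.keys AND listed on a trustedkey line; the rest are ignored."""
    trusted = set()
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "trustedkey":
            trusted.update(int(p) for p in parts[1:])
    return {k: v for k, v in parse_keys(keys_text).items() if k in trusted}

def sign_packet(packet, keyid, keys):
    """Append the RFC 5905 MAC: 32-bit key ID + MD5 over (key || packet)."""
    digest = hashlib.md5(keys[keyid] + packet).digest()
    return packet + struct.pack("!I", keyid) + digest

def verify_packet(data, keys):
    """Return the key ID if the trailing MAC matches a local trusted key, else None."""
    if len(data) < 48 + 20:  # 48-byte header plus 4-byte key ID and 16-byte digest
        return None
    packet, trailer = data[:-20], data[-20:]
    keyid = struct.unpack("!I", trailer[:4])[0]
    if keyid not in keys:  # unknown or untrusted key ID is rejected outright
        return None
    expected = hashlib.md5(keys[keyid] + packet).digest()
    return keyid if hmac.compare_digest(expected, trailer[4:]) else None

# Constructed 48-byte NTP header: LI=0, version 3, mode 4 (server); other fields zero.
PACKET = bytes([0x1C]) + bytes(47)
```

A packet signed with key 10 is rejected by Client A even though the key is valid on the server, which is the practical effect of giving each client only a subset of the keys.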