<p>Authenticated requests always include a timestamp in the packet data, which is included in the computation of the authentication code. This timestamp is compared by the server to its receive time stamp. If they differ by more than a small amount the request is rejected. This is done for two reasons. First, it makes simple replay attacks on the server, by someone who might be able to overhear traffic on your LAN, much more difficult. Second, it makes it more difficult to request configuration changes to your server from topologically remote hosts. While the reconfiguration facility will work well with a server on the local host, and may work adequately between time-synchronized hosts on the same LAN, it will work very poorly for more distant hosts. As such, if reasonable passwords are chosen, care is taken in the distribution and protection of keys and appropriate source address restrictions are applied, the run time reconfiguration facility should provide an adequate level of security.</p>
<p>The following commands all make authenticated requests.</p>
<dl>
- <dt><tt>addpeer <i>peer_address</i> [ <i>keyid</i> ] [ <i>version</i> ] [ <i>prefer</i> ]</tt>
- <dd>Add a configured peer association at the given address and operating in symmetric active mode. Note that an existing association with the same peer may be deleted when this command is executed, or may simply be converted to conform to the new configuration, as appropriate. If the optional <tt>keyid</tt> is a nonzero integer, all outgoing packets to the remote server will have an authentication field attached encrypted with this key. If the value is 0 (or not given) no authentication will be done. The <tt>version#</tt> can be 1, 2 or 3 and defaults to 3. The <tt>prefer</tt> keyword indicates a preferred peer (and thus will be used primarily for clock synchronisation if possible). The preferred peer also determines the validity of the PPS signal - if the preferred peer is suitable for synchronisation so is the PPS signal.
- <dt><tt>addserver <i>peer_address</i> [ <i>keyid</i> ] [ <i>version</i> ] [ <i>prefer</i> ]</tt>
+ <dt><tt>addpeer <i>peer_address</i> [
+ <i>keyid</i> ] [ <i>version</i> ] [
+ <i>minpoll|prefer|iburst|burst</i> [...] ]</tt>
+ <dd>Add a configured peer association at the
+ given address and operating in symmetric
+ active mode. Note that an existing association
+ with the same peer may be deleted when this
+ command is executed, or may simply be
+ converted to conform to the new configuration,
+ as appropriate. If the optional <tt>keyid</tt>
+ is a nonzero integer, all outgoing packets to
+ the remote server will have an authentication
+ field attached encrypted with this key. If the
+ value is 0 (or not given) no authentication
+ will be done. The <tt>version#</tt> can be 1,
+ 2 or 3 and defaults to 3. The remaining
+ options are either a numeric value for <tt>minpoll</tt> or
+ a literal string <tt>prefer</tt>, <tt>iburst</tt>, or
+ <tt>burst</tt>, and have the action as specified in the
+ <tt>peer</tt> configuration file command of
+ ntpd. See the <a href="confopt.html">Server Options</a> page for further information.
+ Each flag (or its absence) replaces the
+ previous setting. The <tt>prefer</tt> keyword indicates a preferred peer (and thus will be used primarily for clock synchronisation if possible). The preferred peer also determines the validity of the PPS signal - if the preferred peer is suitable for synchronisation so is the PPS signal.
+ <dt><tt>addserver <i>peer_address</i> [ <i>keyid</i> ] [ <i>version</i> ] [ [ <i>minpoll|prefer|iburst|burst</i> [...] ]</tt>
<dd>Identical to the addpeer command, except that the operating mode is client.
- <dt><tt>broadcast <i>peer_address</i> [ <i>keyid</i> ] [ <i>version</i> ] [ <i>prefer</i> ]</tt>
+ <dt><tt>broadcast <i>peer_address</i> [
+ <i>keyid</i> ] [ <i>version</i> ] [ <i>prefer</i> ]</tt>
<dd>Identical to the addpeer command, except that the operating mode is broadcast. In this case a valid key identifier and key are required. The <tt>peer_address</tt> parameter can be the broadcast address of the local network or a multicast group address assigned to NTP. If a multicast address, a multicast-capable kernel is required.
<dt><tt>unconfig <i>peer_address</i> [...]</tt>
<dd>This command causes the configured bit to be removed from the specified peer(s). In many cases this will cause the peer association to be deleted. When appropriate, however, the association may persist in an unconfigured mode if the remote peer is willing to continue on in this fashion.
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
-</html>
\ No newline at end of file
+</html>
!(inpkt->implementation == IMPL_XNTPD &&
inpkt->request == REQ_CONFIG &&
temp_size == sizeof(struct old_conf_peer))) {
+#ifdef DEBUG
if (debug > 2)
printf("process_private: wrong item size, received %d, should be %d or %d\n",
temp_size, proc->sizeofitem, proc->v6_sizeofitem);
+#endif
req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
return;
}
if ((proc->sizeofitem != 0) &&
((temp_size * INFO_NITEMS(inpkt->err_nitems)) >
(rbufp->recv_length - REQ_LEN_HDR))) {
+#ifdef DEBUG
if (debug > 2)
printf("process_private: not enough data\n");
+#endif
req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
return;
}
struct sockaddr_storage addr;
extern struct peer *sys_peer;
- printf("peer_stats: called\n");
+#ifdef DEBUG
+ if (debug)
+ printf("peer_stats: called\n");
+#endif
items = INFO_NITEMS(inpkt->err_nitems);
ipl = (struct info_peer_list *) inpkt->data;
ip = (struct info_peer_stats *)prepare_pkt(srcadr, inter, inpkt,
#ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR
addr.ss_len = SOCKLEN(&addr);
#endif
- printf("peer_stats: looking for %s, %d, %d\n", stoa(&addr),
+#ifdef DEBUG
+ if (debug)
+ printf("peer_stats: looking for %s, %d, %d\n", stoa(&addr),
ipl->port, ((struct sockaddr_in6 *)&addr)->sin6_port);
+#endif
ipl = (struct info_peer_list *)((char *)ipl +
INFO_ITEMSIZE(inpkt->mbz_itemsize));
if ((pp = findexistingpeer(&addr, (struct peer *)0, -1)) == 0)
continue;
- printf("peer_stats: found %s\n", stoa(&addr));
+#ifdef DEBUG
+ if (debug)
+ printf("peer_stats: found %s\n", stoa(&addr));
+#endif
if (pp->srcadr.ss_family == AF_INET) {
ip->dstadr = (pp->processed) ?
pp->cast_flags == MDF_BCAST ?
&& temp_cp.hmode != MODE_BROADCAST)
fl = 1;
if (temp_cp.flags & ~(CONF_FLAG_AUTHENABLE | CONF_FLAG_PREFER
- | CONF_FLAG_BURST | CONF_FLAG_SKEY))
+ | CONF_FLAG_BURST | CONF_FLAG_IBURST | CONF_FLAG_SKEY))
fl = 1;
cp = (struct conf_peer *)
((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize));
fl |= FLAG_PREFER;
if (temp_cp.flags & CONF_FLAG_BURST)
fl |= FLAG_BURST;
+ if (temp_cp.flags & CONF_FLAG_IBURST)
+ fl |= FLAG_IBURST;
if (temp_cp.flags & CONF_FLAG_SKEY)
fl |= FLAG_SKEY;
if (client_v6_capable && temp_cp.v6_flag != 0) {
#endif
found = 0;
peer = (struct peer *)0;
- printf("searching for %s\n", stoa(&peeraddr));
+#ifdef DEBUG
+ if (debug)
+ printf("searching for %s\n", stoa(&peeraddr));
+#endif
while (!found) {
peer = findexistingpeer(&peeraddr, peer, -1);
if (peer == (struct peer *)0)
i++;
}
+ /* Any extra args are assumed to be "OPT|NTP_STR". */
+ for ( ; i < MAXARGS + MOREARGS;) {
+ if ((i+ti) >= ntok)
+ break;
+ rval = getarg(tokens[i+ti], (int)(OPT|NTP_STR), &pcmd.argval[i]);
+ if (rval == -1) {
+ ti++;
+ continue;
+ }
+ if (rval == 0)
+ return;
+ pcmd.nargs++;
+ i++;
+ }
+
i += ti;
if (i < ntok && *tokens[i] == '>') {
char *fname;
* Maximum number of arguments
*/
#define MAXARGS 4
-
+#define MOREARGS 4
/*
* Flags for forming descriptors.
*/
*/
struct parse {
char *keyword;
- arg_v argval[MAXARGS];
+ arg_v argval[MAXARGS + MOREARGS];
int nargs;
};
{ "", "", "", "" },
"display event timer subsystem statistics" },
{ "addpeer", addpeer, { NTP_ADD, OPT|NTP_UINT, OPT|NTP_UINT, OPT|NTP_STR },
- { "addr", "keyid", "version", "minpoll|prefer" },
+ { "addr", "keyid", "version", "minpoll|prefer|burst ..." },
"configure a new peer association" },
{ "addserver", addserver, { NTP_ADD, OPT|NTP_UINT, OPT|NTP_UINT, OPT|NTP_STR },
- { "addr", "keyid", "version", "minpoll|prefer" },
+ { "addr", "keyid", "version", "minpoll|prefer|burst|iburst ..." },
"configure a new server" },
{ "addrefclock",addrefclock, { NTP_ADD, OPT|NTP_UINT, OPT|NTP_STR, OPT|NTP_STR },
{ "addr", "mode", "minpoll|prefer", "minpoll|prefer" },
flags |= CONF_FLAG_PREFER;
else if (STREQ(pcmd->argval[items].string, "burst"))
flags |= CONF_FLAG_BURST;
+ else if (STREQ(pcmd->argval[items].string, "iburst"))
+ flags |= CONF_FLAG_IBURST;
else {
long val;
if (!atoint(pcmd->argval[items].string, &val)) {
projects / thirdparty / ntp.git / commitdiff
