From: Ray Van Tassle Date: Fri, 24 Feb 2006 02:08:52 +0000 (+0000) Subject: ntpdc options update X-Git-Tag: NTP_4_2_0B_RC1~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ea2b26e6057c8ce76be0d3a0a84ca46405b606a;p=thirdparty%2Fntp.git ntpdc options update bk: 43fe6ab48BNRqsoA2vz_lWpmUEA5Sw --- diff --git a/html/ntpdc.html b/html/ntpdc.html index 800127eef..d6b7ab9e9 100644 --- a/html/ntpdc.html +++ b/html/ntpdc.html @@ -60,7 +60,19 @@
hostnames [ yes | no ]
If yes is specified, host names are printed in information displays. If no is specified, numeric addresses are printed instead. The default is yes, unless modified using the command line -n switch.
keyid keyid -
This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond to a key number the server has been configured to use for this purpose. +
This command allows the specification of a + key number to be used to authenticate configuration + requests from ntpdc to the host(s). This must + correspond to a key number which the host/server has + been configured to use for this purpose (server + options: trustedkey, and + requestkey). If authentication is not + enabled on the host(s) for ntpdc + commands, the command + "keyid 0" should be given; otherwise the + keyid of the next subsequent addpeer/addserver/broadcast + command will + be used.
quit
Exit ntpdc.
passwd @@ -115,34 +127,53 @@

Authenticated requests always include a timestamp in the packet data, which is included in the computation of the authentication code. This timestamp is compared by the server to its receive time stamp. If they differ by more than a small amount the request is rejected. This is done for two reasons. First, it makes simple replay attacks on the server, by someone who might be able to overhear traffic on your LAN, much more difficult. Second, it makes it more difficult to request configuration changes to your server from topologically remote hosts. While the reconfiguration facility will work well with a server on the local host, and may work adequately between time-synchronized hosts on the same LAN, it will work very poorly for more distant hosts. As such, if reasonable passwords are chosen, care is taken in the distribution and protection of keys and appropriate source address restrictions are applied, the run time reconfiguration facility should provide an adequate level of security.

The following commands all make authenticated requests.

-
addpeer peer_address [ +
addpeer peer_address [ keyid ] [ version ] [ - minpoll|prefer|iburst|burst [...] ] + minpoll# | prefer | iburst | burst | minpoll + N | maxpoll N [...] ] +
addpeer peer_address [ + prefer | iburst | burst | minpoll + N | maxpoll N | keyid + N | version N [...] ]
Add a configured peer association at the given address and operating in symmetric active mode. Note that an existing association with the same peer may be deleted when this command is executed, or may simply be converted to conform to the new configuration, - as appropriate. If the optional keyid - is a nonzero integer, all outgoing packets to + as appropriate. If the keyid + is nonzero, all outgoing packets to the remote server will have an authentication field attached encrypted with this key. If the value is 0 (or not given) no authentication - will be done. The version# can be 1, - 2 or 3 and defaults to 3. The remaining + will be done. If ntpdc's key number has not + yet been set (e.g., by the keyid + command), it will be set to this value. + The version# can be 1 through 4 and defaults to 3. The remaining options are either a numeric value for minpoll or - a literal string prefer, iburst, or - burst, and have the action as specified in the + literals prefer, iburst, + burst, minpoll N, + keyid N, version N, or + maxpoll N (where N is a numeric value), and have the action as specified in the peer configuration file command of ntpd. See the Server Options page for further information. Each flag (or its absence) replaces the previous setting. The prefer keyword indicates a preferred peer (and thus will be used primarily for clock synchronisation if possible). The preferred peer also determines the validity of the PPS signal - if the preferred peer is suitable for synchronisation so is the PPS signal. -
addserver peer_address [ keyid ] [ version ] [ [ minpoll|prefer|iburst|burst [...] ] +
addserver peer_address [ + keyid ] [ version ] [ + minpoll# | prefer | iburst | burst | minpoll + N | maxpoll N [...] ] +
addserver peer_address [ + prefer | iburst | burst | minpoll + N | maxpoll N | keyid + N | version N [...] ] +
Identical to the addpeer command, except that the operating mode is client.
broadcast peer_address [ keyid ] [ version ] [ prefer ] -
Identical to the addpeer command, except that the operating mode is broadcast. In this case a valid key identifier and key are required. The peer_address parameter can be the broadcast address of the local network or a multicast group address assigned to NTP. If a multicast address, a multicast-capable kernel is required. +
Identical to the addpeer command, except + that the operating mode is broadcast. In this + case a valid non-zero key identifier and key are required. The peer_address parameter can be the broadcast address of the local network or a multicast group address assigned to NTP. If a multicast address, a multicast-capable kernel is required.
unconfig peer_address [...]
This command causes the configured bit to be removed from the specified peer(s). In many cases this will cause the peer association to be deleted. When appropriate, however, the association may persist in an unconfigured mode if the remote peer is willing to continue on in this fashion.
fudge peer_address [ time1 ] [ time2 ] [ stratum ] [ refid ] diff --git a/include/ntp.h b/include/ntp.h index e01f8508a..74b910eb1 100644 --- a/include/ntp.h +++ b/include/ntp.h @@ -754,6 +754,7 @@ struct pkt { #define LOOP_ALLAN 8 /* set minimum Allan intercept */ #define LOOP_HUFFPUFF 9 /* set huff-n'-puff filter length */ #define LOOP_FREQ 10 /* set initial frequency */ +#define LOOP_KERN_CLEAR 11 /* reset kernel pll parameters */ /* * Configuration items for the stats printer diff --git a/include/ntp_request.h b/include/ntp_request.h index 1b75f70de..497dbc2f2 100644 --- a/include/ntp_request.h +++ b/include/ntp_request.h @@ -290,6 +290,7 @@ struct resp_pkt { #define INFO_FLAG_AUTHENABLE 0x20 #define INFO_FLAG_SEL_CANDIDATE 0x40 #define INFO_FLAG_SHORTLIST 0x80 +#define INFO_FLAG_IBURST 0x100 /* * Flags in the system information returns diff --git a/ntpd/ntp_loopfilter.c b/ntpd/ntp_loopfilter.c index 33a328d42..85dde2a20 100644 --- a/ntpd/ntp_loopfilter.c +++ b/ntpd/ntp_loopfilter.c @@ -994,6 +994,24 @@ loop_config( ntp_adjtime(&ntv); } #endif /* KERNEL_PLL */ +#endif /* LOCKCLOCK */ + break; + + case LOOP_KERN_CLEAR: +#ifndef LOCKCLOCK +#ifdef KERNEL_PLL + /* Completely turn off the kernel time adjustments. */ + if (pll_control) { + memset((char *)&ntv, 0, sizeof(ntv)); + ntv.modes = MOD_BITS | MOD_FREQUENCY; + ntv.status = STA_UNSYNC; + ntp_adjtime(&ntv); + NLOG(NLOG_SYNCEVENT | NLOG_SYSEVENT) + msyslog(LOG_INFO, + "kernel time sync disabled %04x", + ntv.status); + } +#endif /* KERNEL_PLL */ #endif /* LOCKCLOCK */ break; diff --git a/ntpd/ntp_peer.c b/ntpd/ntp_peer.c index e24a645e8..8947ea6ae 100644 --- a/ntpd/ntp_peer.c +++ b/ntpd/ntp_peer.c @@ -426,13 +426,18 @@ peer_config( * First search from the beginning for an association with given * remote address and mode. If an interface is given, search * from there to find the association which matches that - * destination. + * destination. If the given interface is "any", track down + * the actual interface, because that's what gets put into the + * peer structure. */ peer = findexistingpeer(srcadr, (struct peer *)0, hmode); if (dstadr != 0) { while (peer != 0) { if (peer->dstadr == dstadr) break; + if (dstadr == ANY_INTERFACE_CHOOSE(srcadr) && + peer->dstadr == findinterface(srcadr)) + break; peer = findexistingpeer(srcadr, peer, hmode); } } diff --git a/ntpdc/ntpdc.c b/ntpdc/ntpdc.c index 4c73b001b..5ac496e9d 100644 --- a/ntpdc/ntpdc.c +++ b/ntpdc/ntpdc.c @@ -47,6 +47,7 @@ static const char * prompt = "ntpdc> "; /* prompt to ask him about */ * Keyid used for authenticated requests. Obtained on the fly. */ static u_long info_auth_keyid; +static int keyid_entered = 0; /* * Type of key md5 @@ -154,7 +155,7 @@ static struct xcmd builtins[] = { #define MAXCMDS 100 /* maximum commands on cmd line */ #define MAXHOSTS 200 /* maximum hosts on cmd line */ #define MAXLINE 512 /* maximum line length */ -#define MAXTOKENS (1+1+MAXARGS+2) /* maximum number of usable tokens */ +#define MAXTOKENS (1+1+MAXARGS+MOREARGS+2) /* maximum number of usable tokens */ #define SCREENWIDTH 78 /* nominal screen width in columns */ /* @@ -860,7 +861,7 @@ sendrequest( qpkt.mbz_itemsize = MBZ_ITEMSIZE(0); } - if (!auth) { + if (!auth || (keyid_entered && info_auth_keyid == 0)) { qpkt.auth_seq = AUTH_SEQ(0, 0); return sendpkt((char *)&qpkt, req_pkt_size); } else { @@ -1106,7 +1107,7 @@ docmd( const char *cmdline ) { - char *tokens[1+MAXARGS+2]; + char *tokens[1+MAXARGS+MOREARGS+2]; struct parse pcmd; int ntok; int i, ti; @@ -1696,12 +1697,15 @@ keyid( ) { if (pcmd->nargs == 0) { - if (info_auth_keyid == 0) + if (info_auth_keyid == 0 && !keyid_entered) (void) fprintf(fp, "no keyid defined\n"); + else if (info_auth_keyid == 0 && keyid_entered) + (void) fprintf(fp, "no keyid will be sent\n"); else (void) fprintf(fp, "keyid is %lu\n", (u_long)info_auth_keyid); } else { info_auth_keyid = pcmd->argval[0].uval; + keyid_entered = 1; } }