Configuration ------------- The default ntp.conf file is set up for an NTP "client" that synchronizes to high-stratum NTP servers on the Internet. This should be sufficient for most installations on well-connected hosts that simply want to keep their clocks accurate. The default time servers are servers from a pool.ntp.org vendor zone. Consider replacing this if you have local time servers in your organization or network. A list of public NTP time servers is available on the web at: https://support.ntp.org/bin/view/Servers/WebHome Extra configuration work will be necessary to offer time service to other hosts, to use hardware time receivers, or to synchronize the clocks on networks that are not connected to the Internet. The documentation in the package ntpsec-doc will assist with these tasks. DHCP ---- If DHCP is used to configure the host and the DHCP server sends information about NTP servers, this information will be used automatically. This is done by making a copy of ntp.conf at /run/ntpsec/ntp.conf.dhcp, replacing the server entries with the information provided by the DHCP server, and restarting the NTP server. If you use dhclient, the "ntp-servers" option must be mentioned in the "request" statement in /etc/dhcp/dhclient.conf. This is the default. To ignore the NTP servers sent by the DHCP server, set IGNORE_DHCP to "yes" in /etc/default/ntpsec. To make the DHCP server in the Debian package isc-dhcp-server send NTP server information, add a line like the following at an appropriate place: option ntp-servers ntp1.foo.bar, ntp2.foo.bar; Firewalls --------- If your system is behind a firewall, the port you need to open up to allow the NTP protocol to work (for either ntpdate or ntpd) is UDP port 123. Server-to-server NTP packets usually use this for both source and destination: for extra security, a stateful firewall should block "new" packets with source, but not destination, port 123 from entering your network. If you are using NTS, the NTS-KE uses TCP port 4460. NTS --- Network Time Security (NTS) is "a mechanism for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) to provide cryptographic security for the client-server mode of the Network Time Protocol (NTP)." It has not yet been published as an RFC, but the Internet-Draft has been implemented in NTPsec and other implementations: https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-20 To configure an NTPsec client to use NTS for a particular server connection, add "nts" to that server line in /etc/ntpsec/ntp.conf: server ntp1.example.com nts iburst If the server runs NTS-KE on a different port than TCP port 123, specify the port. For example, CloudFlare uses port 1234: server time.cloudflare.com:1234 nts iburst Note that the NTP Pool Project (pool.ntp.org) does not support NTS. To configure an NTPsec server to support NTS, you must obtain a TLS certificate. Store the certificate (with chain) in /etc/ntpsec/cert-chain.pem and the key in /etc/ntpsec/key.pem. These files need to be readable by ntpd after it has dropped privileges. For example, use mode 640 and group ntpsec for /etc/ntpsec/key.pem; /etc/ntpsec/cert-chain.pem can be world-readable. Also, you need to send ntpd a SIGHUP when the certificate changes. If you want to use certbot, set the certificate name (e.g. the system's FQDN) in the NTPSEC_CERTBOT_CERT_NAME variable in /etc/default/ntpsec, use certbot to request the certificate, and the deploy hook installed by this package will handle the copying and permissioning. Then configure /etc/ntpsec/ntp.conf (or add a file in /etc/ntpsec/ntp.d) with: nts enable mintls TLS1.3 The next release of NTPsec will require TLS 1.3 by default. You need to send ntpd a SIGHUP when the certificate changes. For example, with certbot, you could create /etc/letsencrypt/renewal-hooks/deploy/ntpsec (which must be executable) with the following contents: #!/bin/sh killall -HUP ntpd 2>/dev/null || true Keys ---- When possible, use NTS to provide authenticated time. To interoperate with NTP clients or servers that do not support NTS, you can use the symmetric key method for authenticated time. This requires generating and sharing a secret key between the server and client: 1) Create /etc/ntpsec/ntp.keys: touch /etc/ntpsec/ntp.keys chgrp ntpsec /etc/ntpsec/ntp.keys chmod 640 /etc/ntpsec/ntp.keys 2) Add this line to /etc/ntpsec/ntp.conf: keys /etc/ntpsec/ntp.keys 3) For each association, generate a random key number between 1 and 65535. Generate a random key. The key may be printable ASCII excluding "#" up to 20 characters, or a hex-encoded value of 11 bytes (22 hex characters) to 32 bytes (64 hex characters). (The ntpkeys(8) utility may be useful here, though it's behavior is a bit odd.) Pick a type (an algorithm) that the hosts both support. MD5 is very widely supported. SHA1 is useful if compatibility with FIPS 140-2 is required. SHA256 is a reasonable modern choice if supported, e.g. with NTPsec. Put these values together into a single line: keyno type key 4) Add that line to /etc/ntpsec/ntp.keys. Also, add a comment (using the # character) to document which host uses this key. 5) In /etc/ntpsec/ntp.conf, add the key number to the trustedkey line, which is space separated. For example, if you are using keys 1234 and 5678 (in either client or server mode), use: trustedkey 1234 5678 6) If ntpd is acting as a client, configure the server line as follows, where ntp1.example.com is the hostname and 1234 is the key number: server ntp1.example.com key 1234 7) Restart ntpd (the ntpsec service). For more information, see ntp.keys(5). The other end must be configured similarly. For software other than ntpd, the process will be different, but the keyno, type, and key must match. Refclock Changes ---------------- There is a new syntax for configuring refclocks that uses names instead of numbers encoded in loopback IP addresses. The old syntax is accepted for backwards compatibility. Many refclock drivers have been removed upstream. Several have been disabled in this package. If you were using the Type 45 GPSD client protocol (JSON) driver, you will need to switch to the SHM driver. Two drivers have new device path prefixes: Type 4 - Generic Spectracom Receivers /dev/wwvb0 -> /dev/spectracom0 Type 29 - Trimble Palisade/Thunderbolt/Acutime GPSes /dev/palisade0 -> /dev/trimble0 Both of these drivers, plus this one have been deprecated: Type 11 - Arbiter 1088A/B GPS Receiver If you use any of these, please alert the package maintainer or the upstream NTPsec project right away. While not deprecated, if you use the Type 20 Generic NMEA GPS Receiver driver, you should strongly consider switching to the gpsd and the SHM driver. If you use the SHM driver and apparmor, see the note in: /etc/apparmor.d/usr.sbin.ntpd PPS --- This build of ntpd has been PPS enabled. You can use a PPS reference clock. To achieve better accuracy, you may need to rebuild your kernel with CONFIG_NTP_PPS, which need CONFIG_NO_HZ=n to be set. You may also add CONFIG_RCU_FAST_NO_HZ. You can find more information at: - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691672#41 - https://docs.ntpsec.org/latest/pps.html - https://docs.ntpsec.org/latest/kernpps.html Apparmor Profile ---------------- If your system uses AppArmor, please note that changes in your configuration may require changes to the installed apparmor profile. Before filing a bug, please see: https://wiki.ubuntu.com/DebuggingApparmor When configuring ntpd as an NTS server, if your certificate and key files are not already covered by /etc/apparmor.d/abstractions/ssl_certs and ssl_keys, you will need to add rules to /etc/apparmor.d/local/usr.sbin.ntpd to allow reading them. If your ntpd configuration needs access to a device (e.g. a local DCF clock), you need to add this device to: /etc/apparmor.d/tunables/ntpd For use with clocks that report via shared memory (e.g. gpsd), you may need to give ntpd access to all of shared memory, though this can be considered dangerous. See https://launchpad.net/bugs/722815 for details. To enable, add this to /etc/apparmor.d/local/usr.sbin.ntpd: capability ipc_owner, For either change, reload the AppArmor profile for the changes to take effect: apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd ntpviz ------ A visualization utility, ntpviz, is available in the ntpsec-ntpviz package. When installed, it will configure (by way of an /etc/ntp.d file) ntpd to log stats. It adds systemd units and cron jobs that generate daily and weekly graphs from those stats. If Apache is installed, these will be served at /ntpviz/ by default. Logging ------- By default, ntpd will log via syslog. The daemon will use the LOG_DAEMON facility, leading to ntpd log entries going to /var/log/daemon.log. If you define a logfile location in ntp.conf, the daemon will do direct file system writes to the specified file, avoiding syslog. Previous Debian packages of ntp (but not ntpsec) did this, with the side effect that they had to ship a weekly cron job that stopped the daemon, rotated the log, then restarted the daemon. This is suboptimal; ntpd should be allowed to run more or less forever. This mode of logging is not recommended.