Re: [Fed-Talk] OS X as NTP Server
Re: [Fed-Talk] OS X as NTP Server
- Subject: Re: [Fed-Talk] OS X as NTP Server
- From: Rex Sanders <email@hidden>
- Date: Thu, 11 May 2006 16:25:54 -0700
I'm not an expert, but I have played with NTP on Unix for many years.
- Make sure you have "Network Time" enabled in the Mac OS X built-in firewall:
System Preferences > Sharing > Firewall >
Check the "Network Time" box.
And make sure you aren't blocking UDP in the Options.
- My desktop Mac OS X 10.4.6 is an open NTP server by default. I can get
time from it, no authentication required. For example, using the Sun
server down the hall:
9* ntpdate -q -u 192.168.1.71
server 192.168.1.71, stratum 16, offset 2.381722, delay 0.02579
11 May 15:40:45 ntpdate[19555]: no server suitable for synchronization found
which means my Mac is about 2.3 seconds off. Terrible by NTP standards!
I don't have access to Mac OS X server, hope they have better ntp performance.
- Debugging NTP problems almost always requires looking at the full
/etc/ntp.conf file. You can obfuscate DNS names and IP addresses if you
are worried about security. Here's the /etc/ntp.conf file from my desktop
Mac:
server tttttt.usgs.gov minpoll 12 maxpoll 17
Definitely a non-standard server (tttttt is a local NTP server); most Macs
default point to "time.apple.com".
On NTP security:
- Just one NTP security hole was reported in the past 10 years, and that
was easily blocked with changes to ntp.conf before the patch came out.
- NTP can "leak" information if not properly configured. But the leaked
information is not that useful.
- NTP authentication *only* helps ensure you are getting time from the
correct servers, and doesn't solve any other general security problems.
Firewalls can still be your friend or enemy.
- Generally, we have much worse security problems to worry about than
anything related to NTP. Like today's Apple Security Update!
NTP protocols and software are finely tuned by world-class engineers, and
NTP has many tunable-but-very-obscure parameters, but nobody's written a
"dummy's guide" to NTP yet, and it's not easy to figure out from the
existing docs. Apple has hidden most NTP mysteries in Mac OS X to improve
the user experience.
The "official" NTP web site is www.ntp.org , though much of the content is
hosted at www.eecis.udel.edu.
Hope this helps.
-- Rex
At 5:37 PM -0400 5/11/06, Brian Raymond wrote:
>How did you configure the NTP servers on OSX? I took a quick look at the man
>page and it states by default authentication is enabled for ntpd, given that
>other clients will not be able to connect unless they authenticate. There
>are three modes of authentication supported but nothing is called out in
>ntp.conf. I assume you would either need to turn off authentication, or
>broadcast/multicast/manycast the time to clients.
>
>This site has good documentation on it.
>
>http://www.eecis.udel.edu/~ntp/ntp_spool/html/ntpd.html
>
>- Brian
>
>
>On 5/10/06 10:34 AM, "Michael Kluskens" <email@hidden> wrote:
>
>> Trying to configure two different OS X machines as NTP servers (one
>> is OS X 10.4.6 and the other is OS X 10.3.9 Server, on different
>> networks isolated from the outside world).
>>
>> ntpd is running just fine on the machines but my other machines
>> (Linux & Unix) can't seem to see the OS X ntpd server but they can
>> see a Linux ntpd server just fine (I check the standard firewall
>> issues, no problems there).
>>
>> I've done a lot of reading and searching for info about ntpd and all
>> I can find is how important it is to restrict access to your ntpd
>> server.
>>
>> *** In theory all ntpd's run as client and server by default, did
>> Apple disable the server part in their built of ntpd?
>>
>> Michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden