An attacker on the network can attempt to disrupt a service by sending `NTP` packets with incorrect time information. On systems using the public pool of `NTP` servers, this risk is mitigated by having more than three `NTP` servers in the list of public `NTP` servers in `/etc/ntp.conf`. If only one time source is compromised or spoofed, `ntpd` will ignore that source. You should conduct a risk assessment and consider the impact of incorrect time on your applications and organization. If you have internal time sources you should consider steps to protect the network over which the `NTP` packets are distributed. If you conduct a risk assessment and conclude that the risk is acceptable, and the impact to your applications minimal, then you can choose not to use authentication.
The broadcast and multicast modes require authentication by default. If you have decided to trust the network, you can disable authentication by using the [command]#disable auth# directive in the `ntp.conf` file. Otherwise, authentication must be configured, either with SHA1 or MD5 symmetric keys or with public (asymmetric) key cryptography using the Autokey scheme. The Autokey scheme for asymmetric cryptography is explained in the `ntp_auth(8)` man page and the generation of keys is explained in `ntp-keygen(8)`. To implement symmetric key cryptography, see xref:Configuring_NTP_Using_ntpd.adoc#s2_Configuring_Symmetric_Authentication_Using_a_Key[Configuring Symmetric Authentication Using a Key] for an explanation of the [option]`key` option.
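The two mitigations above (enough independent sources that a single spoofed one is outvoted, and authentication of sources and of broadcast mode) can be checked mechanically. The following is an added example, not part of the original guide and not a tool shipped with `ntp`: it parses a constructed `ntp.conf` and reports sources without a [option]`key` option, key ids that are not listed in `trustedkey`, a broadcast line without a key while authentication is enabled, and, looking ahead to the access control entries described later in this chapter, a `restrict default` line missing any of `nomodify notrap nopeer noquery`. The sample configuration, the threshold of four sources, and the `ntp1.example.internal` host name are assumptions made for the example; the `( low ... high )` range form of `trustedkey` is not handled.

```python
"""Audit an ntp.conf for the mitigations discussed above (added example)."""

# Constructed sample /etc/ntp.conf; not taken from any real host.
SAMPLE_NTP_CONF = """\
# drift file, must be writable by ntpd
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer
restrict 127.0.0.1
keys /etc/ntp/keys
trustedkey 10 20
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server ntp1.example.internal iburst key 10
broadcast 192.168.1.255 key 30
"""

REQUIRED_RESTRICT = ("nomodify", "notrap", "nopeer", "noquery")
MIN_SOURCES = 4          # "more than three" sources, so one bad source is outvoted
SOURCE_DIRECTIVES = ("server", "pool", "peer")


def parse_ntp_conf(text):
    """Split ntp.conf into (directive, [args]) pairs; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            entries.append((words[0], words[1:]))
    return entries


def key_id(args):
    """Integer following a 'key' option on a server/broadcast line, or None."""
    if "key" in args:
        i = args.index("key")
        if i + 1 < len(args) and args[i + 1].isdigit():
            return int(args[i + 1])
    return None


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_ntp_conf(text)
    findings = []

    # 1. Enough independent sources that a single spoofed/compromised one is ignored.
    sources = [(d, a) for d, a in entries if d in SOURCE_DIRECTIVES and a]
    if len(sources) < MIN_SOURCES:
        findings.append(f"only {len(sources)} time source(s) configured, want at least {MIN_SOURCES}")

    # 2. Authentication: keys file, trusted key ids, and the key option on each line.
    auth_disabled = any(d == "disable" and "auth" in a for d, a in entries)
    keys_file = any(d == "keys" and a for d, a in entries)
    trusted = set()
    for d, a in entries:
        if d == "trustedkey":
            trusted |= {int(t) for t in a if t.isdigit()}  # plain ids only (assumption)

    for d, a in sources:
        k = key_id(a)
        if k is None:
            findings.append(f"{d} {a[0]} is not authenticated (no key option)")
        elif k not in trusted:
            findings.append(f"{d} {a[0]} uses key {k} which is not listed in trustedkey")
        elif not keys_file:
            findings.append(f"{d} {a[0]} uses key {k} but no keys file directive is set")

    # Broadcast/multicast mode requires a key unless 'disable auth' was chosen deliberately.
    for d, a in entries:
        if d == "broadcast" and a:
            k = key_id(a)
            if k is None and not auth_disabled:
                findings.append(f"broadcast {a[0]} has no key option while authentication is enabled")
            elif k is not None and k not in trusted:
                findings.append(f"broadcast {a[0]} uses key {k} which is not listed in trustedkey")

    # 3. Default access restriction, as in the distribution's default ntp.conf.
    defaults = [a for d, a in entries if d == "restrict" and a[:1] == ["default"]]
    if not defaults:
        findings.append("no 'restrict default' line; remote hosts are unrestricted")
    for a in defaults:
        missing = [f for f in REQUIRED_RESTRICT if f not in a[1:]]
        if missing:
            findings.append("restrict default is missing: " + " ".join(missing))

    # 4. Drift file, so the frequency correction survives a restart.
    if not any(d == "driftfile" and a for d, a in entries):
        findings.append("no driftfile directive; frequency estimate is lost at restart")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp_conf(SAMPLE_NTP_CONF):
        print("-", finding)
```

Run against the sample, the audit lists the three public pool servers as unauthenticated (acceptable after the risk assessment described above, but worth seeing), flags the broadcast key `30` that is not in `trustedkey`, and reports the missing `noquery`. A configuration with four keyed sources, a `keys` file, matching `trustedkey` ids and the full `restrict default` line produces no findings.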
Managing the Time on Virtual Machines
Virtual machines cannot access a real hardware clock, and a virtual clock is not stable enough because its stability depends on the host system's workload. For this reason, para-virtualized clocks should be provided by the virtualization application in use (for more information see _[Libvirt Managed Timers]_ in the _Virtualization Administration Guide_). On {MAJOROS} with [application]*KVM* the default clock source is [option]`kvm-clock`. See the [citetitle]_link:++[KVM guest timing management]_ chapter of the [citetitle]_Virtualization Host Configuration and Guest Installation Guide_.
Understanding Leap Seconds
Greenwich Mean Time (GMT) was derived by measuring the solar day, which is dependent on the Earth's rotation. When atomic clocks were first made, more accurate definitions of time became possible. In 1958, International Atomic Time (TAI) was introduced, based on the more accurate and very stable atomic clocks. A more accurate astronomical time, Universal Time 1 (UT1), was also introduced to replace GMT. The atomic clocks are in fact far more stable than the rotation of the Earth, and so the two times began to drift apart. For this reason Coordinated Universal Time (UTC) was introduced as a practical measure. It is kept within one second of UT1, but to avoid making many small trivial adjustments it was decided to introduce the concept of a _leap second_ in order to reconcile the difference in a manageable way. The difference between UT1 and UTC is monitored until they drift apart by more than half a second. Only then is it deemed necessary to introduce a one second adjustment, forward or backward. Due to the erratic nature of the Earth's rotational speed, the need for an adjustment cannot be predicted far into the future. The decision as to when to make an adjustment is made by the [citetitle]_link:++[International Earth Rotation and Reference Systems Service (IERS)]_. However, these announcements are important only to administrators of Stratum 1 servers, because `NTP` transmits information about pending leap seconds and applies them automatically.
Understanding the ntpd Configuration File
The daemon, `ntpd`, reads the configuration file at system start or when the service is restarted. The default location for the file is `/etc/ntp.conf` and you can view the file by entering the following command:
~]${nbsp}pass:attributes[{blank}][command]#less /etc/ntp.conf#
The configuration commands are explained briefly later in this chapter, see xref:Configuring_NTP_Using_ntpd.adoc#s1-Configure_NTP[Configure NTP], and more verbosely in the `ntp.conf(5)` man page.
Here follows a brief explanation of the contents of the default configuration file:
The driftfile entry
A path to the drift file is specified; the default entry on {MAJOROS} is:
driftfile /var/lib/ntp/drift
If you change this, be certain that the directory is writable by `ntpd`. The file contains one value, used to adjust the system clock frequency after every system or service start. See xref:Configuring_NTP_Using_ntpd.adoc#s1-Understanding_the_Drift_File[Understanding the Drift File] for more information.
The access control entries
The following line sets the default access control restriction:
restrict default nomodify notrap nopeer noquery
The [option]`nomodify` option prevents any changes to the configuration.
The [option]`notrap` option prevents `ntpdc` control message protocol traps.