summaryrefslogtreecommitdiffstats
path: root/usr.sbin/ntp/doc/ntp.conf.5
diff options
context:
space:
mode:
Diffstat (limited to 'usr.sbin/ntp/doc/ntp.conf.5')
-rw-r--r--usr.sbin/ntp/doc/ntp.conf.577
1 files changed, 70 insertions, 7 deletions
diff --git a/usr.sbin/ntp/doc/ntp.conf.5 b/usr.sbin/ntp/doc/ntp.conf.5
index 3f075a1..343f574 100644
--- a/usr.sbin/ntp/doc/ntp.conf.5
+++ b/usr.sbin/ntp/doc/ntp.conf.5
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt NTP_CONF 5 File Formats
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:30:57 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:18:07 AM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -2395,16 +2395,18 @@ a 6\-bit code. The default value is 46, signifying Expedited Forwarding.
.Oo
.Cm auth | Cm bclient |
.Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
.It Xo Ic disable
.Oo
.Cm auth | Cm bclient |
.Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
Provides a way to enable or disable various server options.
@@ -2478,6 +2480,67 @@ See the
section for further information.
The default for this flag is
.Ic disable .
+.It Cm unpeer_crypto_early
+By default, if
+.Xr ntpd 8
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_crypto_nak_early
+By default, if
+.Xr ntpd 8
+receives a crypto\-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto\-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_digest_early
+By default, if
+.Xr ntpd 8
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
.El
.It Ic includefile Ar includefile
This command allows additional configuration commands
@@ -2836,7 +2899,7 @@ A snapshot of this documentation is available in HTML format in
.Sh "AUTHORS"
The University of Delaware and Network Time Foundation
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
The syntax checking is not picky; some combinations of
OpenPOWER on IntegriCloud