NTP

Debian packages

Debian package required to run an NTP daemon that synchronizes local time, but also provides a time sync service to clients:

ntp

Debian package required to simply synchronize local time:

ntpdate

Documentation package:

ntp-doc


References


Glossary

  • Stratum 1 = Primary Server
  • Stratum 2 = Secondary Server
  • [...]


ntpd or ntpdate?

Quoting from http://www.tldp.org/LDP/sag/html/basic-ntp-config.html:

Many people get the idea that instead of running the NTP daemon, they should just setup a cron job job to periodically run the ntpdate command. There are 2 main disadvantages of using using this method.

The first is that ntpdate does a "brute force" method of changing the time. So if your computer's time is off my 5 minutes, it immediately corrects it. In some environments, this can cause problems if time drastically changes. For example, if you are using time sensitive security software, you can inadvertently kill someones access. The NTP daemon slowly changes the time to avoid causing this kind of disruption.

The other reason is that the NTP daemon can be configured to try to learn your systems time drift and then automatically adjust for it.

So the answer clearly is: ntpd.


System time vs. hardware clock

Edit

/etc/init.d/hwclock.sh
  • Comment (= disable) the line where hwclock is run with the parameter --adjust, in order to prevent conflicts between hwclock and NTP
  • Uncomment (= enable) the line where hwclock is run with the parameter --systohc, in order to write the system time to the hardware clock on reboot

Note: I have not enabled this option.


NTP daemon

Local time sync

To activate an NTP server

  • Add the following lines to /etc/ntp.conf if they don't exist
driftfile /var/lib/ntp/ntp.drift
server ntp.foobar.org
  • Restart the NTP server
  • Wait some time until system time has been updated. The NTP server performs time synchronization in many little steps instead of in one huge fell swoop, so it may take a while until full synchronization has occurred.
  • It is important that the system time is not out-of-sync more than 1000 seconds, otherwise ntp refuses to automatically correct the system time ("time correction exceeds sanity limit")


These days, the default configuration in /etc/ntp.conf seems to work out of the box. The servers configured there are

0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org


Provide time to clients

The configuration file /etc/ntp.conf mentions that, in order to provide time to clients a "broadcast" line needs to be enabled. For instance

broadcast 192.168.1.255
broadcast 192.168.2.255

However, I did not enable these commands because so far my Mac OS X clients were perfectly able to synchronize, once I told them where they were supposed to connect to (System Preferences > Date & Time).


Note: I added a "time-servers" option to my DHCP configuration (e.g. "time-servers 192.168.1.11" on the 192.168.1.0 subnet), but at the time of writing Mac OS X did not honor this option (Mac OS X 10.6). I have not yet tested how Windows behaves.


pool.ntp.org

A long time ago, on my old server osgiliath I tried to use the server pool.ntp.org - which is supposed to assign a different NTP server to my client every time my client is restarted. Unfortunately, pool.ntp.org never seemed to work, even after several attempts to use it. The system time never got corrected - the drift grew to 40 minutes and more until I had to manually re-adjust the system time. Nowadays pool.ntp.org may work better, but I haven't tried anymore.


Prevent the NTP daemon from opening a network port

TL;DR: You can't. The NTP daemon must open a network port, or it won't synchronize time.

And now the long version. If you care about network security, then one principle should be obvious and clear: Every open TCP and UDP port is a potential risk, so if you don't need it, shut it down! Now for the NTP daemon: As long as ntpd is only "fetching" the time and is not acting itself as time server to other clients, there should be no need for ntpd to open any network ports. Right?

Apparently not. According to one of the answers to this ServerFault question

[ntpd] must bind to a routable ip address to work.

This seems pretty stupid, but I was indeed able to confirm the problem. After adding "interface ignore" statements to ntp.conf and restarting the service, ntpd seemed to be stuck in an eternal initialization loop:

root@pelargir:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ds1789963.dedic .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ntp1.as34288.ne .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ch-ntp01.10g.ch .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 lx.ujf.cas.cz   .INIT.          16 -    - 1024    0    0.000    0.000   0.000

So in the end I had to give up and remove all "interface ignore" statements from ntp.conf. Now the output of ntpq looks like this:

root@pelargir:/var/log# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.sunrise.ne 10.19.10.20      2 u    2   64    1    4.364    1.524   0.105
 one.ntp1.pw     128.105.39.11    3 u    1   64    1   96.679   -6.272   0.013
 ms21.snowflakeh 162.23.41.55     2 u    1   64    1    0.888   -3.032   0.054
 ntp0.as34288.ne 85.158.25.74     2 u    2   64    1    1.098   -2.860   0.032

For posterity's sake, here is what I tried. The main thing to know is that you can add one or more "interface ignore" statements to ntp.conf to tell the NTP daemon to not listen on a given network interface.

  • Without any such statements, ntpd listens on the following UDP ports
(result obtained from netstat -lnptu)
udp        0      0 82.195.228.21:123       0.0.0.0:*                           58099/ntpd      
udp        0      0 127.0.0.1:123           0.0.0.0:*                           58099/ntpd      
udp        0      0 0.0.0.0:123             0.0.0.0:*                           58099/ntpd      
udp6       0      0 ::1:123                 :::*                                58099/ntpd      
udp6       0      0 fe80::42a8:f0ff:fe7:123 :::*                                58099/ntpd      
udp6       0      0 :::123                  :::*                                58099/ntpd
  • interface ignore all
    • With only this, ntpd still opens the ports 127.0.0.1:123, 0.0.0.0:123, ::1:123 and :::123
  • interface ignore wildcard
    • With only this, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
    • It is very strange that this prevents listening on 82.195.228.21:123 and the IPv6 port.
  • interface ignore 127.0.0.1
    • With only this, ntpd still opens the ports 127.0.0.1:123, 0.0.0.0:123, ::1:123 and :::123
    • It is very strange that this prevents listening on 82.195.228.21:123 and the IPv6 port.
  • interface ignore wildcard
    interface ignore all
    • The "ignore all" line has no effect, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
  • interface ignore wildcard
    interface ignore 127.0.0.1
    • The "ignore 127.0.0.1" line has no effect, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
  • interface ignore wildcard
    interface ignore ::1
    • ntpd still opens the ports 127.0.0.1:123.
  • This is the most I was able to achieve. It seems to be absolutely impossible to prevent ntpd from listening on 127.0.0.1. It is also weird (to say the least) how ntpd interprets "interface ignore" statements. But since I am forced to let ntpd listend on a public interface anyway, I am not going to pursue this any further.


ntpdate

The Debian package ntpdate provides the utility ntpdate which can be used to immediately adjust the system date at the time when the utility is run - no matter how much off the system time currently is. For instance:

ntpdate time.euro.apple.com

For continuous time sync, you can add the following crontab entry:

pelargir:~# ls -l /etc/cron.hourly/pelargir-ntpdate 
-rwxr-xr-x 1 root root 56 2011-02-09 19:15 /etc/cron.hourly/pelargir-ntpdate

pelargir:~# cat /etc/cron.hourly/pelargir-ntpdate 
#!/bin/sh

/usr/sbin/ntpdate -u -s time.euro.apple.com

There is also the utility ntpdate-debian which uses the configuration in the following file

/etc/default/ntpdate


ntpq

ntpq is the standard NTP query program. For instance, it can be used to check the current time source

ntpq -pn

(the source is the line with the asterisk)

For example:

root@pelargir:~# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+217.147.208.1   194.242.34.149   2 u   61   64    3    9.450  -10.368  10.087
+192.33.214.57   129.194.216.1    3 u   55   64    7   13.198  -10.532   8.899
+94.23.99.155    94.23.99.153     3 u   31   64    7   27.351   -5.038   7.588
*192.33.96.102   .PPS.            1 u   24   64   17    9.889  -12.321  11.285