From 9c0a3ce4ff0c8bc00dbb8497193c2fc5f015c5aa Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Thu, 3 Mar 2016 22:45:52 -0600 Subject: NTP configuration cleanup and add documentation for new vars. --- templates/ntp.conf.j2 | 78 +++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 63 insertions(+), 15 deletions(-) (limited to 'templates/ntp.conf.j2') diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2 index b0ddb0c..cc1e0f0 100644 --- a/templates/ntp.conf.j2 +++ b/templates/ntp.conf.j2 @@ -1,22 +1,70 @@ # {{ ansible_managed }} -# Default NTP servers for the operating system. +# For more information about this file, see the man pages +# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). + +driftfile /var/lib/ntp/drift + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + +# Use public servers from the pool.ntp.org project. +# Please consider joining the pool (http://www.pool.ntp.org/join.html). {% for item in ntp_servers %} server {{ item }} {% endfor %} -# Security: -# -# By default, only allow time queries and block all other requests -# from unauthenticated clients. -# -# See http://support.ntp.org/bin/view/Support/AccessRestrictions -# for more information. -# -restrict default kod limited nomodify notrap nopeer noquery -restrict -6 default kod limited nomodify notrap nopeer noquery - -# The following settings allow unrestricted access from the localhost +# Permit time synchronization with our time source, but do not +# permit the source to query or modify the service on this system. +restrict default nomodify notrap nopeer noquery + +# Permit all access over the loopback interface. This could +# be tightened as well, but to do so would effect some of +# the administrative functions. restrict 127.0.0.1 -restrict -6 ::1 -restrict 127.127.1.0 +restrict ::1 + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + +# Enable public key cryptography. +#crypto + +#includefile /etc/ntp/crypto/pw + +# Key file containing the keys and key identifiers used when operating +# with symmetric key cryptography. +#keys /etc/ntp/keys + +# Specify the key identifiers which are trusted. +#trustedkey 4 8 42 + +# Specify the key identifier to use with the ntpdc utility. +#requestkey 8 + +# Specify the key identifier to use with the ntpq utility. +#controlkey 8 + +# Enable writing of statistics records. +#statistics clockstats cryptostats loopstats peerstats + +# Disable the monitoring facility to prevent amplification attacks using ntpdc +# monlist command when default restrict does not include the noquery flag. See +# CVE-2013-5211 for more details. +# Note: Monitoring will not be disabled with the limited restriction flag. +disable monitor + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) +#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, de-comment the +# next lines. Please do this only if you trust everybody on the network! +#disable auth +#broadcastclient -- cgit v1.2.3