[70637] in North American Network Operators' Group
Re: ntp config tech note
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu May 20 19:13:01 2004
Date: Thu, 20 May 2004 19:12:27 -0400
From: Jared Mauch <jared@puck.nether.net>
To: "C. Jon Larsen" <jlarsen@richweb.com>
Cc: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.44.0405201833270.20245-100000@pologrounds.richweb.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, May 20, 2004 at 06:37:23PM -0400, C. Jon Larsen wrote:
> 
> 
> On Thu, 20 May 2004, Jared Mauch wrote:
> 
> > 
> > 
> > 	I've found it useful on older machines (PCs with cheap clocks and
> > oscillators) to cron ntpdate once an hour to prevent the clock from
> > getting too far off by itself.  I've found the daemon doesn't do good enough
> > of a job to sync on its own...
> 
> Isn't that a lot safer anyway than running a daemon (ntpd) as root? I do 
> this on my systems (run ntpdate from cron), even though the xntpd 
> docs IIRC specifically advised against this hack. One less 
> vulnerability waiting to be exploited ... is the way I see it.
	well, it does help if your clock goes nicely (or poorly) askew.
problem is any timestamps you may have on that host (radius, smtp, etc..) 
that you use to track down the (l)users on your network can cause a problem.
	all you have to be concerned with is "am i doing ntpdate from something
that can be poisoned".  that's amongst many reasons to have the "your clock is
too far off, you must reset manually" log messages.
	- jared
-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
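The check the reply alludes to ("am I doing ntpdate from something that can be poisoned" and the "too far off, reset manually" log message), written out as an added example that is not from the original thread: an hourly cron wrapper that queries several servers with `ntpdate -q` (which never sets the clock), refuses to touch the clock when the replies disagree or the offset is implausibly large, and logs instead. The server addresses, the limits, the script name and the exact `server ..., stratum ..., offset ..., delay ...` shape of the query output are assumptions.

```shell
#!/bin/sh
# ntp-cron.sh run  -- hourly cron wrapper (added example; hypothetical name).
# Queries several servers (-q never sets the clock), refuses when the
# replies disagree (one poisoned source) or the mean offset is implausibly
# large, and logs "reset manually" instead of stepping the clock.
SERVERS=${SERVERS:-"192.0.2.10 192.0.2.11 192.0.2.12"}   # placeholder addresses
MAX_STEP=${MAX_STEP:-1000}     # seconds: larger offsets are refused
MAX_SPREAD=${MAX_SPREAD:-0.5}  # seconds: servers must agree this closely

# assess OUTPUT MAX_STEP MAX_SPREAD: parse the "server ..., offset X, ..."
# lines of ntpdate -q output; print "adjust <mean>" or "refuse <reason> [value]".
assess() {
    printf '%s\n' "$1" | awk -v max="$2" -v spread="$3" '
        /^server / {
            for (i = 1; i <= NF; i++) if ($i == "offset") { o = $(i + 1); break }
            sub(/,/, "", o); o = o + 0            # strip trailing comma, force numeric
            n++; sum += o
            if (n == 1 || o < lo) lo = o
            if (n == 1 || o > hi) hi = o
        }
        END {
            if (n == 0) { print "refuse no-reply"; exit }
            if (hi - lo > spread) { print "refuse disagreement", (hi - lo); exit }
            mean = sum / n; a = (mean < 0) ? -mean : mean
            if (a > max) { print "refuse too-far-off", mean; exit }
            print "adjust", mean
        }'
}

main() {
    out=$(ntpdate -q $SERVERS 2>/dev/null)
    set -- $(assess "$out" "$MAX_STEP" "$MAX_SPREAD")
    if [ "$1" = adjust ]; then
        ntpdate -u $SERVERS            # -u: unprivileged source port
    else
        logger -t ntp-cron -p daemon.err "clock not set ($*); reset manually"
    fi
}

# Constructed sample replies for offline checking (not real servers).
SAMPLE_OK='server 192.0.2.10, stratum 2, offset 0.003412, delay 0.02591
server 192.0.2.11, stratum 2, offset -0.001877, delay 0.03104
20 May 19:12:27 ntpdate[1234]: adjust time server 192.0.2.10 offset 0.003412 sec'
SAMPLE_POISONED='server 192.0.2.10, stratum 2, offset 0.003412, delay 0.02591
server 192.0.2.11, stratum 2, offset 3600.002100, delay 0.03104'

if [ "${1:-}" = run ]; then main; fi
```

The spread check only helps when the servers are on independent paths; a single upstream that all of them follow defeats it.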