.\" $OpenBSD: ntpd.conf.5,v 1.46 2020/05/16 16:58:12 jmc Exp $ .\" .\" Copyright (c) 2003, 2004 Henning Brauer .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES .\" WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN .\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT .\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .Dd $Mdocdate: May 16 2020 $ .Dt NTPD.CONF 5 .Os .Sh NAME .Nm ntpd.conf .Nd Network Time Protocol daemon configuration file .Sh DESCRIPTION This manual page describes the format of the .Xr ntpd 8 configuration file. .Pp .Nm has the following format: .Pp Empty lines and lines beginning with the .Sq # character are ignored. .Pp Keywords may be specified multiple times within the configuration file. The basic configuration options are as follows: .Bl -tag -width Ds .It Xo Ic listen on Ar address .Op Ic rtable Ar table-id .Xc .Xr ntpd 8 has the ability to sync the local clock to remote NTP servers and, if this directive is specified, can act as NTP server itself, redistributing the local clock. .Pp Specify a local IP address or a hostname the .Xr ntpd 8 daemon should listen on to enable remote clients synchronization. If it appears multiple times, .Xr ntpd 8 will listen on each given address. If .Sq * is given as an address, .Xr ntpd 8 will listen on all local addresses using the specified routing table. .Xr ntpd 8 does not listen on any address by default. The optional .Ic rtable keyword will specify which routing table to listen on, if the operating system supports rdomains. By default .Xr ntpd 8 will listen using the current routing table. For example: .Bd -literal -offset indent listen on * .Ed .Pp or .Bd -literal -offset indent listen on 127.0.0.1 listen on ::1 listen on 127.0.0.1 rtable 4 .Ed .It Ic query from Ar sourceaddr Specify a local IP address the .Xr ntpd 8 daemon should use for outgoing queries to subsequently specified servers, which is useful on machines with multiple interfaces. For example: .Bd -literal -offset indent query from 192.0.2.1 query from 2001:db8::1 .Ed .It Xo Ic sensor Ar device .Op Ic correction Ar microseconds .Op Ic refid Ar ID-string .Op Ic stratum Ar stratum-value .Op Ic trusted .Op Ic weight Ar weight-value .Xc Specify a timedelta sensor device .Xr ntpd 8 should use, if the operating system supports sensors. The sensor can be specified multiple times: .Xr ntpd 8 will use each given sensor that actually exists. Non-existent sensors are ignored. If .Sq * is given as device name, .Xr ntpd 8 will use all timedelta sensors it finds. .Xr ntpd 8 does not use any timedelta sensor by default. For example: .Bd -literal -offset indent sensor * sensor nmea0 .Ed .Pp A .Ic correction in microseconds can be given to compensate for the sensor's offset. The maximum correction is 127 seconds. For example, if a DCF77 receiver is lagging 70ms behind actual time: .Bd -literal -offset indent sensor udcf0 correction 70000 .Ed .Pp A .Ic refid .Ar ID-string of up up to 4 ASCII characters can be given to publish the sensor type to clients. RFC 2030 suggests some common reference identifiers, but new identifiers "can be contrived as appropriate." If an .Ar ID-string is not given, .Xr ntpd 8 will use a generic reference ID. For example: .Bd -literal -offset indent sensor nmea0 refid GPS .Ed .Pp The .Ic stratum keyword can be used to change the stratum value from the default of 1. .Pp The .Ic trusted keyword indicates the time learned is secure, trustworthy, and not vulnerable to man-in-the-middle attacks, so .Ic constraints validation is skipped. This is useful for boot-time correction in environments where .Ic constraints cannot be used. .Pp The .Ic weight keyword permits finer control over the relative importance of time sources (servers or sensor devices). Weights are specified in the range 1 to 10; if no weight is given, the default is 1. A server with a weight of 5, for example, will have five times more influence on time offset calculation than a server with a weight of 1. .It Xo Ic server Ar address .Op Ic trusted .Op Ic weight Ar weight-value .Xc Specify the IP address or the hostname of an NTP server to synchronize to. If it appears multiple times, .Xr ntpd 8 will try to synchronize to all of the servers specified. If a hostname resolves to multiple IPv4 and/or IPv6 addresses, .Xr ntpd 8 uses the first address. If it does not get a reply, .Xr ntpd 8 retries with the next address and continues to do so until a working address is found. For example: .Bd -literal -offset indent server 10.0.0.2 weight 5 server ntp.example.org weight 1 .Ed .Pp To provide redundancy, it is good practice to configure multiple servers. In general, best accuracy is obtained by using servers that have a low network latency. .It Xo Ic servers Ar address .Op Ic trusted .Op Ic weight Ar weight-value .Xc As with .Cm server , specify the IP address or hostname of an NTP server to synchronize to. If it appears multiple times, .Xr ntpd 8 will try to synchronize to all of the servers specified. Should the hostname resolve to multiple IP addresses, .Xr ntpd 8 will try to synchronize to all of them. For example: .Bd -literal -offset indent servers pool.ntp.org servers pool.ntp.org weight 5 .Ed .El .Sh CONSTRAINTS .Xr ntpd 8 can be configured to query the .Sq Date from trusted HTTPS servers via TLS. This time information is not used for precision but acts as an authenticated constraint, thereby reducing the impact of unauthenticated NTP man-in-the-middle attacks. Received NTP packets with time information falling outside of a range near the constraint will be discarded and such NTP servers will be marked as invalid. .Pp Support for constraints is only available if .Xr ntpd 8 has been linked with libtls from LibreSSL. Configuring a constraint without libtls causes .Xr ntpd 8 to log a warning message on startup. .Bl -tag -width Ds .It Ic constraint from Ar url [ip...] Specify the URL, IP address or the hostname of an HTTPS server to provide a constraint. If the url is followed by one or more addresses the url and addresses will be tried until a working one is found. The url path and expected certificate name is always taken from the url specified. If .Ic constraint from is used more than once, .Xr ntpd 8 will calculate a median constraint from all the servers specified. .Bd -literal -offset indent server ntp.example.org constraint from www.example.com constraint from "https://9.9.9.9" "2620:fe::9" .Ed .It Ic constraints from Ar url As with .Ic constraint from , specify the URL, IP address or the hostname of an HTTPS server to provide a constraint. Should the hostname resolve to multiple IP addresses, .Xr ntpd 8 will calculate a median constraint from all of them. For example: .Bd -literal -offset indent servers pool.ntp.org constraints from "https://www.google.com/" .Ed .El .Sh FILES .Bl -tag -width /etc/examples/ntpd.conf -compact .It Pa /etc/ntpd.conf Default .Xr ntpd 8 configuration file. .It Pa /etc/examples/ntpd.conf Example configuration file. .El .Sh SEE ALSO .Xr ntpctl 8 , .Xr ntpd 8 , .Xr sysctl 8 .Sh HISTORY The .Nm file format first appeared in .Ox 3.6 .