How to Configure your Linux NTP Server

Network Time Protocol (NTP) provides algorithms and defines messages for the synchronisation of time clients to an accurate time reference. This article discusses how to configure a Linux NTP Time Server to synchronise time with an Internet based public NTP Server.

NTP server systems fall into two categories: primary reference servers and secondary reference servers. Primary reference servers use an external timing reference to provide time, such as GPS or radio clocks. Secondary reference servers synchronise with primary reference NTP servers and offer slightly reduced accuracy. Primary reference servers are designated stratum 1 servers, while secondary servers have a stratum greater than 1.

The NTP Distribution

The NTP source code is freely available from the Network Time Protocol web site. The current version available for download is 4.2.4. NTP is available for the Linux operating systems with ports available for Windows NT. Once the source code is downloaded, it should be configured, compiled and installed on the host machine. Many Linux operating systems, such as RedHat, offer NTP RPM packages.

Configuring NTP

The ‘ntp.conf' file is main source of configuration information for a NTP server installation. Amongst other things, it contains a list of reference clocks that the installation is to synchronise. A list of NTP server references is specified with the ‘server' configuration command thus:

server time-a.nist.gov # NIST, Gaithersburg, Maryland NTP server
server time-c.timefreq.bldrdoc.gov # NIST, Boulder, Colorado NTP server

Controlling the NTP Server Daemon

Once configured, the NTP daemon can be started, stopped and restarted using the commands: ‘ntpd start'; ‘ntpd stop' and ‘ntpd restart'. The NTP server daemon can be queried using the ‘ntpq -p' command. The ntpq command queries the NTP server for synchronisation status and provides a list of servers with synchronisation information for each server.

NTP Access Control

Access to the NTP server can be restricted using the ‘restrict' directive in the ntp.conf file. You can restrict all access to the NTP server with:

restrict default ignore

To only allow machines on your own network to synchronize with the server use:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Multiple restrict directives can be specified in the ntp.conf file to restrict access to a specified range of computers.

Authentication Options

Authentication allows a matching passwords to be specified by the NTP server and associated clients. NTP keys are stored in the ntp.keys file in the following format: Key-number M Key (The M stands for MD5 encryption), e.g.:

1 M secret
5 M RaBBit
7 M TiMeLy
10 M MYKEY

In the NTP configuration file ntp.conf, specify which of the keys specified above are trusted, i.e. are secure and you want to use. Any keys specified in the keys file but not trusted will not be used for authentication, e.g.:

trustedkey 1 7 10

The NTP server is now configured for authentication.

Client Configuration for Authentication

The client needs to be configured with similar information as the server, however, you may use a subset of the keys specified on the server. A different subset of keys can be used on different clients, e.g.:

Client A)
1 M secret
7 M TiMeLy

trustedkey 1 7

Client B)
1 M secret
5 M RaBBit
7 M TiMeLy
10 M MYKEY

trustedkey 7 10

Essentially authentication is used by the client to authenticate that the time server is who he says he is, and that no rogue server intervenes. The key is encrypted and sent to the client by the server where it is unencrypted and checked against the client keys to ensure a match.