HP-UX Reference (11i v1 00/12) - 1M System Administration Commands N-Z (vol 4)

xntpdc(1M) xntpdc(1M)
RUNTIME CONFIGURATION REQUESTS
All requests which cause state changes in the server are authenticated by the server using a configured
NTP key. This facility is disabled if the NTP key is not configured. The key number and the corresponding
key must also be made known to xntpdc. This can be done using the keyid and passwd commands, the
latter of which will prompt at the terminal for a password to use as the encryption key. You will also be
prompted automatically for both the key number and password the first time a command which would
result in an authenticated request to the server is given. Authentication not only provides verification that
the requester has permission to make such changes, but also gives an extra degree of protection against
transmission errors.
Authenticated requests always include a timestamp in the packet data, which is included in the computation
of the authentication code. This timestamp is compared by the server to its receive time stamp. If they
differ by more than a small amount the request is rejected. This is done for two reasons. First, it makes
simple replay attacks on the server, by someone who might be able to overhear traffic on your LAN, much
more difficult. Second, it makes it more difficult to request configuration changes to your server from
topologically remote hosts. While the reconfiguration facility will work well with a server on the local host, and
may work adequately between time-synchronized hosts on the same LAN, it will work very poorly for more
distant hosts. As such, if reasonable passwords are chosen, care is taken in the distribution and protection
of keys and appropriate source address restrictions are applied, the run time reconfiguration facility should
provide an adequate level of security.
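
The check described above, written out in Python as an added example; it is not part of the HP-UX reference or of xntpd. The packet layout, the use of HMAC-SHA-256 as the authentication code, the 10-second window and the sample key are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 10.0                    # seconds; assumed stand-in for "a small amount"
TRAILER = struct.Struct("!dI")     # assumed layout: timestamp, key id
MAC_LEN = hashlib.sha256().digest_size

def build_request(keys, keyid, payload, now):
    """Requester: append timestamp and key id, then a MAC over all of it."""
    body = payload + TRAILER.pack(now, keyid)
    return body + hmac.new(keys[keyid], body, hashlib.sha256).digest()

def check_request(keys, packet, recv_time, max_skew=MAX_SKEW):
    """Server: return (accepted, reason) for one received request."""
    if not keys:
        return False, "no key configured, facility disabled"
    if len(packet) < TRAILER.size + MAC_LEN:
        return False, "short packet"
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    ts, keyid = TRAILER.unpack(body[-TRAILER.size:])
    key = keys.get(keyid)
    if key is None:
        return False, "unknown key id"
    # The timestamp is inside the MACed bytes, so it cannot be refreshed
    # by someone who only overheard the packet.
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad authentication code"
    # Written as "not <=" so that a NaN timestamp is rejected as well.
    if not abs(recv_time - ts) <= max_skew:
        return False, "timestamp outside window"
    return True, "ok"

def restamp(packet, new_ts):
    """Overwrite only the timestamp field, leaving the old MAC in place."""
    cut = MAC_LEN + TRAILER.size
    _, keyid = TRAILER.unpack(packet[-cut:-MAC_LEN])
    return packet[:-cut] + TRAILER.pack(new_ts, keyid) + packet[-MAC_LEN:]

if __name__ == "__main__":
    keys = {7: b"constructed-example-key"}          # constructed sample key
    pkt = build_request(keys, 7, b"unconfig 192.0.2.10", now=1000.0)
    print(check_request(keys, pkt, recv_time=1000.3))         # fresh request
    print(check_request(keys, pkt, recv_time=1300.0))         # same bytes, later
    print(check_request(keys, restamp(pkt, 1300.0), 1300.0))  # timestamp rewritten
    print(check_request({}, pkt, recv_time=1000.3))           # no key configured
```

The same window that stops a replayed packet also rejects a legitimate requester whose clock is not close to the server's, which is why the facility works poorly from distant hosts.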
The following commands all make authenticated requests.
addpeer peer_address [keyid] [version] [prefer]
      Add a configured peer association at the given address and operating in symmetric active
      mode. Note that an existing association with the same peer may be deleted when this command
      is executed, or may simply be converted to conform to the new configuration, as
      appropriate. If the optional keyid is a nonzero integer, all outgoing packets to the remote
      server will have an authentication field (encrypted) attached with this key. If the value is 0
      (or not given) no authentication will be done. The version # can be 1, 2 or 3 and defaults to
      3. The prefer keyword indicates a preferred peer (and thus will be used primarily for clock
      synchronization if possible). The preferred peer also determines the validity of the PPS signal
      - if the preferred peer is suitable for synchronization so is the PPS signal.
addserver peer_address [keyid] [version] [prefer]
      Identical to the addpeer command, except that the operating mode is client.
broadcast peer_address [keyid] [version] [prefer]
      Identical to the addpeer command, except that the operating mode is broadcast. In this
      case a valid key identifier and key are required. The peer_address parameter can be the
      broadcast address of the local network or a multicast group address assigned to NTP. If using
      a multicast address, a multicast-capable kernel is required.
unconfig peer_address [...]
      This command causes the configured bit to be removed from the specified peer(s). In many
      cases this will cause the peer association to be deleted. When appropriate, however, the
      association may persist in an unconfigured mode if the remote peer is willing to continue on in
      this fashion.
fudge peer_address [time1] [time2] [stratum] [refid]
      This command provides a way to set certain data for a reference clock. See the source listing
      for further information.
enable [flag] [...]
disable [flag] [...]
      These commands operate in the same way as the enable and disable configuration file
      commands of xntpd. Described below are the flags supported.
      auth    Enables the server to synchronize with unconfigured peers only if the peer has been
              correctly authenticated using a trusted key and key identifier. The default for this
              flag is enable.
      bclient Enables the server to listen for a message from a broadcast or multicast server, as in
              the multicastclient command with default address. The default for this flag is
              disable.
Section 1M1074 4 HP-UX Release 11i: December 2000