On 2016-03-17 10:29, Per Jessen wrote:
Carlos E. R. wrote:
It must be this configuration paragraph:
# Clients from this (example!) subnet have unlimited access, but only
# if cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
So I need to add that crypto auth. How? :-?
In ntp, that's probably done by adding a key to /etc/ntp.keys:
<k> M sometexttexttexttext (max 20 I think).
The key needs to be configured on both ends.
Why not just comment out that restrict?
There was a vulnerability some time ago and that was recommended.

Actually, I do not need to give full access to the LAN. I just need access to time clients. This is the full config paragraph:

# Access control configuration; see /usr/share/doc/packages/ntp/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust

I understand it allows access to clients :-?

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
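
An added example, not part of the thread: a small Python check of which restrict entry applies to a given client in the configuration quoted above. It follows the matching rule in ntpd's access-control documentation (entries sorted by address, then mask, with the last match supplying the flags) and treats `notrust` as "deny packets that are not cryptographically authenticated". The function names and client addresses are made up for the example, and a bare `default` is assumed to cover both address families.

```python
import ipaddress

# Constructed sample: the restrict lines from the ntp.conf quoted above.
NTP_CONF = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 notrust
"""

def parse_restrict(conf):
    """Parse 'restrict' lines into (network, flags) pairs."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        versions = (4, 6)  # assumption: a bare "default" covers both families
        if tok[0] in ("-4", "-6"):
            versions, tok = (int(tok[0][1]),), tok[1:]
        addr, tok = tok[0], tok[1:]
        if addr == "default":
            nets = [ipaddress.ip_network("0.0.0.0/0" if v == 4 else "::/0")
                    for v in versions]
        else:
            prefix = ipaddress.ip_address(addr).max_prefixlen  # no mask: one host
            if tok[:1] == ["mask"]:
                prefix = bin(int(ipaddress.ip_address(tok[1]))).count("1")
                tok = tok[2:]
            nets = [ipaddress.ip_network(f"{addr}/{prefix}", strict=False)]
        entries += [(net, tok) for net in nets]
    return entries

def flags_for(client, entries):
    """Flags of the entry that applies: sort by address then mask, last match wins."""
    ip = ipaddress.ip_address(client)
    hits = [e for e in entries if e[0].version == ip.version and ip in e[0]]
    hits.sort(key=lambda e: (int(e[0].network_address), e[0].prefixlen))
    return hits[-1][1] if hits else None

def requires_auth(client, entries):
    """True when the matching entry carries notrust."""
    return "notrust" in (flags_for(client, entries) or [])

if __name__ == "__main__":
    entries = parse_restrict(NTP_CONF)
    for client in ("192.168.1.50", "10.0.0.5", "127.0.0.1"):
        print(client, flags_for(client, entries), requires_auth(client, entries))
```

The flags of the matching entry replace the default flags rather than adding to them, so a host in 192.168.1.0/24 is governed by `notrust` alone and not by the `noquery`/`nomodify` defaults.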