HP-UX Internet Services Administrator's Guide (May 2010)

IMPORTANT: The startup script automatically calculates the proper value for
authdelay for the local system and writes it into the configuration file
/etc/ntp.conf. Do not modify this value.
-k keyfile
This option specifies the file that contains the encryption keys used by xntpd.
-t key
This option specifies the encryption key IDs that are trusted as synchronization
sources.
Restricting Incoming NTP Packets
xntpd provides a mechanism for restricting access to the local daemon from certain
sources. In the /etc/ntp.conf file, you can define a restriction list that contains the
addresses or addresses and masks of sources that may send NTP packets to the local
host. For each address or address-mask specified in the restriction list, you can define
flags to restrict time service or queries to the local host.
The source address of each incoming NTP packet is then compared to the restriction
list. If a source address matches an entry in the restriction list, the restriction defined
by the corresponding flag is applied to the incoming packet. If an address-mask is
specified in the restriction list, the source address of each incoming NTP packet is
ANDed with the mask, and then compared with the associated address for a match.
The restriction list should not be considered an alternative to authentication. It is most
useful for keeping unwanted or broken remote time servers from affecting your local
host. An entry in the restriction list has the following format:
restrict address [mask mask] [ntpport] [flag] [flag2]...
The keyword ntpport causes the restriction list entry to be matched only if the source
port in the packet is the NTP UDP port 123.
Table 4-6 shows the flags that can be specified for xntpd:
Table 4-6 Restrict Option Flags
Flag        Effect
ignore      Ignore all packets.
noquery     Ignore ntpq queries.
nomodify    Ignore ntpq packets that attempt to modify the state of the server.
noserve     Ignore requests for time, but permit ntpq queries.
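
The following is an added example, not code from the HP-UX guide or from xntpd: a small auditing script that parses restrict entries in the format shown above and reports which entries a given packet source would match, using the AND-with-mask comparison and the ntpport rule described in this section. The sample configuration is constructed, the function names are hypothetical, and treating an entry without a mask as a single-host entry is an assumption.

```python
import ipaddress

NTP_PORT = 123
KNOWN_FLAGS = {"ignore", "noquery", "nomodify", "noserve"}  # flags from Table 4-6

# Constructed sample restriction list (documentation-range addresses).
SAMPLE_CONF = """\
restrict 192.0.2.0 mask 255.255.255.0 nomodify
restrict 198.51.100.7 ignore
restrict 203.0.113.0 mask 255.255.255.0 ntpport noquery
"""

def parse_restrict(line):
    """Parse 'restrict address [mask mask] [ntpport] [flag]...'; None for other lines."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    entry = {"address": int(ipaddress.IPv4Address(tokens[1])),
             "mask": 0xFFFFFFFF,  # assumption: no mask means a single host
             "ntpport": False, "flags": []}
    rest = iter(tokens[2:])
    for tok in rest:
        if tok == "mask":
            entry["mask"] = int(ipaddress.IPv4Address(next(rest)))
        elif tok == "ntpport":
            entry["ntpport"] = True
        elif tok in KNOWN_FLAGS:
            entry["flags"].append(tok)
        else:
            raise ValueError(f"unknown restrict token: {tok!r}")
    return entry

def load_restrictions(text):
    """Return the parsed restrict entries found in configuration text."""
    return [e for e in map(parse_restrict, text.splitlines()) if e]

def matching_flags(entries, src_addr, src_port):
    """Return the flag list of every entry that the packet source matches."""
    src = int(ipaddress.IPv4Address(src_addr))
    hits = []
    for e in entries:
        if e["ntpport"] and src_port != NTP_PORT:
            continue  # ntpport entries match only when the source port is 123
        if (src & e["mask"]) == e["address"]:  # AND with mask, then compare
            hits.append(e["flags"])
    return hits

if __name__ == "__main__":
    acl = load_restrictions(SAMPLE_CONF)
    for src, port in [("192.0.2.55", 123), ("203.0.113.9", 50000), ("198.51.100.8", 123)]:
        print(src, port, matching_flags(acl, src, port))
```

The script returns every matching entry; which entry takes effect when several match is not covered by this section.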