On Wed, May 13, 2026 at 09:27:32PM +0100, Daniel wrote:
> Hello!
> Thank you for your comments.
>
> I took a while to read the man pages and also to make some searches...
> Man page says:
> "Time can also be fetched from TLS HTTPS servers to reduce the impact of
> unauthenticated NTP man-in-the-middle attacks."
The time fetched from HTTPS servers is not used to set the clock, but
only to validate NTP replies.
ntpd.conf has more details on how that mechanism works.
-Otto
>
> So it seems that we can assume that the clock is still corrected having
> only "constraints" in ntpd.conf. Maybe that is not enough to have "ntpctl -s
> status" saying "clock synced".
>
> This is an interesting subject and it would be great to have it really clear
> I respect your opinion. And I know I am just an openbsd rookie, but I
> believe that there can be some contradiction between what the man page says
> and your response.
>
> Thank you and I hope that this subject can convince more "experts" to give
> their valuable feedback.
>
> Thank you,
>
> Daniel
>
> On Sun, May 10, 2026 at 8:35 PM Peter Hessler <[email protected]> wrote:
>
> > On 2026 May 10 (Sun) at 18:53:15 +0100 (+0100), Daniel wrote:
> > :Hello !!
> > :
> > :I am a beginner in openbsd.
> > :After install and basic configuration I am trying to configure pf. I began
> > :with something very restrictive and blocked ntpd to go out to port 123. I
> >
> > That won't work.
> >
> >
> > :did it because I understood that I can configure ntpd.conf to use only the
> > :restrictions through https (which is open in the firewall).
> >
> > Sorry, but you misunderstood how constraints work. They will put a
> > barrier on the time window, but not be used for an actual sync.
> >
> >
> > :But when I do "ntpctl -s status" I am getting:
> > :constraint offset -1s, no peers and no sensors configured
> > :clock unsynced
> > :Does that mean that ntpd is not able to sync the clock?
> > :If yes, what am I doing wrong?
> >
> > You'll need to allow udp/123 to your listed time source servers.
> >
> > (Note that if you use dynamic sources such as "pool.ntp.org", then keep
> > in mind that pf will only use what was resolved when pfctl was last run,
> > which may or may not match what ntpd has resolved and is trying to use.)
> >
> >
> > :
> > :Thank you!!
> > :
> > :Daniel
> >
> > -peter
> >
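The two points made in this thread (constraints only bound the time window, so ntpd still needs udp/123 to its servers; and pf resolves hostnames only when the ruleset is loaded) as a pf.conf and ntpd.conf example. This is an added illustration, not configuration posted by anyone in the thread. The "block out all" starting point and the server and constraint hostnames are assumptions; the "user _ntp" clause assumes the NTP client sockets are opened by ntpd's unprivileged _ntp process and can be dropped if in doubt.

```conf
# /etc/pf.conf

# --- before: what the question describes. HTTPS is allowed, udp/123 is not.
# ntpd can still fetch its constraint over TLS, but no server ever answers,
# so "ntpctl -s status" shows a constraint offset, "no peers" and
# "clock unsynced". The constraint never sets the clock on its own.
block out all
pass out proto tcp to port https

# --- after: open only what ntpd actually needs.
block out all
pass out proto udp to port 53              # ntpd has to resolve its server names
pass out proto tcp to port https           # constraint fetch (bounds the window)
# Do NOT write "to pool.ntp.org port 123": pf resolves that name once when
# the ruleset is loaded, ntpd resolves it separately and later, and the two
# address sets need not overlap. Match on the port and the socket owner instead.
pass out proto udp to port 123 user _ntp   # the real time sync

# /etc/ntpd.conf
# "servers" is what actually disciplines the clock; "constraints" only
# rejects NTP replies that fall too far from the TLS-derived time.
servers pool.ntp.org
constraints from "https://www.google.com"
```

After loading with `pfctl -f /etc/pf.conf` (check syntax first with `pfctl -nf /etc/pf.conf`) and restarting ntpd, `ntpctl -s all` should list peers with a valid flag; "clock synced" appears in `ntpctl -s status` only after the server offsets have been used, never from a constraint alone.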