On Sun, Nov 10, 2019 at 05:03:02PM -0700, Theo de Raadt wrote:

> The ntpd options -s and -S are going to be removed soon and at startup
> with print:
> 
>     -s option no longer works and will be removed soon.
>     Please reconfigure to use constraints or trusted servers.
> 
> Probably after 6.7 we'll delete the warning.  Maybe for 6.8 we'll remove
> -s and -S from getopt, and starting with those options will fail.
> 
> Effective immediately, the -s option stops doing what you expect.  It now
> does nothing.
> 
> Big improvements have happened in ntpd recently.  At startup, ntpd
> aggressively tries to learn from NTP packets validated by constraints,
> and set the time.
> 
> That means a smarter variation of -s is the default, but the information
> is now *VALIDATED* by constraints.
> 
> 2 additional constraints have been added.  If you have upgraded, please
> review /etc/examples/ntpd.conf for modern use
> 
> Those who cannot use https constraints, can instead tag server lines
> with the keyword "trusted", which means you believe MITM attacks are not
> possible on the network to those specific NTP servers.  Do this only on
> servers directly connected over trusted network.  If someone does
> "servers pool.ntp.org trusted", we're going to have a great laugh.
> 
> We're creating something a bit complex, but our goal is for every
> machine to have a close approximation of correct time.  If we get
> there, some good things will happen.  Some serious cargo-culting
> for using -s has gotten in the way (-s performs no MITM checks).
> 

So if you are running current, do the following. Likely you can stop
after step 2.

1. remove -s from ntpd_flags

2. check if the default ntpd.conf works for you; it most likely will,
   *including setting the time on boot*.

3. if you cannot use constraints because https to the world is not possible,
   consider running ntpd on your local net and use that as a peer marked as
   trusted, or if available use a sensor marked as trusted.

4. Still having problems? Report so we can look at your use-case and
   find a solution.

        -Otto
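As an added illustration (not part of either message above, and not the stock /etc/examples/ntpd.conf), here is what the two setups from Otto's steps 2 and 3 look like in ntpd.conf(5) syntax. The address 192.0.2.1 and the sensor line are placeholders for whatever local time source you actually have:

```conf
# Added illustration, not the page's own text and not the OpenBSD sample
# /etc/examples/ntpd.conf; keywords follow ntpd.conf(5). Hostnames and
# addresses are constructed placeholders.

# Case A (steps 1-2): a host that can reach HTTPS sites. Time learned from
# the pool is only accepted when it agrees with the Date: headers returned
# by the constraint sites, which is what replaces the old -s behaviour.
servers pool.ntp.org
constraints from "https://www.quad9.net"
constraints from "https://www.google.com"

# Case B (step 3): no HTTPS to the world. Peer a local ntpd, or a local
# time sensor, and mark only that source as trusted. 192.0.2.1 is a
# placeholder for a server on a directly connected, trusted network.
#server 192.0.2.1 trusted
#sensor * trusted

# Never do this: it tells ntpd to believe an arbitrary Internet server
# without any MITM check, which is exactly the -s problem being removed.
#servers pool.ntp.org trusted
```

Use one case or the other: once a source is marked trusted, ntpd no longer needs a constraint to accept it, so keep the trusted keyword to sources on a network you control and leave the pool unmarked.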
