On Sun, Nov 10, 2019 at 05:03:02PM -0700, Theo de Raadt wrote:
> The ntpd options -s and -S are going to be removed soon and at startup
> will print:
>
>     -s option no longer works and will be removed soon.
>     Please reconfigure to use constraints or trusted servers.
>
> Probably after 6.7 we'll delete the warning. Maybe for 6.8 we'll remove
> -s and -S from getopt, and starting with those options will fail.
>
> Effective immediately, the -s option stops doing what you expect. It now
> does nothing.
>
> Big improvements have happened in ntpd recently. At startup, ntpd
> aggressively tries to learn from NTP packets validated by constraints,
> and set the time.
>
> That means a smarter variation of -s is the default, but the information
> is now *VALIDATED* by constraints.
>
> 2 additional constraints have been added. If you have upgraded, please
> review /etc/examples/ntpd.conf for modern use
>
> Those who cannot use https constraints, can instead tag server lines
> with the keyword "trusted", which means you believe MITM attacks are not
> possible on the network to those specific NTP servers. Do this only on
> servers directly connected over trusted network. If someone does
> "servers pool.ntp.org trusted", we're going to have a great laugh.
>
> We're creating something a bit complex, but our goal is for every
> machine to have a close approximation of correct time. If we get
> there, some good things will happen. Some serious cargo-culting
> for using -s has gotten in the way (-s performs no MITM checks).
>
So if you are running current do the following. Likely you can stop
after step 2.

1. remove -s from ntpd_flags

2. check if the default ntpd.config works for you; it most likely will,
*including setting the time on boot*.

3. if you cannot use constraints because https to the world is not
possible, consider running ntpd on your local net and use that as a peer
marked as trusted or if available use a sensor marked as trusted.

4. Still having problems? Report so we can look at your use-case and find
a solution.

	-Otto
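
An added example, not part of either message above and not OpenBSD's own tooling: a small shell check for the migration steps in this thread. The function name audit_ntpd, the file arguments and the sample files are assumptions made for illustration; the sample contents are constructed.

```shell
#!/bin/sh
# audit_ntpd RCCONF NTPDCONF   (hypothetical helper, added example)
# Prints one line per finding; the return status is the number of findings.
audit_ntpd() {
    rcconf=$1; conf=$2; findings=0
    # Comment-free view of ntpd.conf so commented-out lines do not count.
    active=$(sed 's/#.*//' "$conf")

    # Step 1: -s or -S (alone or bundled, e.g. -vs) still in ntpd_flags.
    if grep -Eq "^[[:space:]]*ntpd_flags=[\"']?(.*[[:space:]])?-[A-Za-z]*[sS]" "$rcconf"; then
        echo "FLAGS: remove -s/-S from ntpd_flags in $rcconf"
        findings=$((findings + 1))
    fi

    # Steps 2-3: time is validated only by constraints, or taken on faith
    # from a server/sensor explicitly marked trusted.
    nc=$(printf '%s\n' "$active" | grep -Ec '^[[:space:]]*constraints?[[:space:]]+from[[:space:]]' || true)
    nt=$(printf '%s\n' "$active" | grep -Ec '^[[:space:]]*(server|sensor)[[:space:]].*[[:space:]]trusted([[:space:]]|$)' || true)
    if [ "$nc" -eq 0 ] && [ "$nt" -eq 0 ]; then
        echo "VALIDATION: no constraint and no trusted server/sensor in $conf"
        findings=$((findings + 1))
    fi

    # "trusted" on a pool ("servers") line trusts hosts you do not control.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*servers[[:space:]].*[[:space:]]trusted([[:space:]]|$)'; then
        echo "TRUST: 'trusted' set on a pool (servers) line in $conf"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input (not taken from a real host).
tmp=$(mktemp -d)
printf 'ntpd_flags="-s"\n'                                  > "$tmp/rc.old"
printf 'servers pool.ntp.org trusted\n'                     > "$tmp/ntpd.old"
printf 'ntpd_flags=\n'                                      > "$tmp/rc.new"
printf 'servers pool.ntp.org\nconstraint from "9.9.9.9"\n'  > "$tmp/ntpd.new"

audit_ntpd "$tmp/rc.old" "$tmp/ntpd.old" || echo "findings: $?"
audit_ntpd "$tmp/rc.new" "$tmp/ntpd.new" && echo "clean"
```

On a real system the arguments would be the file holding ntpd_flags and /etc/ntpd.conf.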