.\" $OpenBSD: ntpd.conf.5,v 1.47 2021/01/06 13:03:13 jmc Exp $
.\"
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN
.\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 6 2021 $
.Dt NTPD.CONF 5
.Os
.Sh NAME
.Nm ntpd.conf
.Nd Network Time Protocol daemon configuration file
.Sh DESCRIPTION
This manual page describes the format of the
.Xr ntpd 8
configuration file.
.Pp
.Nm
has the following format:
.Pp
Empty lines and lines beginning with the
.Sq #
character are ignored.
.Pp
Keywords may be specified multiple times within the configuration file.
The basic configuration options are as follows:
.Bl -tag -width Ds
.It Xo Ic listen on Ar address
.Op Ic rtable Ar table-id
.Xc
Specify a local IP address or a hostname the
.Xr ntpd 8
daemon should listen on.
If it appears multiple times,
.Xr ntpd 8
will listen on each given address.
If
.Sq *
is given as an address,
.Xr ntpd 8
will listen on all local addresses using the specified routing table.
.Xr ntpd 8
does not listen on any address by default.
The optional
.Ic rtable
keyword will specify which routing table to listen on.
By default
.Xr ntpd 8
will listen using the current routing table.
For example:
.Bd -literal -offset indent
listen on *
.Ed
.Pp
or
.Bd -literal -offset indent
listen on 127.0.0.1
listen on ::1
listen on 127.0.0.1 rtable 4
.Ed
.It Ic query from Ar sourceaddr
Specify a local IP address the
.Xr ntpd 8
daemon should use for outgoing queries to subsequently specified servers,
which is useful on machines with multiple interfaces.
For example:
.Bd -literal -offset indent
query from 192.0.2.1
query from 2001:db8::1
.Ed
.It Xo Ic sensor Ar device
.Op Ic correction Ar microseconds
.Op Ic refid Ar ID-string
.Op Ic stratum Ar stratum-value
.Op Ic trusted
.Op Ic weight Ar weight-value
.Xc
Specify a timedelta sensor device
.Xr ntpd 8
should use.
The sensor can be specified multiple times:
.Xr ntpd 8
will use each given sensor that actually exists.
Non-existent sensors are ignored.
If
.Sq *
is given as device name,
.Xr ntpd 8
will use all timedelta sensors it finds.
.Xr ntpd 8
does not use any timedelta sensor by default.
For example:
.Bd -literal -offset indent
sensor *
sensor nmea0
.Ed
.Pp
A
.Ic correction
in microseconds can be given to compensate
for the sensor's offset.
The maximum correction is 127 seconds.
For example, if a DCF77 receiver is lagging 70ms behind
actual time:
.Bd -literal -offset indent
sensor udcf0 correction 70000
.Ed
.Pp
A
.Ic refid
.Ar ID-string
of up to 4 ASCII characters can be
given to publish the sensor type to clients.
RFC 2030 suggests some common reference identifiers, but new identifiers
"can be contrived as appropriate."
If an
.Ar ID-string
is not given,
.Xr ntpd 8
will use a generic reference ID.
For example:
.Bd -literal -offset indent
sensor nmea0 refid GPS
.Ed
.Pp
The
.Ic stratum
keyword can be used to change the stratum value from the default of 1.
.Pp
The
.Ic trusted
keyword indicates the time learned is secure, trustworthy,
and not vulnerable to man-in-the-middle attacks, so
.Ic constraints
validation is skipped.
This is useful for boot-time correction in environments where
.Ic constraints
cannot be used.
.Pp
The
.Ic weight
keyword permits finer control over the relative importance
of time sources (servers or sensor devices).
Weights are specified in the range 1 to 10;
if no weight is given,
the default is 1.
A server with a weight of 5, for example,
will have five times more influence on time offset calculation
than a server with a weight of 1.
.It Xo Ic server Ar address
.Op Ic trusted
.Op Ic weight Ar weight-value
.Xc
Specify the IP address or the hostname of an NTP
server to synchronize to.
If it appears multiple times,
.Xr ntpd 8
will try to synchronize to all of the servers specified.
If a hostname resolves to multiple IPv4 and/or IPv6 addresses,
.Xr ntpd 8
uses the first address.
If it does not get a reply,
.Xr ntpd 8
retries with the next address and continues to do so until a working address
is found.
For example:
.Bd -literal -offset indent
server 10.0.0.2 weight 5
server ntp.example.org weight 1
.Ed
.Pp
To provide redundancy, it is good practice to configure multiple servers.
In general, best accuracy is obtained by using servers that have a low
network latency.
.It Xo Ic servers Ar address
.Op Ic trusted
.Op Ic weight Ar weight-value
.Xc
As with
.Cm server ,
specify the IP address or hostname of an NTP server to synchronize to.
If it appears multiple times,
.Xr ntpd 8
will try to synchronize to all of the servers specified.
Should the hostname resolve to multiple IP addresses,
.Xr ntpd 8
will try to synchronize to all of them.
For example:
.Bd -literal -offset indent
servers pool.ntp.org
servers pool.ntp.org weight 5
.Ed
.El
.Sh CONSTRAINTS
.Xr ntpd 8
can be configured to query the
.Sq Date
from trusted HTTPS servers via TLS.
This time information is not used for precision but acts as an
authenticated constraint,
thereby reducing the impact of unauthenticated NTP
man-in-the-middle attacks.
Received NTP packets with time information falling outside of a range
near the constraint will be discarded and such NTP servers
will be marked as invalid.
.Bl -tag -width Ds
.It Ic constraint from Ar url [ip...]
Specify the URL, IP address or the hostname of an HTTPS server to
provide a constraint.
If the url is followed by one or more addresses the url and addresses will be
tried until a working one is found.
The url path and expected certificate name is always taken from the
url specified.
If
.Ic constraint from
is used more than once,
.Xr ntpd 8
will calculate a median constraint from all the servers specified.
.Bd -literal -offset indent
server ntp.example.org
constraint from www.example.com
constraint from "https://9.9.9.9" "2620:fe::9"
.Ed
.It Ic constraints from Ar url
As with
.Ic constraint from ,
specify the URL, IP address or the hostname of an HTTPS server to
provide a constraint.
Should the hostname resolve to multiple IP addresses,
.Xr ntpd 8
will calculate a median constraint from all of them.
For example:
.Bd -literal -offset indent
servers pool.ntp.org
constraints from "https://www.google.com/"
.Ed
.El
.Sh FILES
.Bl -tag -width /etc/examples/ntpd.conf -compact
.It Pa /etc/ntpd.conf
Default
.Xr ntpd 8
configuration file.
.It Pa /etc/examples/ntpd.conf
Example configuration file.
.El
.Sh SEE ALSO
.Xr ntpctl 8 ,
.Xr ntpd 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 3.6 .
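.Pp
An added example, not part of the OpenBSD manual or the ntpd source: a small Python linter that checks a configuration against the limits stated above (weight 1 to 10, correction at most 127 seconds, refid of up to 4 ASCII characters) and reports settings that weaken the constraint protection.
The function name, the review policy (flagging trusted only on network servers, flagging listen on *), applying the 127-second limit to the magnitude of the correction, and the sample configuration are assumptions made for illustration.

```python
import re

MAX_CORRECTION_US = 127 * 1_000_000  # manual: "The maximum correction is 127 seconds."
WEIGHTS = range(1, 11)               # manual: weights are in the range 1 to 10

def lint_ntpd_conf(text):
    """Return (line_number, message) findings; line 0 is a whole-file finding."""
    findings, has_server, has_constraint = [], False, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # ignored, as the manual states
            continue
        kw, *args = line.split()
        if kw in ("constraint", "constraints"):
            has_constraint = True
        elif kw == "listen" and args[:2] == ["on", "*"]:
            findings.append((n, "listens on all local addresses"))
        if kw not in ("server", "servers", "sensor"):
            continue
        has_server = has_server or kw != "sensor"
        opts = iter(args[1:])                  # args[0] is the address or device
        for key in opts:
            if key == "trusted":
                # Policy assumption: flag only network sources (NTP is unauthenticated).
                if kw != "sensor":
                    findings.append((n, "trusted: constraints validation is skipped"))
                continue
            val = next(opts, "")
            if key == "weight" and not (val.isdigit() and int(val) in WEIGHTS):
                findings.append((n, f"weight {val!r} is outside 1..10"))
            elif key == "correction" and not (
                    re.fullmatch(r"-?\d+", val) and abs(int(val)) <= MAX_CORRECTION_US):
                findings.append((n, f"correction {val!r} exceeds 127 seconds"))
            elif key == "refid" and not (val.isascii() and 1 <= len(val) <= 4):
                findings.append((n, f"refid {val!r} is not 1 to 4 ASCII characters"))
    if has_server and not has_constraint:
        findings.append((0, "NTP servers configured without any constraint"))
    return findings

# Constructed sample input, not a recommended configuration.
SAMPLE = """\
# constructed sample
listen on *
server 10.0.0.2 weight 50
servers pool.ntp.org trusted
sensor udcf0 correction 70000 refid DCF77
sensor nmea0 refid GPS trusted
"""

if __name__ == "__main__":
    for n, msg in lint_ntpd_conf(SAMPLE):
        print(f"line {n}: {msg}")
```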