How To Install and Configure OpenNTPd on FreeBSD 10.2
NTP, the Network Time Protocol, is a standardized protocol providing ways to synchronize time on various operating systems. OpenNTPd is a free and easy-to-use implementation of the Network Time Protocol (NTP), originally developed as part of the OpenBSD project. It provides the ability to sync the local clock from remote NTP servers and can also act as server itself.
This tutorial will show you how to install OpenNTPd on FreeBSD.
To follow this tutorial, you need to have:
- One FreeBSD 10.2 Droplet with a root user; the default freebsd user on DigitalOcean is fine.
A FreeBSD Droplet requires an SSH key for remote access. For help on setting up an SSH key, read How To Configure SSH Key-Based Authentication on a FreeBSD Server. To learn more about logging into your FreeBSD Droplet and basic management, check out the Getting Started with FreeBSD tutorial series.
Step 1 — Installing OpenNTPd
Before installing OpenNTPd, update the repository information used by
- sudo pkg update
Then install the OpenNTPd package:
- sudo pkg install openntpd
The default OpenNTPd configuration uses
pool.ntp.org as its default time servers and is configured to work only as a client machine. The rest of this tutorial will show how to change the time server used and how to configure OpenNTPd as a time server.
Step 2 — Changing the Time Server ((Optional)
The next several steps will edit
/usr/local/etc/ntpd.conf, the default configuration file. Use
vi, or your favorite text editor to edit the configuration file.
- sudo ee /usr/local/etc/ntpd.conf
Powered by the Ask Bjørn Hansen’s GeoDNS,
pool.ntp.org will usually return IP addresses for servers in or close to your country. For most users this will give the best results.
Alternatively, you can also use a country zone like
ru.pool.ntp.org to force/limit results to fit in your personal needs. To read more about the NTP Pool Project, visit pool.ntp.org.
For the example in this tutorial, we will use NTP.br, a project in Brazil that preserves and distributes the legal time in Brazilian territory. If you are not in Brazil, use a similar project in your country or region.
Define your desired time server like this, substituting
pool.ntp.br with your chosen time server.
# $OpenBSD: ntpd.conf,v 1.2 2015/02/10 06:40:08 reyk Exp $ # sample ntpd configuration file, see ntpd.conf(5) # Addresses to listen on (ntpd does not listen by default) #listen on * # sync to a single server #server ntp.example.org # use a random selection of NTP Pool Time Servers # see http://support.ntp.org/bin/view/Servers/NTPPoolServers servers pool.ntp.br # use a specific local timedelta sensor (radio clock, etc) #sensor nmea0 # use all detected timedelta sensors #sensor * # get the time constraint from a well-known HTTPS site #constraints from "https://www.google.com/search?q=openntpd"
Step 3 — Changing the Constraints
A custom client setup can also add support to constraints so
ntpd can query the
Date: headers from trusted HTTPS servers via TLS.
ntpd.conf(5) manpage says: “Received NTP packets with time information falling outside of a range near the constraint will be discarded and such NTP servers will be marked as invalid”. This prevents against some MITM attacks while preserving the clock accuracy.
Add the constraints to
/usr/local/etc/ntpd.conf. Be sure to use one or more reliable, well-known HTTPS sites. You can uncomment the example line provided in the file by deleting the first
# character higlighted below:
# $OpenBSD: ntpd.conf,v 1.2 2015/02/10 06:40:08 reyk Exp $ # sample ntpd configuration file, see ntpd.conf(5) # Addresses to listen on (ntpd does not listen by default) #listen on * # sync to a single server #server ntp.example.org # use a random selection of NTP Pool Time Servers # see http://support.ntp.org/bin/view/Servers/NTPPoolServers servers pool.ntp.br # use a specific local timedelta sensor (radio clock, etc) #sensor nmea0 # use all detected timedelta sensors #sensor * # get the time constraint from a well-known HTTPS site # constraints from "https://www.google.com/search?q=openntpd"
Step 4 — Configuring OpenNTPd as a Time Server
This section shows you how to change the default behavior of OpenNTPd and turn FreeBSD to an NTP server capable of serving time over IPv4 and IPv6.
The final results for a server configuration should look like this, with
your_server_ip replaced with the IPv4 or IPv6 address of your server.
# $OpenBSD: ntpd.conf,v 1.2 2015/02/10 06:40:08 reyk Exp $ # sample ntpd configuration file, see ntpd.conf(5) # Addresses to listen on (ntpd does not listen by default) listen on your_server_ip # sync to a single server #server ntp.example.org # use a random selection of NTP Pool Time Servers # see http://support.ntp.org/bin/view/Servers/NTPPoolServers servers pool.ntp.br # use a specific local timedelta sensor (radio clock, etc) #sensor nmea0 # use all detected timedelta sensors #sensor * # get the time constraint from a well-known HTTPS site #constraints from "https://www.google.com/search?q=openntpd"
Step 5 — Starting OpenNTPd at Boot
The default service configuration for OpenNTPd will not start the daemon during the FreeBSD’s boot process. To add the NTP service provided by
ntpd on FreeBSD, execute the following:
- sudo sysrc openntpd_enable="YES"
The output should be:
Outputopenntpd_enable: -> YES
If you want to set the time immediately at startup, add
-v can also be used so that all calls to
adjtime will be logged. Passing
ntpd will cause the daemon to stay in the foreground for up to 15 seconds waiting for one of the configured NTP servers to reply. This is not the default, and a custom setup like this should be configure as so:
- sudo sysrc openntpd_flags="-s -v"
The output should be:
Outputopenntpd_flags: -> -s -v
Step 6 — Managing the OpenNTPd Service
Now that you have the configuration file edited and customized to fit all your needs, you can start the service provided by OpenNTPd.
To start the service:
- sudo service openntpd start
If it starts successfully, you will see:
If the OpenNTPd daemon’s flags are configured to log debug information, starting the output should look like this:
OutputStarting openntpd. constraint certificate verification turned off ntp_adjtime returns frequency of 8.643158ppm
You can manage the OpenNTPd service with the usual commands:
Step 7 — Troubleshooting (Optional)
OpenNTPd uses two binaries:
ntpctl. The first one is the daemon itself and is responsible for the NTP service provided to the client or server machine. The second one is used to display information about the running daemon.
This section will show you how to use
sockstat to troubleshoot the NTP service provided by OpenNTPd and its daemon. If you have a running service, or just want a different way to check if your service is running, use this section.
Getting Status and Peers
ntpctl uses a local socket for communicating with the OpenNTPd daemon. It defaults to
/var/run/ntpd.sock. This tutorial will cover two kinds of queries you can run with
status shows the status of peers and sensors as well as whether the system clock is synced. When the system clock is synced, the stratum is displayed. When the system clock is not synced, the offset of the system clock, as reported by the
adjtime system call, is displayed. When the median constraint is set, the offset to the local time is displayed.
To show the status using ntpctl:
- sudo ntpctl -s status
The output should be similar to the following:
8/8 peers valid, clock synced, stratum 2
peers shows the following information about each peer: weight(wt), trustlevel(tl), stratum(st), and the number of seconds until the next update to the peer (next poll). The offset, network delay, and network jitter values are in milliseconds. When the system clock is synced to a peer, an asterisk(*) is displayed to the left of the weight column for that peer.
To show peers information using
- sudo ntpctl -s peers
The following output shows you the information that OpenNTPd is running and synced to the stratum 1 server responding as ‘126.96.36.199’ (resolved from pool.ntp.br), and your OpenNTPd daemon will be updating the time via NTP in 31 seconds:
Outputpeer wt tl st next poll offset delay jitter 188.8.131.52 from pool pool.ntp.br 1 10 2 8s 30s -0.005ms 44.814ms 0.023ms 184.108.40.206 from pool pool.ntp.br * 1 10 1 26s 31s -0.012ms 44.814ms 0.027ms 220.127.116.11 from pool pool.ntp.br 1 10 1 18s 31s 0.023ms 37.481ms 0.031ms . . .
You can use
sockstat to list open IPv4, IPv6, and UNIX domain sockets. To list the listening sockets related to NTP over IPv4 and IPv6:
- sudo sockstat -4 -6 -p 123
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS _ntp ntpd 44208 7 udp4 203.0.113.123:16987 18.104.22.168:123 _ntp ntpd 44208 8 udp4 203.0.113.123:38739 22.214.171.124:123 . . .
If you are running OpenNTPd to serve time over the network, the
LOCAL ADDRESS column would show you a line with your IP addresses;
your_ipv4_address:123, representing the IPv4 socket, and
your_ipv6_address:123, showing a listening IPv6 socket.
Connecting to the Internet
nc to troubleshoot not only NTP but lots of network daemons and their sockets (UNIX, TCP, or UDP). The manpage says: “Unlike
telnet, netcat scripts nicely and separates error messages onto standard error instead of sending them to standard output as
telnet does with some”.
To check if you can reach a NTP server, or pool host, over IPv4:
- sudo nc pool.ntp.br 123 -z -4 -u -v
OutputConnection to pool.ntp.br 123 port [udp/ntp] succeeded!
To check if you can reach a NTP server, or pool host, over IPv6:
- sudo nc pool.ntp.br 123 -z -6 -u -v
OutputConnection to pool.ntp.br 123 port [udp/ntp] succeeded!
ntpdate to troubleshoot some of the servers you may want to use. You can get some information about the machine running the NTP service:
- sudo ntpdate -q -4 ntp.cais.rnp.br
The output will look similar to:
Outputserver 126.96.36.199, stratum 3, offset -0.000049, delay 0.09001 1 Sep 17:28:54 ntpdate: adjust time server 188.8.131.52 offset -0.000049 sec
Note that the functionality of
ntpdate is now available in the FreeBSD’s
ntpd program. See the
-q command line option in the FreeBSD’s
ntpd manpage, or use
ntpdate utility will be retired soon.
Reading Manual Pages
ntpctl are not part of FreeBSD’s base system, so its manual pages are also not part of the operating system’s default
MANPATH. To be sure you will be reading the OpenNTPd’s manual pages, you should run
-M /usr/local/man. Don’t be confused with FreeBSD’s default
- man -M /usr/local/man ntpd
Repeat the same procedure to read OpenNTPd’s
Time is inherently important to the function of workstations, servers, routers, and networks. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. When it comes to security, if you cannot successfully compare logs between each of your routers and all your network servers, you will find it very hard to develop a reliable picture of an incident.