This article introduces how to install and configure a simple NTP daemon setup on the Linux operating system. It covers the following points:
- Where to Obtain the NTP Source Code
- Installing NTP
- Configuring the Daemon
- NTP Authentication
- Controlling the NTP Daemon
The Network Time Protocol (NTP) distribution provides a suite of applications to install, configure, implement and debug the NTP protocol. The application provides a means of precisely synchronising the time of client computers to external hardware time sources or external NTP servers. Many installations are configured to synchronise to internet based time servers, of which there are a large number available, often free of charge. Initially provided for the Linux operating system, ports are now available for most Microsoft Windows platforms.
Where to Obtain the NTP Source Code
The NTP distribution is freely available as open source software. It can be downloaded, installed and used completely free of charge, providing you agree to the open source licensing requirements. NTP is often installed by default on many Linux distributions, such as Debian, Red Hat and Ubuntu. If it is not already installed on your Linux machine, it is probably available as an installable package. Generally, the installable packages are pre-compiled and only need to be configured before use.
For Linux machines where an installable package is not available, NTP needs to be compiled from source code. This is easily achieved by downloading the latest source code from the NTP website, www.ntp.org.
Configuring the Daemon
The NTP application is configured either from command line options or, more usually, using a configuration file. There are a host of configuration commands that can be specified. However, the most useful is the ‘server’ command, which instructs NTP to synchronise with a specified external NTP server, local or internet. The command requires either a fully qualified domain name or the IP address of an NTP server. Any number of servers can be specified on separate lines, e.g.:
server 0.uk.pool.ntp.org # Internet based pooled server 0
server 1.uk.pool.ntp.org # Internet based pooled server 1
server 192.168.0.200 # Local intranet NTP server
NTP Authentication
NTP security is performed by ‘symmetric key cryptography’ or ‘authentication’ as it is more commonly known. It allows a client to authenticate a server for trusted information exchange.
Authentication is based on a number of agreed keys, or passwords, that are available to both client and server. When a message is transferred from server to client, it is appended with an encrypted version of one of the keys. Keys are stored in a file called ‘ntp.keys’. The keys are stored in the file in the following format:
1 M AgreedKey
2 M ceNTigraDE541
8 M DeliBERate244
12 M TAIlored
15 M phySIcally
16 M ScaLES723
The first field is a unique key number indicator. The second field denotes the encryption algorithm that should be used to encrypt the key, ‘M’ indicates the most common MD5 encryption. The final field is the actual key itself. Any number of keys can be specified.
As well as the agreed keys, you can also specify which of the keys are trusted. Therefore, a subset of the keys can be specified for use at any particular time. For instance, keys 2, 8 and 15 above can be designated for use for a specific period. Trusted keys are specified in the NTP configuration file, ‘ntp.conf’, using the trustedkey command with space-separated key numbers:
trustedkey 2 8 15
Controlling the NTP Daemon
Once NTP has been installed and configured, a number of scripts are available to control the application:
ntpd start – starts the ntp daemon.
ntpd stop – stops the ntp daemon.
ntpd restart – stops and restarts the daemon.
Any changes to the NTP configuration files will not take effect until the application is restarted.
A number of utilities are provided that can be used to debug an NTP installation. Probably the most useful is the ‘ntpq’ program. This is an application that will query an NTP server and can be used to find out if it is working within expected parameters. Run the ntpq program with the ‘-p’ option and specify the network address of a server:
> ntpq -p 192.168.0.200 # where 192.168.0.200 is the IP address of an NTP server
You should see a response similar to below:
     remote      refid    st t when poll reach  delay  offset   jitter
 LOCAL(0)        .INIT.   16 l   21   64   377  0.000   0.000    0.001
*SHM(0)          .GPS.     0 l   53   64   377  0.000   0.009    0.001
 SHM(1)          .LFa.     0 l    -   64     0  0.000   0.000  4000.00
The response indicates the time references that the server is currently utilising and which is its currently preferred reference.
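An added example (not part of the original article) that reads this peer listing the way a monitoring check would: it picks out the reference marked ‘*’ as the currently selected one and flags sources that are unreachable or unsynchronised. The sample text is constructed from the rows above, laid out with ntpq's one-character status column at the start of each line; the function names are hypothetical.

```python
# Constructed sample: the article's rows, with the status character in column 0.
SAMPLE = """\
     remote      refid    st t when poll reach  delay  offset   jitter
 LOCAL(0)        .INIT.   16 l   21   64   377  0.000   0.000    0.001
*SHM(0)          .GPS.     0 l   53   64   377  0.000   0.009    0.001
 SHM(1)          .LFa.     0 l    -   64     0  0.000   0.000  4000.00
"""


def parse_peers(text):
    """Turn 'ntpq -p' output into a list of dicts, skipping non-peer lines."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        # A peer row has ten columns and a numeric stratum in the third one.
        if len(fields) != 10 or not fields[2].isdigit():
            continue
        peers.append({
            "tally": line[0],               # '*' marks the selected reference
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),     # octal register of the last 8 polls
            "offset": float(fields[8]),
        })
    return peers


def assess(text):
    """Return (selected reference or None, [(remote, problem), ...])."""
    peers = parse_peers(text)
    selected = [p["remote"] for p in peers if p["tally"] == "*"]
    problems = []
    for p in peers:
        if p["reach"] == 0:
            problems.append((p["remote"], "unreachable"))   # no poll answered
        elif p["stratum"] >= 16:
            problems.append((p["remote"], "unsynchronised"))
    if not selected:
        problems.append((None, "no reference selected"))
    return (selected[0] if selected else None), problems
```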
Internet Based Public NTP Servers
There are a large number of internet based NTP servers that are freely available for public use. Most are run by government agencies and universities. Also gaining more traction is the NTP pool project, which is a large virtual cluster of time servers. The pool project provides tens of millions of clients access to accurate time for their computers. For many Linux distributions, it has become the default time server for pre-installed NTP software. Pooled servers are available on a regional basis, with most areas in the world having some representation. More information on the pooled server project is available at www.pool.ntp.org.
Andrew Everett has worked in the Computer Time and Frequency sector for almost his entire career. He now leads TimeTools development department. Andrew has written many articles that help IT professionals make informed decisions about network and computer systems timing solutions.