From ef4d236faca7057f1de02d24223616c44d3411ab Mon Sep 17 00:00:00 2001
From: deraadt
Date: Mon, 18 May 2015 13:48:37 +0000
Subject: [PATCH] enable ntpd by default at install time. We use pools and a reliable constraint to keep them in check. in the worst case of being on a dark net, nothing changes. this is being enabled by default to allow gathering of more operational information from users. and if the operational heuristics in ntpd can be suitable refined, this may stay the default into the future. if not, ntpd will become even more awesome along the way. with reyk rpe
---
 distrib/miniroot/install.sub | 15 +--------------
 distrib/sets/lists/etc/mi | 1 +
 etc/Makefile | 3 ++-
 etc/ntpd.conf | 14 ++++++++++++++
 etc/rc.conf | 4 ++--
 5 files changed, 20 insertions(+), 17 deletions(-)
 create mode 100644 etc/ntpd.conf
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub
index 9a0fde9c42c..4d3e770579b 100644
--- a/distrib/miniroot/install.sub
+++ b/distrib/miniroot/install.sub
@@ -1,4 +1,4 @@
-# $OpenBSD: install.sub,v 1.838 2015/05/15 07:41:30 rpe Exp $
+# $OpenBSD: install.sub,v 1.839 2015/05/18 13:48:37 deraadt Exp $
 #
 # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
 # Copyright (c) 2015, Robert Peichaer
@@ -1506,13 +1506,6 @@ questions() {
 ask_yn "Start sshd(8) by default?" yes
 sshd=$resp
- ask_yn "Start ntpd(8) by default?"
- ntpd=$resp
- if [[ $resp == y ]]; then
- ask "NTP server? (hostname or 'default')" default
- ntpd_server=$resp
- fi
-
 aperture=
 resp=
 xdm=
@@ -2044,12 +2037,6 @@ apply() {
 cp /tmp/sshd_config /mnt/etc/ssh/sshd_config
 fi
- if [[ $ntpd == y ]]; then
- echo "ntpd_flags=" >>/mnt/etc/rc.conf.local
- [[ $ntpd_server == default ]] && ntpd_server=pool.ntp.org
- echo "servers ${ntpd_server%% *}" >>/mnt/etc/ntpd.conf
- fi
-
 [[ -n $aperture ]] && echo "machdep.allowaperture=$aperture # See xf86(4)" \
 >>/mnt/etc/sysctl.conf
diff --git a/distrib/sets/lists/etc/mi b/distrib/sets/lists/etc/mi
index 6ffa7ccec79..c50034fa078 100644
--- a/distrib/sets/lists/etc/mi
+++ b/distrib/sets/lists/etc/mi
@@ -24,6 +24,7 @@
 ./etc/newsyslog.conf
 ./etc/npppd/npppd-users
 ./etc/npppd/npppd.conf
+./etc/ntpd.conf
 ./etc/passwd
 ./etc/pf.conf
 ./etc/ppp/chap-secrets
diff --git a/etc/Makefile b/etc/Makefile
index f8b3769dbf0..afa7130e819 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.401 2015/03/27 18:49:50 schwarze Exp $
+# $OpenBSD: Makefile,v 1.402 2015/05/18 13:48:38 deraadt Exp $
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= Canada/Mountain
@@ -97,6 +97,7 @@ distribution-etc-root-var: distrib-dirs
 ${INSTALL} -c -o root -g wheel -m 600 master.passwd ${DESTDIR}/etc
 pwd_mkdb -p -d ${DESTDIR}/etc /etc/master.passwd
 ${INSTALL} -c -o root -g wheel -m 600 pf.conf ${DESTDIR}/etc
+ ${INSTALL} -c -o root -g wheel -m 640 ntpd.conf ${DESTDIR}/etc
 ${INSTALL} -c -o root -g _nsd -m 640 nsd.conf ${DESTDIR}/var/nsd/etc
 ${INSTALL} -c -o root -g wheel -m 644 unbound.conf ${DESTDIR}/var/unbound/etc
 ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 555 \
diff --git a/etc/ntpd.conf b/etc/ntpd.conf
new file mode 100644
index 00000000000..ec5a86e25d3
--- /dev/null
+++ b/etc/ntpd.conf
@@ -0,0 +1,14 @@
+# $OpenBSD: ntpd.conf,v 1.13 2015/05/18 13:48:38 deraadt Exp $
+
+# Addresses to listen on (ntpd does not listen by default)
+#listen on *
+
+# use a random selection of NTP Pool Time Servers
+# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
+servers pool.ntp.org
+
+# use all detected timedelta sensors
+sensor *
+
+# get the time constraint from a well-known HTTPS site
+constraints from "https://www.google.com"
diff --git a/etc/rc.conf b/etc/rc.conf
index 66c687a9827..c4c7ca46bde 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: rc.conf,v 1.202 2015/05/04 22:25:17 schwarze Exp $
+# $OpenBSD: rc.conf,v 1.203 2015/05/18 13:48:38 deraadt Exp $
 # DO NOT EDIT THIS FILE!!
 #
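Review bot: In the new etc/ntpd.conf, the closing `constraints from "https://www.google.com"` line makes one third-party HTTPS site the only authenticated check on the unauthenticated `servers pool.ntp.org` replies, and the one-line comment above it does not tell an operator what that trust decision means. Since this file now ships on every install, I would expand the comment along the lines of `# the TLS-authenticated Date header bounds what the NTP servers may claim;` `# change or remove if outbound HTTPS to this host is not acceptable`. It would also be worth stating in the file what ntpd does when the constraint host is unreachable; the commit message says nothing changes on a dark net, but that is not visible in this hunk. A second, independently operated constraint source would avoid relying on a single operator.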
@@ -40,7 +40,7 @@ mopd_flags=NO
 mrouted_flags=NO # be sure to enable multicast_router below
 npppd_flags=NO
 nsd_flags=NO
-ntpd_flags=NO
+ntpd_flags=
 ospfd_flags=NO
 ospf6d_flags=NO
 pflogd_flags= # add more flags, e.g. "-s 256"
--
2.20.1
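Review bot: Flipping `ntpd_flags=NO` to `ntpd_flags=` in this hunk turns on a network client for every system that takes the new rc.conf, not only fresh installs, and the line carries no comment saying so. Because the header of this file says not to edit it, an operator who needs time sync off (restricted egress, or an existing time source) has to override it elsewhere; presumably that is rc.conf.local, which the removed installer code wrote to. I would add a trailing comment in the style of the neighbouring pflogd line, e.g. `ntpd_flags= # enabled by default; set to NO in rc.conf.local to disable`. The release notes should also mention the new outbound traffic to pool.ntp.org and to the HTTPS constraint host, so that egress filtering and monitoring can account for it.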