HEADS UP: ntpd changing

Theo de Raadt (deraadt@)postedto tech@:

The ntpd options -s and -S are going to be removed soon and at startupwith print: -s option no longer works and will be removed soon. Please reconfigure to use constraints or trusted servers.Probably after 6.7 we'll delete the warning. Maybe for 6.8 we'll remove-s and -S from getopt, and starting with those options will fail.Effective immediately, the -s option stops doing what you expect. It nowdoes nothing.Big improvements have happened in ntpd recently. At startup, ntpdaggressively tries to learn from NTP packets validated by constraints,and set the time.That means a smarter variation of -s is the default, but the informationis now *VALIDATED* by constraints.2 additional constraints have been added. If you have upgraded, pleasereview /etc/examples/ntpd.conf for modern useThose who cannot use https constraints, can instead tag server lineswith the keyword "trusted", which means you believe MITM attacks are notpossible on the network to those specific NTP servers. Do this only onservers directly connected over trusted network. If someone does"servers pool.ntp.org trusted", we're going to have a great laugh.We're creating something a bit complex, but our goal is for everymachine to have a close approximation of correct time. If we getthere, some good things will happen. Some serious cargo-cultingfor using -s has gotten in the way (-s performs no MITM checks).

Read more"