author | deraadt <deraadt@openbsd.org> | 2019-11-11 01:04:55 +0000 |
---|---|---|
committer | deraadt <deraadt@openbsd.org> | 2019-11-11 01:04:55 +0000 |
commit | 9c3418732fbf2b3725f3b248c48e5c036580656d (patch) | |
tree | 30f06a23e2167130b8d39a0152d4fae112c2f4fb /usr.sbin/ntpd | |
parent | update ntpd example configuration (diff) | |
Disable -s and -S functionality. -s would force time using NTP packets without
any MITM protection checks. We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted". trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto
Diffstat (limited to 'usr.sbin/ntpd')
-rw-r--r-- | usr.sbin/ntpd/ntpd.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/usr.sbin/ntpd/ntpd.c b/usr.sbin/ntpd/ntpd.c
index f6e37edfad8..f60569eeb33 100644
--- a/usr.sbin/ntpd/ntpd.c
+++ b/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.c,v 1.126 2019/11/10 19:24:47 otto Exp $ */
+/* $OpenBSD: ntpd.c,v 1.127 2019/11/11 01:04:55 deraadt Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -99,7 +99,7 @@ usage(void)
 fprintf(stderr,
 "usage: ntpctl -s all | peers | Sensors | status\n");
 else
- fprintf(stderr, "usage: %s [-dnSsv] [-f file]\n",
+ fprintf(stderr, "usage: %s [-dnv] [-f file]\n",
 __progname);
 exit(1);
 }
@@ -140,6 +140,7 @@ main(int argc, char *argv[])
 char **argv0 = argv;
 char *pname = NULL;
 time_t settime_deadline;
+ int sopt = 0;
 if (strcmp(__progname, "ntpctl") == 0) {
 ctl_main(argc, argv);
@@ -166,10 +167,8 @@ main(int argc, char *argv[])
 pname = optarg;
 break;
 case 's':
- lconf.settime = 1;
- break;
 case 'S':
- lconf.settime = 0;
+ sopt = ch;
 break;
 case 'v':
 lconf.verbose++;
@@ -187,6 +186,12 @@ main(int argc, char *argv[])
 log_init(logdest, lconf.verbose, LOG_DAEMON);
+ if (sopt) {
+ log_warnx("-%c option no longer works and will be removed soon.",
+ sopt);
+ log_warnx("Please reconfigure to use constraints or trusted servers.");
+ }
+
 argc -= optind;
 argv += optind;
 if (argc > 0)
|
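Review bot: The merged `case 's':` / `case 'S':` arms only record the letter in `sopt`, and nothing at that spot tells a reader that both flags are now deliberately inert. A one-line comment above `sopt = ch;` would make the intent explicit, e.g. `/* -s/-S are still parsed for compatibility but ignored; a warning is logged after log_init() */`. Nothing in this hunk assigns `lconf.settime` any more, yet main() still declares `settime_deadline`, so it is worth confirming outside the hunk that no remaining path can step the clock from replies that have not passed constraint or trusted-server validation. main()'s body starts and ends outside the hunk.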
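Review bot: The new `if (sopt)` block warns and then lets startup continue, so a host whose boot flags still pass -s or -S gets no signal beyond two `log_warnx` lines sent to whatever `logdest` selects (that value is set outside the hunk). Ignoring the flag is the safe direction, because the unvalidated time step is dropped rather than kept, but the first message does not say the option is being ignored. Suggest `log_warnx("-%c option no longer works and is ignored; it will be removed soon.",` so an operator reading the log knows the daemon is running without the behaviour they asked for. A comment above the block such as `/* deprecated: -s stepped the clock from NTP replies with no MITM check; see constraints / trusted servers */` would record the reason given in the commit message. main()'s body starts and ends outside the hunk.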