authorderaadt <deraadt@openbsd.org>2019-11-11 01:04:55 +0000
committerderaadt <deraadt@openbsd.org>2019-11-11 01:04:55 +0000
commit9c3418732fbf2b3725f3b248c48e5c036580656d (patch)
tree30f06a23e2167130b8d39a0152d4fae112c2f4fb /usr.sbin/ntpd
parentupdate ntpd example configuration (diff)
Disable -s and -S functionality. -s would force time using NTP packets without
any MITM protection checks. We've had constraint checks for MITM protection for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation. In environments where https traffic doesn't work, ethernet-near servers can be labelled as "trusted". Trusted sensor support is also coming. We have reasons to immediately move people away from the -s mode. ok otto
Diffstat (limited to 'usr.sbin/ntpd')
-rw-r--r--usr.sbin/ntpd/ntpd.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/usr.sbin/ntpd/ntpd.c b/usr.sbin/ntpd/ntpd.c
index f6e37edfad8..f60569eeb33 100644
--- a/usr.sbin/ntpd/ntpd.c
+++ b/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.c,v 1.126 2019/11/10 19:24:47 otto Exp $ */
+/* $OpenBSD: ntpd.c,v 1.127 2019/11/11 01:04:55 deraadt Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -99,7 +99,7 @@ usage(void)
fprintf(stderr,
"usage: ntpctl -s all | peers | Sensors | status\n");
else
- fprintf(stderr, "usage: %s [-dnSsv] [-f file]\n",
+ fprintf(stderr, "usage: %s [-dnv] [-f file]\n",
__progname);
exit(1);
}
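Review bot: The usage string no longer lists `-S` and `-s`, yet the option switch later in this commit still accepts both, so usage() and the parser disagree until the options are really removed. The diffstat lists only ntpd.c, so the manual page presumably still documents the two flags and should be updated alongside. A one-line comment above the fprintf would record the intent: `/* -s and -S are omitted on purpose: still parsed, but ignored with a warning */`. usage() begins outside this hunk.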
@@ -140,6 +140,7 @@ main(int argc, char *argv[])
char **argv0 = argv;
char *pname = NULL;
time_t settime_deadline;
+ int sopt = 0;
if (strcmp(__progname, "ntpctl") == 0) {
ctl_main(argc, argv);
@@ -166,10 +167,8 @@ main(int argc, char *argv[])
pname = optarg;
break;
case 's':
- lconf.settime = 1;
- break;
case 'S':
- lconf.settime = 0;
+ sopt = ch;
break;
case 'v':
lconf.verbose++;
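Review bot: With both `lconf.settime` assignments removed, the field keeps whatever value it was initialised with outside this hunk; it is worth confirming that this is the constraint-checked default the commit message describes, since nothing visible here sets it. The now-empty `case 's':` stacked on `case 'S':` reads like an accidental fall-through, so I would add `/* -s and -S are accepted for compatibility only; they no longer touch lconf.settime */` above the labels. `sopt = ch` also keeps only the last of the two flags, so a command line carrying both is warned about one of them; that is harmless but could be mentioned in the same comment. The switch and main() start and end outside the hunk.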
@@ -187,6 +186,12 @@ main(int argc, char *argv[])
log_init(logdest, lconf.verbose, LOG_DAEMON);
+ if (sopt) {
+ log_warnx("-%c option no longer works and will be removed soon.",
+ sopt);
+ log_warnx("Please reconfigure to use constraints or trusted servers.");
+ }
+
argc -= optind;
argv += optind;
if (argc > 0)
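Review bot: The deprecation notice in the `if (sopt)` block is emitted through log_warnx() right after log_init(), so where it appears depends on `logdest`, which is set outside this hunk. When the daemon is started from boot scripts the message presumably reaches only the system log, and an operator who relied on -s may not notice that the flag is now ignored. The block should say why startup continues instead of failing, for example `/* keep starting: -s set the clock from NTP replies without MITM checks, so it is ignored rather than fatal */`. If silent degradation is a concern, the release notes or manual page are the place to repeat the warning, since the daemon still starts normally. main() continues past the end of the hunk.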