commit 5f0708bbe7d2edd6fb23d9e61731b80e39323e69 Author: Stephen Wadeley <swadeley(a)redhat.com&gt; Date: Tue Nov 12 09:56:36 2013 +0100 Updating section IDs to be title case to match the titles en-US/Configuring_NTP_Using_ntpd.xml en-US/Configuring_NTP_Using_ntpd.xml | 36 +++++++++++++++++----------------- 1 files changed, 18 insertions(+), 18 deletions(-) --- diff --git a/en-US/Configuring_NTP_Using_ntpd.xml b/en-US/Configuring_NTP_Using_ntpd.xml index 457a9bc..3783a66 100644 --- a/en-US/Configuring_NTP_Using_ntpd.xml +++ b/en-US/Configuring_NTP_Using_ntpd.xml @@ -138,7 +138,7 @@ Some software may fail or produce an error if the time is changed backwards. For systems that are sensitive to step changes in the time, the threshold can be changed to 600s instead of 128ms using the <option>-x</option> option (unrelated to the <option>-g</option> option). Using the <option>-x</option> option to increase the stepping limit from 0.128s to 600s has a drawback because a different method of controlling the clock has to be used. It disables the kernel clock discipline and may have a negative impact on the clock accuracy. The <option>-x</option> option can be added to the <filename>/etc/sysconfig/ntpd</filename> configuration file.</para> </section> -<section id="s1-Understanding_the_drift_file"> +<section id="s1-Understanding_the_Drift_File"> <title>Understanding the Drift File</title> <para> The drift file is used to store the frequency offset between the system clock running at its nominal frequency and the frequency required to remain in synchronization with UTC. If present, the value contained in the drift file is read at system start and used to correct the clock source. Use of the drift file reduces the time required to achieve a stable and accurate time. The value is calculated, and the drift file replaced, once per hour by <systemitem class="daemon">ntpd</systemitem>. The drift file is replaced, rather than just updated, and for this reason the drift file must be in a directory for which the <systemitem class="daemon">ntpd</systemitem> has write permissions. @@ -158,7 +158,7 @@ </section> -<section id="s1-Authentication_options_for_NTP"> +<section id="s1-Authentication_Options_for_NTP"> <title>Authentication Options for NTP</title> <para> <systemitem class="protocol">NTPv4</systemitem> added support for the Autokey Security Architecture, which is based on public asymmetric cryptography while retaining support for symmetric key cryptography. The Autokey Security Architecture is described in <ulink url="http://www.rfc-editor.org/info/rfc5906"><citetitle pubwork="webpage">RFC5906 Network Time Protocol Version 4: Autokey Specification</citetitle></ulink>. The man page <filename>ntp_auth(5)</filename> describes the authentication options and commands for <systemitem class="daemon">ntpd</systemitem>. @@ -167,11 +167,11 @@ An attacker on the network can attempt to disrupt a service by sending <systemitem class="protocol">NTP</systemitem> packets with incorrect time information. On systems using the public pool of <systemitem class="protocol">NTP</systemitem> servers, this risk is mitigated by having more than three <systemitem class="protocol">NTP</systemitem> servers in the list of public <systemitem class="protocol">NTP</systemitem> servers in <filename>/etc/ntp.conf</filename>. If only one time source is compromised or spoofed, <systemitem class="daemon">ntpd</systemitem> will ignore that source. You should conduct a risk assessment and consider the impact of incorrect time on your applications and organization. If you have internal time sources you should consider steps to protect the network over which the <systemitem class="protocol">NTP</systemitem> packets are distributed. If you conduct a risk assessment and conclude that the risk is acceptable, and the impact to your applications minimal, then you can choose not to use authentication. </para> <para> - The broadcast and multicast modes require authentication by default. If you have decided to trust the network then you can disable authentication by using <command>disable auth</command> directive in the <filename>ntp.conf</filename> file. Alternatively, authentication needs to be configured by using SHA1 or MD5 symmetric keys, or by public (asymmetric) key cryptography using the Autokey scheme. The Autokey scheme for asymmetric cryptography is explained in the <filename>ntp_auth(8)</filename> man page and the generation of keys is explained in <filename>ntp-keygen(8</filename>). To implement symmetric key cryptography, see <xref linkend="s2_Configuring_symmetric_authentication_using_a_key" /> for an explanation of the <option>key</option> option. + The broadcast and multicast modes require authentication by default. If you have decided to trust the network then you can disable authentication by using <command>disable auth</command> directive in the <filename>ntp.conf</filename> file. Alternatively, authentication needs to be configured by using SHA1 or MD5 symmetric keys, or by public (asymmetric) key cryptography using the Autokey scheme. The Autokey scheme for asymmetric cryptography is explained in the <filename>ntp_auth(8)</filename> man page and the generation of keys is explained in <filename>ntp-keygen(8</filename>). To implement symmetric key cryptography, see <xref linkend="s2_Configuring_Symmetric_Authentication_Using_a_Key" /> for an explanation of the <option>key</option> option. </para> </section> -<section id="s1-Managing_the_time_on_Virtual_Machines"> +<section id="s1-Managing_the_Time_on_Virtual_Machines"> <title>Managing the Time on Virtual Machines</title> <para> Virtual machines cannot access a real hardware clock and a virtual clock is not stable enough as the stability is dependent on the host systems work load. For this reason, para-virtualized clocks should be provided by the virtualization application in use. On &MAJOROS; with <application>KVM</application> the default clock source is <option>kvm-clock</option>. See the <ulink url="http://docs.fedoraproject.org/en-US/Fedora/13/html/Virtualizati... pubwork="chapter">KVM guest timing management</citetitle></ulink> chapter of the <citetitle pubwork="book">Virtualization Host Configuration and Guest Installation Guide</citetitle>. @@ -202,7 +202,7 @@ Virtual machines cannot access a real hardware clock and a virtual clock is not <screen>driftfile /var/lib/ntp/drift</screen> If you change this be certain that the directory is writable by <systemitem class="daemon">ntpd</systemitem>. The file contains one value used to adjust the system clock frequency after every system or service start. - See <link linkend="s1-Understanding_the_drift_file">Understanding the Drift File</link> for more information. + See <link linkend="s1-Understanding_the_Drift_File">Understanding the Drift File</link> for more information. </para> </listitem> </varlistentry> @@ -272,7 +272,7 @@ server 3.rhel.pool.ntp.org iburst</screen> </note> </section> -<section id="s1-Understanding_the_ntpd_sysconfig_file"> +<section id="s1-Understanding_the_ntpd_Sysconfig_File"> <title>Understanding the ntpd Sysconfig File</title> <para> The file will be read by the <systemitem class="daemon">ntpd</systemitem> init script on service start. The default contents is as follows: @@ -302,7 +302,7 @@ To check the status of <systemitem class="daemon">chronyd</systemitem>, issue th </section> - <section id="s1-Checking_if_ntpd_is_installed"> + <section id="s1-Checking_if_the_NTP_Daemon_is_Installed"> <title>Checking if the NTP Daemon is Installed</title> <para> To check if <systemitem class="service">ntpd</systemitem> is installed, enter the following command as root: @@ -311,7 +311,7 @@ To check the status of <systemitem class="daemon">chronyd</systemitem>, issue th </para> </section> - <section id="s1-Installing_the_NTP_daemon_ntpd"> + <section id="s1-Installing_the_NTP_Daemon_ntpd"> <title>Installing the NTP Daemon (ntpd)</title> <para> To install <systemitem class="service">ntpd</systemitem>, enter the following command as <systemitem class="username">root</systemitem>: @@ -344,7 +344,7 @@ synchronised to NTP server (10.5.26.10) at stratum 2 </para> </section> -<section id="s1-Configure_the_firewall_to_allow_incoming_ntp_packets"> +<section id="s1-Configure_the_Firewall_to_Allow_Incoming_NTP_Packets"> <title>Configure the Firewall to Allow Incoming NTP Packets</title> <para> The <systemitem class="protocol">NTP</systemitem> traffic consists of <systemitem class="protocol">UDP</systemitem> packets on port <literal>123</literal> and needs to be permitted through network and host-based firewalls in order for <systemitem class="protocol">NTP</systemitem> to function. @@ -465,7 +465,7 @@ synchronised to NTP server (10.5.26.10) at stratum 2 </para> </section> - <section id="s2_Configure_Rate_Limiting_Access_to_an_NTP_service "> + <section id="s2_Configure_Rate_Limiting_Access_to_an_NTP_Service"> <title>Configure Rate Limiting Access to an NTP Service</title> <para> To rate limit access to the <systemitem class="protocol">NTP</systemitem> service running on a system, make use of the <command>discard</command> command in the <filename>ntp.conf</filename> file. See the commented out example:<screen> @@ -533,7 +533,7 @@ synchronised to NTP server (10.5.26.10) at stratum 2 To add a broadcast or multicast address for sending, that is to say, the address to broadcast or multicast <systemitem class="protocol">NTP</systemitem> packets to, make use of the <command>broadcast</command> command in the <filename>ntp.conf</filename> file. </para> <para> - The broadcast and multicast modes require authentication by default. See <xref linkend="s1-Authentication_options_for_NTP" />.</para> + The broadcast and multicast modes require authentication by default. See <xref linkend="s1-Authentication_Options_for_NTP" />.</para> <para> The <command>broadcast</command> command takes the following form:</para> <synopsis><command>broadcast</command> <replaceable>address</replaceable></synopsis> @@ -573,7 +573,7 @@ synchronised to NTP server (10.5.26.10) at stratum 2 The <command>broadcastclient</command> command takes the following form:</para> <synopsis><command>broadcastclient</command></synopsis> <para> - Enables the receiving of broadcast messages. Requires authentication by default. See <xref linkend="s1-Authentication_options_for_NTP" />. + Enables the receiving of broadcast messages. Requires authentication by default. See <xref linkend="s1-Authentication_Options_for_NTP" />. </para> <para> This command configures a system to act as an <systemitem class="protocol">NTP</systemitem> client. Systems can be both client and server at the same time. @@ -630,7 +630,7 @@ synchronised to NTP server (10.5.26.10) at stratum 2 </para> </section> -<section id="s2_Configuring_the_iburst_option"> +<section id="s2_Configuring_the_iburst_Option"> <title>Configuring the iburst Option</title> <para> To improve the time taken for initial synchronization, add the following option to the end of a server command: @@ -642,7 +642,7 @@ synchronised to NTP server (10.5.26.10) at stratum 2 </para> </section> -<section id="s2_Configuring_symmetric_authentication_using_a_key"> +<section id="s2_Configuring_Symmetric_Authentication_Using_a_Key"> <title>Configuring Symmetric Authentication Using a Key</title> <para> To configure symmetric authentication using a key, add the following option to the end of a server or peer command: @@ -660,12 +660,12 @@ broadcast 192.168.1.255 key 20 manycastclient 239.255.254.254 key 30</screen> </para> <para> - See also <xref linkend="s1-Authentication_options_for_NTP" />. + See also <xref linkend="s1-Authentication_Options_for_NTP" />. </para> </section> -<section id="s2_Configuring_the_poll_interval"> +<section id="s2_Configuring_the_Poll_Interval"> <title>Configuring the Poll Interval</title> <para> To change the default poll interval, add the following options to the end of a server or peer command: @@ -677,7 +677,7 @@ manycastclient 239.255.254.254 key 30</screen> </section> -<section id="s2_Configuring_server_preference"> +<section id="s2_Configuring_Server_Preference"> <title>Configuring Server Preference</title> <para> To specify that a particular server should be preferred above others of similar statistical quality, add the following option to the end of a server or peer command: @@ -711,7 +711,7 @@ manycastclient 239.255.254.254 key 30</screen> </section> </section> -<section id="s1-Configuring_the_hardware_clock_update"> +<section id="s1-Configuring_the_Hardware_Clock_update"> <title>Configuring the Hardware Clock Update</title> <para> To configure the system clock to update the hardware clock once after executing <application>ntpdate</application>, add the following line to <filename>/etc/sysconfig/ntpdate</filename>: