The following sample shows a standard NTP log file that has no extra logging enabled. Each line of the NTP log file begins with the date, the time, the program name, and the process identification (PID). The following samples show the remainder of each log file line.

ntpd version = 4.1.0 precision = 976 usec frequency initialized -66.795 from SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.DRIFT time slew 0.148981 s offset: 0.008022 sec freq: 1.301 ppm poll: 128 sec error: 0.014056 offset: 0.003190 sec freq: 4.218 ppm poll: 256 sec error: 0.007071 offset: -0.000622 sec freq: 4.575 ppm poll: 512 sec error: 0.005358 offset: -0.003216 sec freq: 3.749 ppm poll: 1024 sec error: 0.005610 offset: -0.000899 sec freq: 2.823 ppm poll: 1024 sec error: 0.005710 offset: -0.000299 sec freq: 2.510 ppm poll: 1024 sec error: 0.005468 time slew -0.156010 s offset: 0.002615 sec freq: 4.022 ppm poll: 1024 sec error: 0.005297 offset: -0.002466 sec freq: 3.237 ppm poll: 1024 sec error: 0.005626 offset: 0.000100 sec freq: 1.737 ppm poll: 1024 sec error: 0.006343 offset: 0.002842 sec freq: 2.393 ppm poll: 1024 sec error: 0.006023 offset: 0.000089 sec freq: 3.204 ppm poll: 1024 sec error: 0.006199 offset: 0.001094 sec freq: 3.576 ppm poll: 1024 sec error: 0.005628

The next sample shows an NTP log file with all categories of logging enabled.

ntpd version = 4.1.0 precision = 976 usec frequency initialized 3.157 from SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.DRIFT system event 'event_restart' (0x01) status 'sync_alarm, sync_unspec, 1 event, event_unspec' (0xc010) peer 204.123.2.70 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014) peer 204.123.2.71 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014) peer 16.140.0.12 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014) system event 'event_peer/strat_chg' (0x04) status 'sync_alarm,sync_ntp, 2 events, event_restart' (0xc621) system event 'event_sync_chg' (0x03) status 'leap_none, sync_ntp, 3 events, event_peer/strat_chg' (0x634) system event 'event_peer/strat_chg' (0x04) status 'leap_none, sync_ntp, 4 events, event_sync_chg' (0x643) peer 16.141.40.135 event 'event_reach' (0x84) status 'unreach,conf, 1 event, event_reach' (0x8014) peer 16.141.40.135 event 'event_unreach' (0x83) status 'unreach, conf, 2 events, event_unreach' (0x8023) peer 16.141.40.135 event 'event_reach' (0x84) status 'unreach,conf, 3 events, event_reach' (0x8034) offset: 0.015558 sec freq: 4.407 ppm poll: 128 sec error: 0.008575 peer 16.141.40.135 event 'event_unreach' (0x83) status 'unreach, conf, 4 events, event_unreach' (0x8043) offset: 0.021501 sec freq: 8.734 ppm poll: 512 sec error: 0.015413 peer 16.141.40.135 event 'event_reach' (0x84) status 'unreach,conf, 5 events, event_reach' (0x8054) offset: 0.016173 sec freq: 25.014 ppm poll: 1024 sec error:0.011453 offset: -0.043169 sec freq: 13.291 ppm poll: 1024 sec error: 0.024752 offset: -0.017786 sec freq: 6.005 ppm poll: 1024 sec error:0.025309

13.6 NTP Authentication Support

Authentication support is implemented using the MD5 algorithm to compute a message digest. The servers involved in an association must agree on the key and key identifier used to authenticate their messages.

Keys and related information are specified in a key file. Keys are used for:

• Ordinary NTP associations
• The NTPQ utility program
• The NTPDC utility program

13.6.1 NTP Authentication Commands

Table 13-3 Authentication Commands

Command	Description
keys keys-file	Specifies the file name for the keys file, which contains the encryption keys and key identifiers used by NTP, NTPQ, and NTPDC when operating in authenticated mode.
trustedkey key-ID [...]	Specifies the encryption key identifiers that are trusted for the purposes of authenticating peers suitable for synchronization, as well as keys used by the NTPQ and NTPDC programs. The authentication procedures require that the local and remote servers share the same key ID and key value for this purpose, although different key values can be used with different servers. The key-ID argument is a 32-bit unsigned decimal integer from 1 to 15. Note that the NTP key 0 indicates an invalid key value or key identifier; therefore, it should not be used for any other purpose.
requestkey key-ID	Specifies the key identifier to use with the NTPDC program, which uses a proprietary protocol specific to this implementation of NTP. This program is useful in diagnosing and repairing problems that affect the operation of NTP. For information about NTPDC, see Section 13.7.3. The key-ID argument to this command is an unsigned 32-bit decimal number that identifies the trusted key in the keys file. If the requestkey command is not included in the configuration file, or if the keys do not match, any request to change a server variable is denied.
controlkey key-ID	Specifies the key identifier to use with the NTPQ program, which uses the standard protocol defined in RFC 1305. This program is useful in diagnosing and repairing problems that affect the operation of NTP. For more information about NTPQ, see Section 13.7.4. The key-ID argument to this command is a 32-bit decimal integer that identifies a trusted key in the keys file. If the controlkey command is not included in the configuration file, or if the keys do not match, any request to change a server variable is denied.

Keys are defined in a keys file, as described in Section 13.6.2.

13.6.2 Authentication Key Format

The NTP service reads keys from a keys file that is specified using the keys command in the configuration file. You can supply one or more keys from 1 to 15 in the keys file.

Key entries use the following format:

key-ID key-type key-value

Each entry contains the following:

• key-ID, which is an arbitrary, unsigned 32-bit number (in decimal). The range of possible values is 1 to 15. Key IDs are specified by the requestkey and controlkey statements in the configuration file. The key ID number 0 (56 zero bits) is reserved; it is used to indicate an invalid key ID or key value.
• key-type, which identifies the type of key value. Only one key format, M, is currently supported. This indicates that the MD5 authentication scheme is being used.
• key-value, which is an ASCII string up to 8 characters long. The following characters are not allowed:

  space
  pound sign (#)
  \t
  \n
  \0

Because this file contains authorization data, HP recommends that you limit read access to this file. In particular, you should disable world read access.

The following is a sample keys file:

# # 4 M DonTTelL 6 M hElloWrl 12 M ImASecrt

13.7 NTP Utilities

NTP provides several utility programs that help you manage and make changes to the NTP server. These utilities include:

• NTPDATE, the date and time utility that sets the local date and time by polling the specified server. Run NTPDATE manually or from the host startup script to set the clock at boot time before NTP starts.
  NTPDATE does not set the date if NTP is already running on the same host.
  For information about using NTPDATE, see Section 13.7.1.
• NTPTRACE, the trace utility that follows the chain of NTP servers back to their master time source. For information about using NTPTRACE, see Section 13.7.2.
• NTPDC, the special query program that provides extensive state and statistics information and allows you to set configuration options at run time. Run this program in interactive mode or with command-line arguments.
  For information about using NTPDC, see Section 13.7.3.
• NTPQ, the standard query program that queries NTP servers about their current state and requests changes to that state.
  For information about using NTPQ, see Section 13.7.4.
• NTP_GENKEYS, the random key generator program that generates random keys that are used by the NTP Version 3 and NTP Version 4 symmetric key authentication scheme.
  For information about using NTP_GENKEYS, see Section 13.7.5.
  To define the commands described in the following sections, run the following procedure:

  $ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS.COM

The NTPDATE program sets the local date and time by polling a specified server or servers to determine the correct time. A number of samples are obtained from each of the servers specified, and a subset of the NTP clock filter and selection algorithms are applied to select the best samples. The accuracy and reliability of NTPDATE depends on the number of servers it polls, the number of polls it makes each time it runs, and the interval length between runs.

Run NTPDATE manually to set the host clock or from the host startup file to set the clock at boot time. In some cases, it is useful to set the clock manually before you start NTP. The NTPDATE program makes time adjustments (called "stepping the time") by calling the OpenVMS routine SYS$SETIME.

Enter specific commands using the following format:

NTPDATE [option...] host [host...]

For example, the following command sets the clock based on the time provided from one of the specified hosts (BIRDY, OWL, or FRED):

$ NTPDATE BIRDY OWL FRED

NTP sets the date and time by polling the servers you specify as arguments to the command. Samples are obtained from each of the specified servers. NTP then analyzes the results to select the best server to use as a time source. Table 13-4 describes the NTPDATE command options.

Table 13-4 NTPDATE Options

Option	Description
-d	Changes the time and prints information useful for debugging.
-o version	Specifies the NTP version (1, 2, or 3) for outgoing packets (for compatibility with older versions of NTP). Version 4 is the default.
-p n	Specifies the number of samples NTPDATE acquires from each server. The default is 4. You can specify from 1 to 8.
-q	Specifies a query only; does not set the clock.

13.7.2 Tracing a Time Source with NTPTRACE

Use the NTPTRACE utility to determine the source from which an NTP server obtains its time. NTPTRACE follows the chain of time servers back to the master time source.

Use the following syntax when entering commands:

NTPTRACE [option...]

The following example shows output from an NTPTRACE command. In the following example, the chain of servers is from the local host to the stratum 1 server FRED, which is synchronizing to a GPS reference clock:

$ NTPTRACE LOCALHOST: stratum 3, offset -0.000000, synch distance1.50948 parrot.birds.com: stratum 2, offset -0.126774, synch distance 0.00909 fred.birds.com: stratum 1, offset -0.129567, synch distance 0.00168, refid 'GPS'

All times are in seconds. The output fields on each line are as follows:

• Host name
• Host stratum
• Time offset between the host and the local host (not always zero for LOCALHOST).
• Synchronization distance
• Reference clock ID (only for stratum 1 servers)

Table 13-5 describes the NTPTRACE command options.

Table 13-5 NTPTRACE Options

Option	Description
-d	Enables debugging output.
-n	Displays IP addresses instead of host names. This may be necessary if a name server is down.
-r retries	Sets the number of retransmission attempts for each host. The default is 5.
-t timeout	Sets the retransmission timeout (in seconds). The default is 2.
-v	Displays additional information about the NTP servers.

13.7.3 Making Run-Time Requests with NTPDC

You can make run-time changes to NTP with query commands by running the NTPDC utility. NTPDC displays time values in seconds.

Run-time requests are always authenticated requests. Authentication not only provides verification that the requester has permission to make such changes, but also gives an extra degree of protection against transmission errors.

The reconfiguration facility works well with a server on the local host and between time-synchronized hosts on the same LAN. The facility works poorly for more distant hosts. Authenticated requests include a timestamp. The server compares the timestamp to its receive timestamp. If they differ by more than a small amount, the request is rejected for the following reasons:

• To make it more difficult for an intruder to overhear traffic on your LAN.
• To make it more difficult for topologically remote hosts to request configuration changes to your server.

To run NTPDC, enter the following command:

$ NTPDC NTPDC>

At the NTPDC> prompt, enter the appropriate type of command from the following list:

• Interactive commands
• Control commands
• Run-time configuration request commands

The following sections describe the NTPDC commands.

13.7.3.1 NTPDC Interactive Commands

Interactive commands consist of a command name followed by one or more keywords. The interactive commands include:

• help [command-keyword]
  Enter a question mark (?) to display a list of all the command keywords known to this version of NTPDC. Enter a question mark followed by a command keyword to display information about the function and use of the command.
• host hostname
  Sets the host to which future queries will be sent. The hostname can be either a host name or a numeric address.
• hostnames [ yes | no ]
  If you specify yes , host names are displayed. If you specify no , numeric addresses are displayed. The default is yes unless you include the -n option on the command line, as described in Table 13-5.
• keyid key-ID
  Specifies the key number to be used to authenticate configuration requests. This must correspond to a key number the server has been configured to use for this purpose.
• quit
  Exits NTPDC.
• passwd
  Prompts you to enter a password (not echoed) to be used to authenticate configuration requests. The password must correspond to the key configured for use by the NTP server for this purpose.
• timeout milliseconds
  Specify a timeout period for responses to server queries. The default is about 8000 milliseconds (8 seconds). Because NTPDC retries each query once after a timeout, the total waiting time for a timeout is twice the timeout value set.

Control message commands request information about the server. These are read-only commands in that they make no modification of the server configuration state.

The NTPDC control message commands include:

• listpeers
  Displays a brief list of the peers for which the server is maintaining state. These include all configured peer associations as well as peers whose stratum is such that the server considers them to be possible future synchronization candidates.
• peers
  Obtains a list of peers for which the server is maintaining state, along with a summary of that state. The summary information includes:
  • The address of the remote peer
  • The local interface address (0.0.0.0 if a local address has not been determined)
  • The stratum of the remote peer (a stratum of 16 indicates the remote peer is unsynchronized)
  • The polling interval (in seconds)
  • The reachability register (in octal)
  • The current estimated delay, offset, and dispersion of the peer (in seconds)
  
  In addition, the character in the left margin indicates the operating mode of this peer entry, as follows:

  Plus sign (+) denotes symmetric active.
  Minus sign (-) indicates symmetric passive.
  Equals sign (=) means the remote server is being polled in client mode.
  Up arrow (^) indicates that the server is broadcasting to this address.
  Tilde (~) denotes that the remote peer is sending broadcasts.
  Asterisk (*) marks the peer to which the server is currently synchronizing.

  
  The contents of the host field can be one of the following four forms:
  • Host name
  • IP address
  • Reference clock implementation name with its parameter
  • REFCLK (implementation number parameter)
  
  If you specify hostnames no , only IP addresses are displayed.
• dmpeers
  Displays a slightly different peer summary list, identical to the output of the peers command except for the character in the leftmost column. Characters appear only beside peers that were included in the final stage of the clock selection algorithm:

  Dot (.) indicates that this peer was rejected in the "falseticker" detection.
  Plus sign (+) indicates that the peer was accepted.
  Asterisk (*) denotes the peer to which the server is currently synchronizing.

• showpeer peer-address [...]
  Shows a detailed display of the current peer variables for one or more peers.
• pstats peer-address [...]
  Shows per-peer statistics counters associated with the specified peers.
• loopinfo [ oneline | multiline ]
  Displays the values of selected loop-filter variables. The loop filter is the part of NTP that adjusts the local system clock. These options include:
  • offset --- the last offset given to the loop filter by the packet processing code.
  • frequency --- the frequency error of the local clock (in parts per million).
  • time_const --- controls the stiffness of the phase-lock loop and, therefore, the speed at which it can adapt to oscillator drift.
  • watchdog timer --- the number of seconds that have elapsed since the last sample offset was given to the loop filter.
  
  The oneline and multiline options specify the format in which this information is to be displayed; multiline is the default.
• sysinfo
  Displays a variety of system state variables, such as the state related to the local server. These variables include:
  • system flags --- shows various system flags, some of which can be set and cleared by the enable and disable configuration commands, respectively. These are the auth , bclient , monitor , ntp , and stats flags.
  • stability --- the residual frequency error remaining after the system frequency correction is applied. It is intended for maintenance and debugging.
  • broadcastdelay --- shows the default broadcast delay as set by the broadcastdelay configuration command.
  • authdelay --- shows the default authentication delay as set by the authdelay configuration command.
• sysstats
  Displays statistics counters maintained in the protocol module.
• memstats
  Displays statistics counters related to memory allocation code.
• iostats
  Displays statistics counters maintained in the input/output module.
• timerstats
  Displays statistics counters maintained in the timer/event queue support code.
• reslist
  Displays the server's restriction list. This list is displayed in the order in which the restrictions are applied.
• monlist [ version]
  Displays traffic counts collected. This information is maintained by the monitor facility. Normally you do not need to specify the version number.