NTP

From Segfault

Chrony

Example chrony.conf for chrony:

server 0.pool.ntp.org
server 0.europe.pool.ntp.org
server 0.de.pool.ntp.org
server 0.north-america.pool.ntp.org

keyfile /etc/chrony/chrony.keys
commandkey 1
driftfile /var/lib/chrony/chrony.drift
log tracking measurements statistics
logdir /var/log/chrony

maxupdateskew 100.0

# Save the measurement history on exit 
dumponexit
dumpdir /var/lib/chrony

# Act as NTP server to local networks
# local stratum 10
# allow 10/8
# allow 192.168/16
# allow 172.16/12

# Note: While binding to localhost is possible, chrony won't be
# able to reach any NTP peers that way.[1]
# bindaddress 127.0.0.1

# Restrict the monitoring and command interface[2]
# bindcmdaddress /var/lib/chrony/chronyd.sock         # sockets are only supported with chronyd 2.1.1[3]
bindcmdaddress   127.0.0.1

# Disable the command port entirely.[4]
# Note: chronyc will no longer be able to connect.
# cmdport 0

# To correct even bigger time differences during startup
# 100000 seconds - 1.2 days
# 200000 seconds - 2.3 days
makestep 200000 10

# Send a syslog message for time changes greater than this
logchange 0.5

# Assume our RTC to be on UTC
rtconutc

$ systemctl restart chrony.service
$ netstat -anptu | grep chrony
udp        0      0 127.0.0.1:123           0.0.0.0:*                           8027/chronyd
udp6       0      0 :::123                  :::*                                8027/chronyd

Force[5] chrony to update the system time:

chronyc -a "burst 4/4"                                   # If chronyd is already running
chronyd -q "server pool.ntp.org iburst"                  # If chronyd is not already running

While this will start a slow but steady adjustment, the following can be used to set the correct time at once:

chronyc -a "burst 4/4" && sleep 10 && chronyc -a makestep
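The comments in the chrony.conf above single out the directives that change what chronyd exposes (bindcmdaddress/cmdport for the command interface, allow for server mode, bindaddress for the NTP socket). As an added example that is not part of the wiki page, the following Python checker parses a chrony.conf the same way chronyd reads it (everything after # is a comment) and reports those settings; SAMPLE_CONF is a constructed input, not the page's configuration.

```python
"""Report exposure-relevant directives in a chrony.conf (added example)."""

# Constructed sample: the command interface is left on a routable address and
# server mode is enabled, so both findings below fire.
SAMPLE_CONF = """\
server 0.pool.ntp.org
keyfile /etc/chrony/chrony.keys
commandkey 1
# bindcmdaddress 127.0.0.1
bindcmdaddress 0.0.0.0
allow 10/8
makestep 200000 10
rtconutc
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_chrony_conf(text):
    """Return (directive, args) tuples; comments and blank lines are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # chronyd treats '#' as comment start
        if not line:
            continue
        name, *args = line.split()
        directives.append((name.lower(), args))
    return directives


def audit(text):
    """Return a list of findings for the parsed configuration."""
    conf = parse_chrony_conf(text)
    findings = []
    # Command interface: reachable from the network unless cmdport is 0 or every
    # explicit bindcmdaddress is a loopback address or a Unix socket path.
    cmdport = next((a[0] for n, a in conf if n == "cmdport" and a), None)
    binds = [a[0] for n, a in conf if n == "bindcmdaddress" and a]
    exposed = [b for b in binds if b not in LOOPBACK and not b.startswith("/")]
    if cmdport != "0" and exposed:
        findings.append("command port bound beyond loopback: " + ", ".join(exposed))
    # Server mode: any 'allow' makes chronyd answer NTP requests for that range.
    allows = [" ".join(a) if a else "all" for n, a in conf if n == "allow"]
    if allows:
        findings.append("serving NTP to: " + ", ".join(allows))
    # NTP socket on loopback only: upstream servers cannot be reached (see note above).
    if any(n == "bindaddress" and a and a[0] in LOOPBACK for n, a in conf):
        findings.append("bindaddress on loopback: upstream servers unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run it against /etc/chrony/chrony.conf (read the file into audit) after editing to confirm the command interface is no longer reachable beyond loopback.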

NTP

NTP is the de-facto standard when it comes to time synchronization software. A very basic /etc/ntp.conf:

Notice the "tinker panic 0"[6] option; it makes sure that ntpd still adjusts the time when the difference is very large, e.g. when suspended virtual machines are resumed.[7]

OpenNTPD

OpenNTPD is nice because it doesn't listen on any network interfaces by default, so it's perfect for a client-only setup:

$ cat /etc/openntpd/ntpd.conf
servers europe.pool.ntp.org
servers us.pool.ntp.org

Start ntpd with -s to set the time immediately at startup if the local clock is off by more than 180 seconds.[8]

rdate

rdate is not really an NTP client but uses the Time Protocol instead. The NIST servers[9][10] still support this protocol. Crontab example:

0  *  *  *  *  rdate -s time.nist.gov | logger -t RDATE

tlsdate

tlsdate is described as a "secure parasitic rdate replacement". If it's not available as a binary package, we will have to build it from source:

sudo apt-get install git ca-certificates autoconf automake libtool libssl-dev

git clone https://github.com/ioerror/tlsdate.git tlsdate-git
cd tlsdate-git
./autogen.sh && ./configure --prefix=/opt/tlsdate
make && sudo make install

Usage:

$ tlsdate -n -V -H github.com
Sun Apr 19 18:19:36 PDT 2015

Omit -n to actually set the system time:

$ sudo tlsdate -V -H github.com
Sun Apr 19 18:21:12 PDT 2015

Note: for TLSv1.2-only servers, one can use "-P sslv23", which is a compatibility option:[11]

$ tlsdate -n -s -P sslv23 -V -H secure.example.org
Sun Apr 19 18:50:29 PDT 2015
