NTP is a time synchronisation service used to keep the clocks of hosts on a network in step. On Linux, install it with:
yum install ntp
Explanation of the configuration file /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery    # deny every host by default; the restrict lines below open access selectively
#restrict default modify                                 # would allow every host to connect
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1    # allow the loopback address
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 10.8.117.0 mask 255.255.255.0 nomodify            # the 10.8.117.0 subnet may connect but not modify the server
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrust  # the 192.168.10.0 subnet may connect but is not trusted by default: it must authenticate
restrict 10.8.116.0 mask 255.255.255.0 nomodify

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org    # upstream time servers
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
server time.stdtime.gov.tw prefer

#broadcast 192.168.1.255 key 42         # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 key 42             # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 key 42  # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0    # local clock: the server's own internal clock as a fallback source
fudge 127.127.1.0 stratum 10

# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys    # where the MD5 keys used for authentication are stored

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
trustedkey 4 8 42    # which key ids are trusted

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8
Security
notrap: do not provide the remote event-logging (trap) service
notrust: the client must provide authentication
nomodify: do not let clients modify the time parameters of this server; time synchronisation over the network is still allowed
noquery: refuse client queries (this blocks ntpq/ntpdc status queries; serving time itself is unaffected)
ignore: refuse all NTP traffic
MD5 key generation
[root@huan ~]# ntp-keygen -M
Using OpenSSL version 90802f
Random seed file /root/.rnd 1024 bytes
Generating MD5 keys...
Generating new MD5 file and link
ntpkey_MD5_huan.com->ntpkey_MD5key_huan.com.3696848019
Generating RSA keys (512 bits)...
RSA 0 8 12 1 11 24 3 1 2
Generating new host file and link
ntpkey_host_huan.com->ntpkey_RSAkey_huan.com.3696848019
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_huan.com->ntpkey_RSA-MD5cert_huan.com.3696848019
The key file is written to the home directory as ~/ntpkey_MD5key_huan.com.3696848019; copy it to /etc/ntp/keys, the path named by the keys directive.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
#
#65535  M  akey
#1      M  pass
# ntpkey_MD5key_huan.com.3696848019
# Thu Feb 23 22:13:39 2017
 1 MD5 4Ty+F=}TweR;KoX  # MD5 key
 2 MD5 %>\u]cuR]&{U)PM  # MD5 key
 3 MD5 }l`]~;_(=Hzjpp+  # MD5 key
 4 MD5 +&":$)dll2IM0CA  # MD5 key
 5 MD5 `&.oX2hp'sMMD"r  # MD5 key
 6 MD5 3-QlatYBazg18tb  # MD5 key
 7 MD5 $W*ElJr=t_,,g^N6Vhsd  # MD5 key
 9 MD5 D&%-=qbm ]{/`0]U.  # MD5 key
14 MD5 ChD"Gwc{[a\SMXK  # MD5 key
15 MD5 vgU!;"XOOsps[%w  # MD5 key
16 MD5 &G)C)
Check whether the local NTP server is healthy with watch ntpq -p
[root@huan ~]# watch ntpq -p
Every 2.0s: ntpq -p                                    Thu Feb 23 15:57:06 2017

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 61-216-153-104. 211.22.103.158   3 u  277   64  260   61.655   19.030   2.011
+ntp1.ams1.nl.le 130.133.1.10     2 u    9   64  377  186.245   11.931   0.344
+2001:1af8:4700: 130.133.1.10     2 u   17   64  377  385.413   -1.070  19.065
*2001:b031:5c02: 192.168.0.3      2 u    9   64  377  409.217   -0.232  21.774
 LOCAL(0)        .LOCL.          10 l   13   64  377    0.000    0.000   0.001

remote: the remote server
refid: the address of the remote server's own upstream; the remote server in turn takes its time from that upstream
st: stratum of the remote server
t: type of association; u = unicast, l = local reference clock
when: seconds since the last successful request
poll: how often the local host polls the remote, in seconds; the interval is short while the association is still unstable and grows once it settles, up to 256
reach: number of successful contacts with the remote; it is generally stable after 17 or more (ntpq prints this field as an 8-bit shift register in octal, so 377 means the last eight polls all succeeded)
delay: round-trip time between the local host and the remote
offset: time difference between the local host and the remote
jitter: variation of the offset over the recent samples; smaller is better
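An added example, not part of the original post: a small parser for the ntpq -p output above that decodes the octal reach field and flags what a defender looks for (no system peer, missed polls, large offset). The sample input is constructed from the table above; the function names parse_ntpq and health are assumptions.

```python
# Added example: parse `ntpq -p` output and flag unhealthy peers.
# SAMPLE_NTPQ is constructed from the table above, not a live capture.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 61-216-153-104. 211.22.103.158   3 u  277   64  260   61.655   19.030   2.011
+ntp1.ams1.nl.le 130.133.1.10     2 u    9   64  377  186.245   11.931   0.344
*2001:b031:5c02: 192.168.0.3      2 u    9   64  377  409.217   -0.232  21.774
 LOCAL(0)        .LOCL.          10 l   13   64  377    0.000    0.000   0.001
"""

# Tally code in column 0: how ntpd's clock-selection algorithm classified the peer.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "backup", "o": "pps peer", " ": "rejected/unreachable"}


def parse_ntpq(text):
    """Return one dict per peer line; reach is converted from octal to an int."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[2] == "st" or line.startswith("="):
            continue  # header line, ==== rule, or something that is not a peer line
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append({
            "tally": TALLY.get(line[0], "unknown"), "remote": remote, "refid": refid,
            "stratum": int(st), "type": t, "poll": int(poll),
            "reach": int(reach, 8),  # ntpq prints this 8-bit register in octal
            "delay_ms": float(delay), "offset_ms": float(offset), "jitter_ms": float(jitter),
        })
    return peers


def health(peers, max_offset_ms=128.0):
    """Problems a defender watches for: no system peer (the daemon is not synchronised
    and will not serve usable time), missed polls in the reach register, and offsets
    beyond ntpd's 128 ms step threshold. Returns a list of (remote, problem)."""
    problems = []
    if not any(p["tally"] == "system peer" for p in peers):
        problems.append(("(all)", "no system peer selected: daemon is not synchronised"))
    for p in peers:
        missed = 8 - bin(p["reach"]).count("1")
        if missed:
            problems.append((p["remote"], "%d of the last 8 polls missed (reach %o)" % (missed, p["reach"])))
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append((p["remote"], "offset %.3f ms exceeds %.0f ms" % (p["offset_ms"], max_offset_ms)))
    return problems
```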
Test with two PCs on the LAN: 10.8.116.111 is the NTP server, 10.8.116.8 is a LAN host.
Since the 10.8.116.0 subnet is allowed to connect:
root@qa-VL:~# date -s "2011-1-1"    # the client deliberately sets its clock wrong
Sat Jan  1 00:00:00 CST 2011
root@qa-VL:~# date
Sat Jan  1 00:00:01 CST 2011
root@qa-VL:~# ntpdate 10.8.116.111    # the client asks the server for the time
23 Feb 16:32:59 ntpdate[647]: step time server 10.8.116.111 offset 194027559.388183 sec
root@qa-VL:~# date    # verify
Thu Feb 23 16:33:01 CST 2017
Time synchronisation from the server with authentication
First copy /etc/ntp/keys from the server to /etc/ntp.keys on the client (the key file ntpdate reads by default); -a 4 then tells ntpdate to authenticate with key id 4.
root@qa-VL:~# scp root@10.8.116.111:/etc/ntp/keys /etc/ntp.keys
The authenticity of host '10.8.116.111 (10.8.116.111)' can't be established.
RSA key fingerprint is 63:57:2f:55:ab:b6:ab:cf:10:7f:d9:f9:6d:5b:ae:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.116.111' (RSA) to the list of known hosts.
root@10.8.116.111's password:
keys                                          100%  680     0.7KB/s   00:00
root@qa-VL:~# ntpdate -d -a 4 10.8.116.111
23 Feb 16:44:07 ntpdate[674]: ntpdate 4.2.6p3@1.2290-o Tue Jun  5 20:12:12 UTC 2012 (1)
Looking for host 10.8.116.111 and service ntp
host found : huan.local
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
receive(10.8.116.111)
receive: authentication passed
transmit(10.8.116.111)
server 10.8.116.111, port 123
stratum 11, precision -20, leap 00, trust 000
refid [10.8.116.111], delay 0.02582, dispersion 0.00002
transmitted 4, in filter 4
reference time:    dc591ead.357266ee  Thu, Feb 23 2017 16:41:17.208
originate timestamp: dc591f5d.de62f183  Thu, Feb 23 2017 16:44:13.868
transmit timestamp:  dc591f5d.de0c01f0  Thu, Feb 23 2017 16:44:13.867
filter delay:  0.02583  0.02582  0.02582  0.02586  0.00000  0.00000  0.00000  0.00000
filter offset: 0.001206 0.001172 0.001117 0.001127 0.000000 0.000000 0.000000 0.000000
delay 0.02582, dispersion 0.00002
offset 0.001172

23 Feb 16:44:15 ntpdate[674]: adjust time server 10.8.116.111 offset 0.001172 sec
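An added example, not from the original post, showing what the "authentication passed" lines above actually check: NTPv4 symmetric-key authentication with the ntp.keys file format shown earlier, and the server-side decision that notrust and trustedkey enforce. The key file here is a constructed sample, not the page's keys, and parse_keys, client_packet, sign and verify are assumed names.

```python
import hashlib
import hmac
import struct

# Added example: NTPv4 symmetric-key authentication (RFC 5905, sec. 7.3).
# A MAC = key id (32 bits) || MD5(key || 48-byte header) follows the header.
# Constructed sample file in the ntp.keys format shown above (not the page's keys).
SAMPLE_KEYS = """\
# ntpkey_MD5key_example (constructed)
1 MD5 a3f9QzkLm2pW8eXY        # ASCII key (20 chars or fewer)
4 MD5 +constructedKey4        # the id the client uses below
8 MD5 00112233445566778899aabbccddeeff00112233  # longer than 20 chars: hex
"""
TRUSTEDKEY = {4, 8}  # mirrors `trustedkey 4 8 42`; key 1 exists but is untrusted


def parse_keys(text):
    """Parse 'keyid type key [# comment]' lines (MD5/M type only, an assumption)."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, key = line.split(None, 2)
        if ktype.upper() not in ("MD5", "M"):
            raise ValueError("unsupported key type: " + ktype)
        keys[int(keyid)] = bytes.fromhex(key) if len(key) > 20 else key.encode("ascii")
    return keys


def client_packet():
    """48-byte NTPv4 client header: LI=0, VN=4, mode=3 (0x23); other fields zero."""
    return struct.pack("!BBbbIIIQQQQ", 0x23, *([0] * 10))


def sign(packet, keyid, keys):
    """Client side: append the key id and the MD5 digest over key || packet."""
    return packet + struct.pack("!I", keyid) + hashlib.md5(keys[keyid] + packet).digest()


def verify(msg, keys, trusted):
    """Server side, as a notrust + trustedkey peer decides: returns (accepted, reason)."""
    if len(msg) != 68:  # header + 4-byte key id + 16-byte MD5 digest
        return False, "no valid MAC: rejected by notrust"
    header, keyid, mac = msg[:48], struct.unpack("!I", msg[48:52])[0], msg[52:]
    if keyid not in keys:
        return False, "unknown key id %d" % keyid
    if keyid not in trusted:
        return False, "key id %d not in trustedkey" % keyid
    if not hmac.compare_digest(mac, hashlib.md5(keys[keyid] + header).digest()):
        return False, "bad MAC"
    return True, "authentication passed"
```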
A third-party device (a firewall) synchronises its time from this server; the 10.8.117.0 subnet is configured with notrust.
Configuration on the firewall:
NTP Server: 10.8.116.111
NTP Auth Type: MD5
Trust Key No: 4
Key Number: 4
password: +&":$)dll2IM0CA    # the MD5 key for key id 4
Packet capture on the client
Server side
Notes:
After the server starts it needs some time to finish its own synchronisation, and during that period it does not serve time; watch the reach value with watch ntpq -p.
With notrust added to a subnet, version 4.1 only meant "do not trust this host as a time source", whereas in 4.2 it means the client must authenticate.
References
http://blog.csdn.net/gycool21/article/details/51746174 (comprehensive, covers everything)
http://blog.chinaunix.net/uid-71729-id-605471.html (ntpq -p fields explained)