On 2023-06-07 02:37, Rob Janssen wrote:
> Yes I was using the "ntp" package before. I have upgraded and it installed "ntpsec". I tried to remove it as I have no need for the "security" part but it removed "ntp" as well.
And then you presumably reinstalled it. Did this result in you starting over with a default ntp.conf, where you then manually removed (or commented out) the pool lines and added your server lines?
NTPsec is a fork of NTP. Most of the security benefit of NTPsec comes from NTPsec simply removing and cleaning up decades of code cruft in NTP. NTPsec is a drop-in replacement for NTP.

> Please don't fall in the common trap of trying to make everything "top secure" and then making it unusable or causing problems for people that do not require that.
> It looks like "ntp" is only a dummy package.

In Debian, NTPsec was packaged alongside NTP for some time. This release cycle, the Debian ntp maintainer suggested it was time to retire ntp, and the consensus was to do so and migrate existing ntp installs to ntpsec:
https://lists.debian.org/debian-devel/2022/01/msg00172.html

> Probably you should put that
> config line commented in the default config so people who like it can
> easily enable it.

This configuration exists for correctness. If a given system has two time sources and they disagree, which one is correct? There is no way to be sure. If you have three sources, then you take whichever two agree.
"A man with a watch knows what time it is. A man with two watches is never sure."
https://en.wikipedia.org/wiki/Segal%27s_law

If you're only running your own servers, then the best practice is to run 3 (or more) servers. (Some sources say 4, so if one server is down, you can still detect a falseticker.) And I say that as someone who runs two. But my clients use my two servers plus the pool.
https://access.redhat.com/solutions/58025
https://www.tenable.com/audits/items/CIS_Cisco_NX-OS-v1.0.0_Level_2.audit:6a5be86b59dc9342bd22dfc2b7c70cb4
https://insights.sei.cmu.edu/blog/best-practices-for-ntp-services/
https://labs.ripe.net/author/christer-weinigel/best-practices-for-connecting-to-ntp-servers/

-- 
Richard
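
Added example, not part of the original message and not ntpd or NTPsec code: a simplified majority-intersection vote showing why two disagreeing sources give no verdict, three expose the falseticker, and a fourth keeps that ability when one server is down. Server names, offsets and error bounds are constructed.

```python
# Simplified illustration of majority agreement between time sources.
# Each source is (name, offset_seconds, error_bound_seconds); all values constructed.

def classify(sources):
    """Return truechimers/falsetickers, or None if no strict majority agrees."""
    edges = []
    for name, offset, err in sources:
        edges.append((offset - err, 0, name))  # interval opens (0 sorts before 1)
        edges.append((offset + err, 1, name))  # interval closes
    edges.sort()

    # Sweep left to right, remembering the first region where the
    # greatest number of correctness intervals overlap.
    active, best_set = set(), set()
    for _, kind, name in edges:
        if kind == 0:
            active.add(name)
            if len(active) > len(best_set):
                best_set = set(active)
        else:
            active.discard(name)

    # Fewer than a strict majority in agreement: nobody can be trusted.
    if len(best_set) * 2 <= len(sources):
        return None
    names = {name for name, _, _ in sources}
    return {"truechimers": sorted(best_set),
            "falsetickers": sorted(names - best_set)}

# Constructed sample: ntp2 is 850 ms off, the others are within a few ms.
TWO = [("ntp1", 0.002, 0.010), ("ntp2", 0.850, 0.010)]
THREE = TWO + [("ntp3", -0.001, 0.010)]
FOUR = THREE + [("ntp4", 0.004, 0.010)]
THREE_ONE_DOWN = [s for s in THREE if s[0] != "ntp3"]  # a good server is down
FOUR_ONE_DOWN = [s for s in FOUR if s[0] != "ntp1"]    # a good server is down

if __name__ == "__main__":
    for label, group in [("two", TWO), ("three", THREE),
                         ("three, one down", THREE_ONE_DOWN),
                         ("four, one down", FOUR_ONE_DOWN)]:
        print(f"{label}: {classify(group)}")
```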