ntp vs. ntpd vs. NTPsec

albiurs · October 2024

Hello again :-)

I found that the file /etc/ntp.conf doesn't exist in Debian 12 but /etc/ntpsec/ntp.conf. So it looks like there has even more changed since the chapter 27 has been written.

While examining the files and services, I got somehow confused.

When reading the ntp info page, it says that it depends on ntpsec:

┌──(alu@nb)-[/etc]
└─$ apt info ntp
Package: ntp
Version: 1:4.2.8p15+dfsg-2~1.2.2+dfsg1-1+deb12u1
Priority: optional
Section: net
Source: ntpsec (1.2.2+dfsg1-1+deb12u1)
Maintainer: Richard Laager <rlaager@debian.org>
Installed-Size: 63.5 kB
Depends: ntpsec
Homepage: https://www.ntpsec.org
Tag: admin::benchmarking, admin::configuring, implemented-in::c,
 interface::commandline, interface::daemon, network::server,
 network::service, protocol::TODO, role::program, scope::utility,
 use::monitor, use::timekeeping
Download-Size: 22.0 kB
APT-Sources: http://deb.debian.org/debian bookworm/main amd64 Packages
Description: Network Time Protocol daemon/utilities (transitional package)
 This is a dummy transitional package to transition to NTPsec.
 It can be safely removed.

Does this package just linking to the follow-up ntpsec package and therefore, it depends on ntpsec and can be removed as mentioned in the info pages description?

In addition there are two services, which seem to be the same:

ntp.service
ntpsec.service

┌──(alu@nb)-[/etc/ntpsec]
└─$ systemctl status ntp.service 
● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-10-16 13:40:29 CEST; 17min ago
       Docs: man:ntpd(8)
    Process: 33814 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 33817 (ntpd)
      Tasks: 1 (limit: 76726)
     Memory: 2.4M
        CPU: 95ms
     CGroup: /system.slice/ntpsec.service
             └─33817 /usr/sbin/ntpd -p /run/ntpd.pid -g -N -c /run/ntpsec/ntp.conf.dhcp -u ntpsec:ntpsec
 
┌──(alu@nb)-[/etc/ntpsec]
└─$ systemctl status ntpsec.service 
● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-10-16 13:40:29 CEST; 17min ago
       Docs: man:ntpd(8)
    Process: 33814 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 33817 (ntpd)
      Tasks: 1 (limit: 76726)
     Memory: 2.4M
        CPU: 96ms
     CGroup: /system.slice/ntpsec.service
             └─33817 /usr/sbin/ntpd -p /run/ntpd.pid -g -N -c /run/ntpsec/ntp.conf.dhcp -u ntpsec:ntpsec

These two services just look to be setup as aliases. Why is that? For backwards compatibility?

And finally, in the Lab 27.1 it's written to restart the services with:

# systemctl restart ntpd
# systemctl restart ntp

What's the difference of the two and is ntpsec the replacement for the former ntpd?

Thanks,
Urs

luisviveropena · October 2024

Hi Urs,

I'll try to point to in the right direction.

What's the difference of the two and is ntpsec the replacement for the former ntpd?

That's correct. You can find more information here:

https://docs.ntpsec.org/latest/ntpsec.html

These two services just look to be setup as aliases. Why is that? For backwards compatibility?

From the URL provided:

"We retain, however, almost full compatibility and interoperation with NTP Classic. The qualification "almost" is required mainly because we do not support the Autokey (RFC 5906) public-key encryption scheme. It had interoperability and exploitable vulnerability issues too severe to be patched. We have also dropped broadcast and anycast modes because they cannot be secured".

So, it seems somethings are being kept for compatibility, let's say if you already have a full systems working with NTP, you will be able to run these operations.

For checking on the dependencies, you can do this:

apt show ntpsec

And then you will know for certain if you can remove ntp.

Also, about the services, you can see ir here:

ubuntu@master:/etc/systemd/system$ ls -l ntpd*
lrwxrwxrwx 1 root root 38 Oct 15 11:07 ntpd.service -> /usr/lib/systemd/system/ntpsec.service

So, the ntpd service is pointing to the ntpdsec service.

I hope that helps to answer your questions!!

Regards,
Luis.

albiurs · October 2024

Hi Luis,
Great, thank you very much. That's very helpful.
Regards,
Urs

luisviveropena · October 2024

Hi Urs, it's a pleasure!

Regards,
Luis.

maxima120 · February 1

I always thought that Linux exists to avoid exactly that - someone telling you how to run your systems. Isnt it what Linux is about? To give users freedom and avoid "evil corporations" meddling in every nuance of your life?

Now to the point - you want to help you users (who you obviously believe to be clueless lambs) to not get hacked. Thats fine. You quietly replaced A with B (that is not fine but nothing I can do about it). But you absolutely have to give options for users who wants ntp and not ntpsec. A script or whatever that we can run to rid off the symlinks and other shenanigans. I want to be hacked it is my machine and my decision.

luisviveropena · February 1

Hi @maxima120,

In general, software improves, evolves and get fixed. I could mention FTP/vsftpd/scp ,etc. Also SSL/TLS, in terms of security improvements. And that's good for services, servers, security of the information, organizations, etc.

Regards,
Luis.

ntp vs. ntpd vs. NTPsec

Welcome!

Answers

Welcome!

Welcome!

Quick Links

Categories

Upcoming Training

Kubernetes Administration (LFS458)

Linux System Administration (LFS301)

Open Source Virtualization (LFS462)

Linux Kernel Debugging and Security (LFD440)