Board: FB_security
Title: Re: NTP security hole CVE-2013-5211? (Gary Palmer)
Posted from: NCTU CS FreeBSD Server (Wed Mar 26 10:33:15 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
<<On Wed, 26 Mar 2014 07:08:57 +0200, Kimmo Paasiala <[email protected]> said:
> I believe Gary was talking about changing the control/status port
> and not the actual service port (UDP 123). That should be doable
> without breaking compatibility with existing NTP tools.
NTP does not have a separate "control/status port"; all NTP operations
that could be called "control" and "status" use the NTP protocol and
the NTP port. If you configure your NTP server correctly (or start
from a good default configuration), these operations will be
restricted using NTP's built-in authentication and access-control
mechanisms. In NTP-speak, the relevant packets are known as "mode 6"
and "mode 7" messages. ntpq and ntpdc, since they run as non-root,
will obviously use an ephemeral source port.
Historically (not sure if it's still true), ntpd would generate a
random key on startup and then fork a process to read the
configuration file and handle DNS resolution; the child process would
then use mode 7 messages to add associations in the main server
process as each host name was resolved.
-GAWollman
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
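As an added example (not code from the list post or from ntpd itself), a small Python audit that parses the `restrict` lines of an ntp.conf and reports whether the mode 6/7 queries discussed above are still answerable from arbitrary hosts. Both sample configurations are constructed, and the parser treats a bare `restrict default` as covering both address families.

```python
"""Audit an ntp.conf for whether NTP mode 6/7 (ntpq/ntpdc) queries are
answerable from arbitrary clients. Both sample configs are constructed."""

# Constructed weak sample: no 'restrict' lines, so ntpd (which permits
# everything by default) answers mode 6/7 queries from anyone.
WEAK_CONF = """\
server 0.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
"""

# Constructed hardened sample: deny queries by default, trust only localhost.
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

def parse_restrict_lines(conf):
    """Map each 'restrict' scope to its flag set. A 'default' rule with an
    explicit -4/-6 is keyed 'default4'/'default6'; bare 'default' covers both."""
    rules = {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenise
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        tokens, family = parts[1:], ""
        if tokens[0] in ("-4", "-6"):
            family, tokens = tokens[0][1], tokens[1:]
        if not tokens:
            continue
        scope = tokens[0] + (family if tokens[0] == "default" else "")
        rules[scope] = set(tokens[1:])
    return rules

def query_exposure(conf):
    """Return address families whose default rule still answers mode 6/7
    queries. Only 'noquery' or 'ignore' blocks them; 'nomodify' alone stops
    runtime reconfiguration but leaves information queries (including the
    mode 7 monlist request behind CVE-2013-5211) reachable."""
    rules = parse_restrict_lines(conf)
    exposed = []
    for family in ("4", "6"):
        flags = rules.get("default" + family, rules.get("default"))
        if flags is None or not (flags & {"noquery", "ignore"}):
            exposed.append("IPv" + family)
    return exposed
```

Running `query_exposure` over a real `/etc/ntp.conf` gives an empty list only when both families deny queries by default; a `restrict` line that has `nomodify` but lacks `noquery` is reported as exposed.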