[systemd-devel] systemd-timesyncd - use unprivileged ports

Jędrzej Dudkiewicz jedrzej.dudkiewicz at gmail.com
Wed Mar 11 19:17:38 UTC 2020


On Wed, Mar 11, 2020 at 5:52 PM Mantas Mikulėnas <grawity at gmail.com> wrote:
>
> Well, are you asking about the *source* port or about the *destination* port? There are two on every UDP packet.

Sorry, of course source port - I spent so much time trying to
synchronize time using systemd-timesyncd and ntpdate that I couldn't
think about any other port - well, context is everything.

> The source port is *not* from the privileged range -- systemd-timesyncd always just lets the OS choose a random port from the ephemeral range. (I have seen some other NTP clients such as Windows insist on using 123 as both source and destination, but that's not the case with systemd-timesyncd nor with most other SNTP clients.)

Ok, this seems to be an obvious solution - yet ntpd and ntpdate by
default bind to local 123 port - I see that systemd does the sensible
thing.

> The destination port has to be from the privileged range (specifically 123) because that's what NTP servers *listen on* -- the client cannot decide on a different port entirely on its own; you'd need to run your own NTP server configured to use a different port.

Yes.

> Although if you already have an NTP server listening on a different port, then unfortunately no, systemd-timesyncd does not currently have a config option for that. It seems port 123 is hardcoded in manager_connect(), most likely because that's what every public NTP server uses.

No, this is a Windows server, and after running `ntpdate -u <ip>` I can
synchronize time just fine.


Now one more question - I read that to run properly, systemd-timesyncd
needs systemd-networkd successfully started. This is true in my case -
systemd-networkd reports success. I have server IP set in
`/etc/systemd/timesyncd.conf` file like this:

[Time]
NTP=<IP>

Note that these devices run Debian 9.4, so not only an old version, but
also a distribution that isn't known for being on the cutting edge.

And one more question: what is systemd-timedated? It seems that it is
exactly the same thing, but I don't think this is true?

Thanks in advance,

JD


> (Really I can't really think of any good purpose for such a block -- if anything, I'd expect to see the opposite, i.e. services on low ports allowed, the rest blocked. Does your network block DNS on port 53, too?)

> On Wed, Mar 11, 2020 at 6:34 PM Jędrzej Dudkiewicz <jedrzej.dudkiewicz at gmail.com> wrote:
>>
>> Hi,
>>
>> I have quite a few devices running Linux in a client's network - so I
>> have no control over it. It seems that all privileged UDP ports are
>> blocked; I have to use an unprivileged port. I'd like to use
>> systemd-timesyncd to synchronize time, though I can't find a way to
>> force it to use an unprivileged port. Is there any way to do it?
>>
>> Thanks in advance,
>> --
>> Jędrzej Dudkiewicz
>>
>> I really hate this damn machine, I wish that they would sell it.
>> It never does just what I want, but only what I tell it.
>
>
>
> --
> Mantas Mikulėnas



-- 
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.
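
The source/destination port distinction discussed in this thread, as an added example that is not part of the original message or of systemd's code: a minimal SNTP exchange over loopback in which the client never calls bind(), so the kernel assigns its source port. The stand-in server, its OS-chosen unprivileged port and all function names are assumptions made for the illustration; real NTP servers listen on 123.

```python
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request():
    # First byte: LI=0, VN=4, Mode=3 (client); the other 47 bytes may be zero.
    return bytes([0x23]) + bytes(47)

def parse_reply(pkt):
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", pkt[40:48])  # transmit timestamp
    return pkt[0] & 0x07, secs - NTP_EPOCH_OFFSET + frac / 2**32

def serve_once(sock, seen):
    # Constructed stand-in for an NTP server: answers a single request.
    _, addr = sock.recvfrom(512)
    seen.append(addr)  # (client IP, client source port) as the server sees it
    now = time.time() + NTP_EPOCH_OFFSET
    reply = bytearray(48)
    reply[0], reply[1] = 0x24, 1  # LI=0, VN=4, Mode=4 (server); stratum 1
    struct.pack_into("!II", reply, 40, int(now), int((now % 1) * 2**32))
    sock.sendto(bytes(reply), addr)

def query(server_addr, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(server_addr)  # no bind(): the kernel picks the source port
        src_port = s.getsockname()[1]
        s.send(build_request())
        mode, unix_time = parse_reply(s.recv(512))
    return src_port, mode, unix_time

def demo():
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(2.0)
    srv.bind(("127.0.0.1", 0))  # assumption: unprivileged port; real servers use 123
    seen = []
    t = threading.Thread(target=serve_once, args=(srv, seen))
    t.start()
    src_port, mode, unix_time = query(srv.getsockname())
    t.join()
    srv.close()
    return {"src_port": src_port, "seen_port": seen[0][1], "mode": mode, "time": unix_time}

if __name__ == "__main__":
    print(demo())
```

On a real network the only fixed port in this exchange is the server's 123, so an egress filter has to permit UDP to destination port 123 and the matching replies.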

