At least for ntpd, another approach would be to set a non-default variable with a verification string that can be retrieved by ntpq (mode 6 NTP).
C:\ntp>nq -c ":config setvar pool.ntp.org = VerifyCodeHere"
C:\ntp>ntpq -c "rv 0 pool.ntp.org"
nq is a script which invokes ntpq with authentication options providing a
keyid (e.g. 123) and
passwd. The key ID is configured in ntp.conf with both
trustedkey 123 and
controlkey 123 and is listed in ntp.keys with an algorithm and password, e.g.
123 SHA1 MyRuntimeConfigPass
However, that’s just to illustrate the configuration change can be done without restarting ntpd. One could simply add to ntp.conf:
setvar pool.ntp.org = VerifyCodeHere
and then restart ntpd.
Note there is a widespread misconception that mode 6 is somehow dangerous to allow remotely, hence lots of example configurations have something like:
restrict default noquery limited kod
which would prevent the verification
ntpq query from being fetched remotely. This is likely due to confusion about the 2014 NTP amplification attacks using
ntpdc -c monlist which is mode 7 and support for which was removed from ntpd in 2010 in ntp-dev an a couple of years later when ntp-stable finally was released with that change. It’s sad that so few NTP servers today allow ntpq queries due to this confusion.
At any rate, that issue can be worked around by publicizing the IP address(es) from which the verification query will come and asking those using this method to allow ntpq queries with loosened ntp.conf
restrict 126.96.36.199 limited kod
restrict 2a04:4e42:77::311 limited kod
That is, whatever the default restrictions are minus
noquery. Even better would be to remove
noquery from the defaults, but I fear that bit of common wisdom is too far entrenched.
To be fair, there have been a number of security patches to ntpd over the years where the announcement advised using
noquery as a mitigation and/or as a best practice. As a mitigation until ntpd is updated, I have no qualms, but I do wish it had not be recommended as a best practice because from my perspective that was deflection from the responsibility for ntpd to be secure even if the public is allowed to query using ntpq.