ntp: time alteration

If ntpd is always started with the -g option, which is common and
against long-standing recommendation, and if at the moment ntpd is
restarted an attacker can immediately respond to enough requests from
enough sources trusted by the target, which is difficult and not common,
there is a window of opportunity where the attacker can cause ntpd to
set the time to an arbitrary value.
Similarly, if an attacker is able to respond to enough requests from
enough sources trusted by the target, the attacker can cause ntpd to
abort and restart, at which point it can tell the target to set the time
to an arbitrary value if and only if ntpd was re-started against
long-standing recommendation with the -g flag, or if ntpd was not given
the -g flag, the attacker can move the target system’s time by at most
900 seconds’ time per attack.