
Posts about ntp

network time security

Secure NTP with NTS

chrony has supported NTS (Network Time Security, RFC 8915) since version 4.0. I set up an NTS server and an NTS client.

server configuration

Example for chrony 4.2 on Ubuntu 22.04 LTS:

server time.facebook.com iburst maxpoll 11
server time.google.com   iburst maxpoll 11
server time.apple.com    iburst maxpoll 11

ntsserverkey /etc/chrony/key.pem
ntsservercert /etc/chrony/crt.pem

key.pem and crt.pem are a PEM private key and certificate pair (the certificate file may also contain the intermediate CA certificates, server certificate first). The certificate must carry the FQDN of your NTS server in its subjectAltName, because clients compare it with the name they use in their server line.

When I put the key and certificate files in a subdirectory of /etc/ssl, chronyd failed with the error below.

Could not set credentials : Error while reading file.

In /var/log/syslog I found an AppArmor audit message showing that chronyd had been denied permission to open the key file. After moving both files into /etc/chrony it started fine: the profile shipped with the package (/etc/apparmor.d/usr.sbin.chronyd) lets chronyd read files under /etc/chrony. If you have to keep the key elsewhere, add the path to the profile's local override file under /etc/apparmor.d/local/ instead of disabling the profile. Wherever it lives, keep the private key mode 0600 (or 0640) so other local users cannot read it.

Before testing from a client, open not only 123/udp for NTP but also 4460/tcp for NTS-KE in the server's firewall. The client has to use the same name that is in the certificate.

On the client, run a one-shot query (-Q prints the offset without stepping the clock; -t 8 gives up after 8 seconds):

$ chronyd -Q -t 8 'server mynts.example.com iburst nts'

On the server, chronyc serverstats should show the NTS-KE connection and authenticated NTP packet counters increasing:

$ sudo chronyc serverstats
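As an added example (written for this post, not chrony's own tooling), a small preflight script that runs the checks above before you restart chronyd: is the key where the packaged AppArmor profile lets chronyd read it, is it readable only by its owner, does the certificate carry the server FQDN and belong to the key, has AppArmor already logged a denial for chronyd, and is anything listening on 4460/tcp. The FQDN mynts.example.com is the post's; the file names, the Ubuntu/Debian paths and the syslog sample (constructed to resemble the denial described above) are assumptions.

```shell
#!/bin/sh
# nts_preflight.sh -- hypothetical helper written for this post; not chrony code.
# Assumptions: Ubuntu/Debian layout (/etc/chrony, /var/log/syslog), GNU userland,
# openssl CLI for the certificate checks (skipped when it is not installed).

# Print file paths AppArmor denied chronyd from opening, read from a syslog
# text file.  Returns 0 when there are none, 1 when at least one was found.
apparmor_denials() {
    found=$(grep 'apparmor="DENIED"' "$1" 2>/dev/null \
            | grep 'profile="[^"]*chronyd"' \
            | sed -n 's/.* name="\([^"]*\)".*/\1/p' \
            | sort -u)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# 0 if PATH is under /etc/chrony/, the directory the packaged AppArmor profile
# lets chronyd read (what worked for the author); 1 otherwise.
key_location_ok() {
    case "$1" in /etc/chrony/*) return 0 ;; *) return 1 ;; esac
}

# 0 if the key is readable only by its owner (and optionally its group);
# 1 if any "other" bit or group write/execute bit is set, or the file is missing.
key_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in -r??------|-r??r-----) return 0 ;; *) return 1 ;; esac
}

# 0 if the certificate's subjectAltName lists DNS:FQDN (what NTS clients match
# against the name in their server line); 1 if not; 2 if openssl is missing.
cert_has_fqdn() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -qE "DNS:$2(,|[[:space:]]|\$)"
}

# 0 if the private key belongs to the certificate (same public key); 1 if not;
# 2 if openssl is missing.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Run every check and print one WARN/SKIP line per finding.
# Usage: nts_preflight KEY CERT FQDN [SYSLOG]
nts_preflight() {
    key=$1; cert=$2; fqdn=$3; log=${4:-/var/log/syslog}
    key_location_ok "$key" || echo "WARN: $key is outside /etc/chrony; AppArmor may deny chronyd"
    key_mode_ok "$key"     || echo "WARN: $key is missing or readable by other users"
    rc=0; cert_has_fqdn "$cert" "$fqdn" || rc=$?
    [ $rc -eq 1 ] && echo "WARN: $cert has no DNS:$fqdn in subjectAltName"
    [ $rc -eq 2 ] && echo "SKIP: openssl not found, certificate not checked"
    rc=0; key_matches_cert "$key" "$cert" || rc=$?
    [ $rc -eq 1 ] && echo "WARN: $key does not match $cert"
    [ -r "$log" ] && apparmor_denials "$log" | sed 's|^|WARN: AppArmor denied chronyd access to |'
    ss -ltn 2>/dev/null | grep -q ':4460[[:space:]]' || echo "WARN: nothing listening on 4460/tcp (NTS-KE)"
}

# Constructed sample of syslog lines (not a real capture) for the demo and tests.
sample_syslog() {
    cat <<'EOF'
Apr 15 10:00:00 ntp1 kernel: [ 1234.567] audit: type=1400 audit(1650000000.100:41): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/ssl/private/nts-key.pem" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 15 10:00:00 ntp1 chronyd[1234]: Could not set credentials : Error while reading file.
Apr 15 10:00:02 ntp1 kernel: [ 1236.001] audit: type=1400 audit(1650000002.300:42): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/foo.conf" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 15 10:00:05 ntp1 chronyd[1234]: Selected source 192.0.2.10
EOF
}

# Demo on constructed input: a world-readable key outside /etc/chrony, no
# certificate, and the sample log above.
preflight_demo() {
    d=$(mktemp -d)
    sample_syslog > "$d/syslog"
    touch "$d/key.pem"; chmod 644 "$d/key.pem"
    nts_preflight "$d/key.pem" "$d/crt.pem" mynts.example.com "$d/syslog"
    rm -rf "$d"
}

if [ $# -eq 0 ]; then preflight_demo; else nts_preflight "$@"; fi
```

On a real server run it as `sh nts_preflight.sh /etc/chrony/key.pem /etc/chrony/crt.pem mynts.example.com`; the AppArmor check only looks at lines already in the log, so it confirms a denial after the fact rather than predicting one.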

client configuration

Example for chrony 4.0 on Debian 11:

server mynts.example.com iburst nts
server ptbtime1.ptb.de   iburst nts
server nts.time.nl       iburst nts
server nts.ntp.se        iburst nts

ntstrustedcerts /etc/chrony/cacert.crt

When the NTS server's certificate was issued by your own self-signed CA, the client cannot validate it against the system CA store, so you have to point chrony at your CA certificate with ntstrustedcerts in chrony.conf. The public NTS servers in the list above use certificates from public CAs and need nothing extra.
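An added example (written for this post, not chrony code) showing how the server-side key/certificate pair and the client-side ntstrustedcerts file fit together when you run your own CA: it creates a private CA, issues a server certificate whose subjectAltName is the NTS server's FQDN, and verifies the result the way an NTS client will. The FQDN mynts.example.com is taken from the post; the output directory ./nts-pki, the CA name and the use of P-256 keys are assumptions. It needs the openssl command-line tool (1.1.1 or newer).

```shell
#!/bin/sh
# make_nts_pki.sh -- hypothetical example written for this post, not chrony code.
# Produces:
#   server:  ntsserverkey   -> key.pem      ntsservercert -> crt.pem
#   client:  ntstrustedcerts -> ca.crt      (the post installs it as /etc/chrony/cacert.crt)

# make_nts_pki FQDN OUTDIR
make_nts_pki() {
    fqdn=$1; out=$2
    mkdir -p "$out" || return 1

    # 1. Private CA.  ca.key signs server certificates and should stay offline;
    #    ca.crt is the only file clients need.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$out/ca.key" -out "$out/ca.crt" -days 3650 \
        -subj "/CN=Example NTS CA" || return 1

    # 2. Server key (unencrypted: chronyd loads it unattended) and a CSR.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$out/key.pem" -out "$out/server.csr" -subj "/CN=$fqdn" || return 1

    # 3. Sign the CSR.  The subjectAltName is what clients match against the
    #    name in their "server ... nts" line; relying on CN alone is deprecated.
    cat > "$out/server.ext" <<EOF
subjectAltName=DNS:$fqdn
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
EOF
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$out/server.ext" \
        -out "$out/server.crt" || return 1

    # 4. crt.pem is the server certificate followed by any intermediate CA
    #    certificates.  With a CA that signs directly there are none to append.
    cp "$out/server.crt" "$out/crt.pem" || return 1
    chmod 600 "$out/ca.key" "$out/key.pem"
}

# verify_nts_pki OUTDIR FQDN: 0 if crt.pem chains to ca.crt AND is valid for
# FQDN, i.e. the same two checks an NTS client performs; non-zero otherwise.
verify_nts_pki() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/crt.pem" >/dev/null 2>&1
}

if [ $# -ge 1 ]; then
    out=${2:-./nts-pki}
    make_nts_pki "$1" "$out" && verify_nts_pki "$out" "$1" \
        && echo "ok: $out/crt.pem is valid for $1"
fi
```

Run as `sh make_nts_pki.sh mynts.example.com ./nts-pki`, then copy key.pem and crt.pem to /etc/chrony on the server and ca.crt to the client as /etc/chrony/cacert.crt. If you later put an intermediate CA between the root and the server certificate, append the intermediate to crt.pem; the client keeps trusting only ca.crt.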

chrony

chrony is an implementation of the Network Time Protocol (NTP).

install

apt install chrony

Sample config. Specify a single NTP server with a server line, or an NTP server pool with a pool line:

$ grep -E -v "^#|^$" /etc/chrony/chrony.conf
server 192.168.xxx.xxx iburst minpoll 6 maxpoll 10
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
makestep 1 3

check status, logs and reload configuration

systemctl status chronyd
journalctl -u chrony -f
systemctl force-reload chrony

show system clock tracking status

chronyc tracking

show current time sources

chronyc sources

show information about the drift rate and offset estimation process

chronyc sourcestats

show the last valid measurement and other information

chronyc ntpdata

server

For a server, add at least an allow line; without one chronyd does not answer NTP clients. The cmdallow and bindcmdaddress lines are optional and only needed for monitoring with chronyc from another host: bindcmdaddress makes chronyd listen for commands (323/udp) on that address, and cmdallow says which hosts may send them. Keep the command port on 127.0.0.1 unless you really need remote monitoring. Only monitoring commands are accepted over the network anyway; commands that change chronyd's state are accepted only over the local Unix domain socket.

$ grep -E -v "^#|^$" /etc/chrony/chrony.conf
server 192.168.xxx.xxx iburst minpoll 6 maxpoll 10
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
makestep 1 3
allow 192.168.xxx.0/24
cmdallow 192.168.xxx.0/24
bindcmdaddress 127.0.0.1
bindcmdaddress 192.168.xxx.xxx
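An added example (written for this post, not chrony code): a small auditor for the access-control lines above. It flags an allow or cmdallow that admits every host and a bindcmdaddress on a network address, which is what makes the monitoring port reachable from the LAN. The two sample configurations it carries are constructed; point it at /etc/chrony/chrony.conf for a real check.

```shell
#!/bin/sh
# chrony_conf_audit.sh -- hypothetical helper written for this post, not chrony code.
# Findings:
#   allow / cmdallow with no argument or a bare "all" -> NTP / monitoring open to everyone
#   bindcmdaddress on a non-loopback address           -> command port (323/udp) on the network
# Prints one finding per line; returns 1 if anything was found, 0 if the file is clean.

# Strip comment lines (chrony accepts #, !, ; and %) and blank lines, like the
# grep the post uses to print the effective configuration.
conf_directives() {
    grep -E -v '^[[:space:]]*(#|!|;|%|$)' "$1"
}

# chrony_conf_audit FILE
chrony_conf_audit() {
    conf_directives "$1" | awk '
        BEGIN { bad = 0 }
        $1 == "allow" && ($2 == "" || ($2 == "all" && $3 == "") || $2 == "0.0.0.0/0" || $2 == "::/0") {
            print "NTP open to every client:          " $0; bad = 1 }
        $1 == "cmdallow" && ($2 == "" || ($2 == "all" && $3 == "")) {
            print "monitoring open to every host:     " $0; bad = 1 }
        $1 == "bindcmdaddress" && $2 !~ /^(127\.|::1$|\/)/ {
            print "command port on a network address: " $0; bad = 1 }
        END { exit bad }'
}

# Constructed demo (not from the post): the open variant beside the restricted one.
audit_demo() {
    d=$(mktemp -d)
    cat > "$d/open.conf" <<'EOF'
# everything below answers the whole internet
server 192.0.2.1 iburst
allow
cmdallow
bindcmdaddress 0.0.0.0
EOF
    cat > "$d/restricted.conf" <<'EOF'
server 192.0.2.1 iburst
allow 192.0.2.0/24
cmdallow 192.0.2.0/24
bindcmdaddress 127.0.0.1
bindcmdaddress /var/run/chrony/chronyd.sock
EOF
    for f in open restricted; do
        if chrony_conf_audit "$d/$f.conf"; then echo "$f.conf: clean"; else echo "$f.conf: see findings above"; fi
    done
    rm -rf "$d"
}

if [ $# -ge 1 ]; then chrony_conf_audit "$1"; else audit_demo; fi
```

Run over the server configuration above it reports the second bindcmdaddress line. That is expected when you want remote chronyc; cmdallow then limits which hosts may use it, and only monitoring commands are accepted remotely.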

show list of clients

chronyc clients

connect chronyc to a remote chronyd (over 323/udp; that host must list yours in cmdallow and listen on the address with bindcmdaddress); the default is localhost

chronyc -h 192.168.xxx.xxx