Re: [chrony-dev] Chrony and NSS support



On Tue, Mar 22, 2016 at 04:33:50PM -0600, Mark Post wrote:
> I'm currently in the process of trying to build and package chrony for SUSE.  I've run into a problem with segfaults happening if NSS support is built in, so I'm currently using "--without-nss" in the call to the configure script.  I'm assuming that we'll figure out what the problem is eventually and get it fixed, but in the meantime, just what functionality will be missing when compiling using --without-nss?  Are there any pointers to documentation or prior discussion that would help me explain the result to my team?

The NSS (and libtomcrypt) support enables the "SECHASH" feature, which
is support for other crypto hashes than MD5. When disabled, chrony
will be compiled with the bundled MD5 implementation and the only
allowed key type in the key file (used for authentication with
symmetric keys) will be MD5. I think it's not a critical feature. Very
few users have authentication enabled and there is also a question
whether the known problems in MD5 have any security implications on
the NTP authentication.

This and the other --enable/--disable options should probably be
explained in the installation document.

-- 
Miroslav Lichvar
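
An added example, not part of the original message and not chrony's own code: a check a packager could run over a key file to see which entries a build without SECHASH could not use. It assumes each entry is laid out as `ID [TYPE] KEY` with MD5 implied when the type is omitted, and that lines starting with `!`, `;`, `#` or `%` are comments; the function names and sample keys are hypothetical.

```python
BUILTIN_HASHES = {"MD5"}   # all an MD5-only build accepts, per the reply above
COMMENT_CHARS = "!;#%"     # assumed comment markers at the start of a line

def parse_key_line(line):
    """Return (key_id, hash_name) for an entry, None for blank/comment lines.
    Raises ValueError on a malformed entry."""
    stripped = line.strip()
    if not stripped or stripped[0] in COMMENT_CHARS:
        return None
    fields = stripped.split()
    if len(fields) == 2:
        key_id, hash_name = fields[0], "MD5"   # type omitted: MD5 is implied
    elif len(fields) == 3:
        key_id, hash_name = fields[0], fields[1]
    else:
        raise ValueError("expected 'ID [TYPE] KEY'")
    if not key_id.isdigit():
        raise ValueError("key ID is not a number")
    # Upper-casing the type name is this example's normalisation choice.
    return int(key_id), hash_name.upper()

def audit_key_file(text):
    """Sort entries into those an MD5-only build can use and those it cannot."""
    report = {"usable": [], "needs_sechash": [], "malformed": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_key_line(line)
        except ValueError as exc:
            report["malformed"].append((lineno, str(exc)))
            continue
        if entry is None:
            continue
        key_id, hash_name = entry
        bucket = "usable" if hash_name in BUILTIN_HASHES else "needs_sechash"
        report[bucket].append((lineno, key_id, hash_name))
    return report

# Constructed sample input; the key material is made up.
SAMPLE_KEYS = """\
# constructed sample, not real keys
10 examplepassword
11 MD5 HEX:00112233445566778899AABBCCDDEEFF
12 SHA1 HEX:00112233445566778899AABBCCDDEEFF00112233
13 SHA256 examplepassword2
14
"""

if __name__ == "__main__":
    for bucket, rows in audit_key_file(SAMPLE_KEYS).items():
        print(bucket, rows)
```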
