[chrony-dev] Experimental NTS support

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]


I've been working on an implementation of the new NTP public-key
authentication called Network Time Security (NTS). Its specification
will hopefully be finalized in near future.

If anyone wants to play with it, the code is available here:
https://github.com/mlichvar/chrony-nts

Currently, it can interoperate with itself and few other NTS
implementations which were recently tested at the IETF 104 hackathlon.
The code is still highly experimental. It needs more work, some
redesign, and testing before it can be merged to the official chrony
repo.

Nettle and gnutls development files are needed to build chrony with
NTS support. Building with --enable-debug and running with -d -d
options should help when things don't work.

Configuration of an NTS server:

ntsserverkey /etc/chrony/server.key
ntsservercert /etc/chrony/server.crt

Configuration of an NTS client:

server foo.example.net iburst nts

If the server's certificate is not signed by one of the system's
trusted authorities (e.g. Let's encrypt), the CA certificate can be
specified with the ntscacert directive.

The default NTS-KE port is 11443. It can be changed with the ntsport
directive on server and the ntsport option on client.

Suggestions are welcome. Please report if you see anything
interesting. Successful authentication is interesting too at this
point :).

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/