Re: [chrony-dev] Multiple NTS keys on server



On Tue, Feb 2, 2021 at 5:04 PM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
>
> I'd like to add support for multiple keys to the NTS server to enable
> virtual hosting as is common with web servers. A use case which I
> thought it could enable would be servers that run only for a limited
> time to support different products or versions of the product (like an
> OS), where each has its own certificate included in the installation
> and is fully trusted to avoid the issues with wrong or missing RTC and
> failing time checks in certificate verification. This would allow the
> server keys to be rotated as the products/versions reach their
> end-of-line and it would also limit the number of devices that need to
> be updated/fixed when a key is compromised.
>
> I'm not sure how it should be configured. I see the following options:
>
> 1) allow multiple files to be specified in ntsservercert and
> ntsserverkey directives
> - long lines are not great for inspection and editing
> - maximum number of keys/certs is limited by the maximum line length
> 2) allow multiple ntsserverkey/ntsservercert directives
> - sensitive to order (few directives in chrony have this property)
> 3) allow glob patterns in ntsserverkey/ntsservercert directive
> - certs and keys need to have the same naming scheme to pair correctly
>
> I think 1) is just not acceptable. From 2) and 3) I'm not sure what is
> better.
>
> For example:
>
> ntsservercert /etc/pki/tls/certs/nts-1.example.net
> ntsserverkey /etc/pki/tls/private/nts-1.example.net
> ntsservercert /etc/pki/tls/certs/nts-2.example.net
> ntsserverkey /etc/pki/tls/private/nts-2.example.net
> ntsservercert /etc/pki/tls/certs/nts-3.example.net
> ntsserverkey /etc/pki/tls/private/nts-3.example.net
>
> vs
>
> ntsservercert /etc/pki/tls/certs/nts-*.example.net
> ntsserverkey /etc/pki/tls/private/nts-*.example.net
>
> Any suggestions?

You already have subfile inclusion with globbing like "include /etc/chrony/chrony.d/*.conf".
Which means users could keep each individual cert-config small and
simple - also less in-file editing if you programmatically place & remove
them.
But for that to help in this case it would have to be option (2) of your list.

Also TBH, (2) and (3) are not mutually exclusive - so you could do a
combination of the two.
But if I'd have to select just one I'd personally pick (2) for helping
me with the split-config-files approach.

Just an opinion while doing the morning-mail-check - kind regards,
Christian

> --
> Miroslav Lichvar


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
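The split-config approach suggested above (one small snippet per cert/key pair under a directory pulled in by "include /etc/chrony/chrony.d/*.conf", which in turn relies on option (2), repeated ntsservercert/ntsserverkey directives) is easy to automate. The following is an added example, not code from chrony or from either poster; it assumes that chrony accepts the two directives more than once, that certs and keys live under the paths used in the original mail, and that each cert and its key share a file name. The pairing-by-name step is exactly the concern raised for option (3): a cert with no matching key, or a stray key with no cert, is reported instead of silently producing a half-configured snippet.

```python
"""Generate one chrony.d snippet per NTS server cert/key pair.

Added example (not chrony's own tooling). Assumed layout:
  certs under CERT_DIR, private keys under KEY_DIR, same file name for a pair,
  snippets written to SNIPPET_DIR and pulled in by
  "include /etc/chrony/chrony.d/*.conf" in chrony.conf.
"""
from pathlib import Path
import tempfile

CERT_DIR = Path("/etc/pki/tls/certs")        # assumed location of certificates
KEY_DIR = Path("/etc/pki/tls/private")       # assumed location of private keys
SNIPPET_DIR = Path("/etc/chrony/chrony.d")   # assumed include directory


def pair_by_name(cert_names, key_names):
    """Pair certs and keys that share a file name.

    Returns (paired, certs_without_key, keys_without_cert), each sorted.
    """
    certs, keys = set(cert_names), set(key_names)
    return (sorted(certs & keys), sorted(certs - keys), sorted(keys - certs))


def render_snippet(name, cert_dir=CERT_DIR, key_dir=KEY_DIR):
    """One self-contained snippet: the cert directive and its key directive."""
    return f"ntsservercert {cert_dir / name}\nntsserverkey {key_dir / name}\n"


def build_snippets(cert_names, key_names, cert_dir=CERT_DIR, key_dir=KEY_DIR):
    """Map snippet file name -> contents, refusing to proceed on unpaired files.

    Raising here is deliberate: a cert without its key (or vice versa) would
    otherwise yield a snippet chrony cannot use, so the mismatch is surfaced
    before anything is written.
    """
    paired, orphan_certs, orphan_keys = pair_by_name(cert_names, key_names)
    if orphan_certs or orphan_keys:
        raise ValueError(
            f"unpaired files: certs without key {orphan_certs}, "
            f"keys without cert {orphan_keys}"
        )
    return {f"{name}.conf": render_snippet(name, cert_dir, key_dir) for name in paired}


def write_snippets(snippets, snippet_dir=SNIPPET_DIR):
    """Write each snippet as its own file; returns the written paths.

    Per-file snippets are what make programmatic add/remove cheap: rotating
    one key out is deleting one file, not editing a shared chrony.conf.
    """
    snippet_dir = Path(snippet_dir)
    snippet_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for fname, body in sorted(snippets.items()):
        path = snippet_dir / fname
        path.write_text(body)
        written.append(path)
    return written


def main():
    # Constructed sample listing: three pairs, one cert with a missing key.
    certs = ["nts-1.example.net", "nts-2.example.net", "nts-3.example.net",
             "nts-4.example.net"]
    keys = ["nts-1.example.net", "nts-2.example.net", "nts-3.example.net"]
    try:
        build_snippets(certs, keys)
    except ValueError as err:
        print("refusing to write snippets:", err)

    # Drop the unpaired cert and write the rest to a temporary directory
    # (standing in for /etc/chrony/chrony.d so the demo runs unprivileged).
    snippets = build_snippets(certs[:3], keys)
    with tempfile.TemporaryDirectory() as tmp:
        for path in write_snippets(snippets, tmp):
            print(f"--- {path.name}\n{path.read_text()}", end="")


if __name__ == "__main__":
    main()
```

Each generated file is two lines, so an operator can inspect or drop a single pair without touching the others; the include line in chrony.conf does the rest.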

-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

