Re: [chrony-dev] Diagnosing pre-shared key authentication failure



P.S. About logging, some (rate-limited) warnings against such failures would actually be very interesting to security teams. Right now there's very little visibility in this aspect, which might be worth changing really. 

On Thu, Oct 13, 2022 at 12:13 PM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Thu, Oct 13, 2022 at 12:04:26PM +0300, Avamander wrote:
> My question is, would it be possible to either log or display these types
> of failures in a more prominent manner? Reject as a falseticker for
> example? Or even a custom status, I imagine people having issues with NTS
> might also find that a useful indicator?

chronyd doesn't know if it's a misconfiguration or an attacker trying
something. If these failures were logged to the system log, attackers
could fill your disk or, if the logger was rate limiting, possibly
cause an important message to be dropped.

The recommended way to debug these is to enable the rawmeasurements
log in chrony.conf and see the NTP tests. An authentication failure
would show up as "111 011" (NTP test 5 failing).

--
Miroslav Lichvar
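
The rawmeasurements approach above can be turned into exactly the rate-limited visibility the P.S. asks for, without chronyd itself writing to syslog. The following script is an added example for this thread, not code from the chrony project: it reads a measurements.log in the layout documented for the `log measurements` / `rawmeasurements` directive, flags lines whose NTP test 5 digit is 0 (the "111 011" pattern Miroslav describes), and emits at most one warning per source per window while counting what was suppressed so a flood cannot hide earlier events. The sample log lines, the IP addresses, and the 60-second window are constructed for the example.

```python
"""Scan a chrony measurements.log for NTP test 5 (authentication) failures
and emit rate-limited per-source warnings.

Assumptions (not from the thread): the column layout is the one documented
for chrony's measurements.log ("123 567 ABCD" test columns); the log lines
below are constructed sample data, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the documented measurements.log layout. The source
# 192.0.2.20 fails test 5 ("011" in the 567 column) four times in ~70 s.
SAMPLE_LOG = """\
   Date (UTC) Time     IP Address   L St 123 567 ABCD  LP RP Score    Offset  Peer del. Peer disp.  Root del. Root disp. Refid     MTxRx
===============================================================================================================================
2022-10-13 09:00:01 192.0.2.10      N  2 111 111 1111  10 10 1.0 -4.966e-03  2.296e-01  1.577e-05  1.615e-01  7.446e-03 C0A80101 4B K K
2022-10-13 09:00:02 192.0.2.20      N  2 111 011 1111  10 10 1.0  1.200e-03  2.100e-01  1.500e-05  1.600e-01  7.400e-03 C0A80102 4B K K
2022-10-13 09:00:18 192.0.2.20      N  2 111 011 1111  10 10 1.0  1.100e-03  2.100e-01  1.500e-05  1.600e-01  7.400e-03 C0A80102 4B K K
2022-10-13 09:00:34 192.0.2.20      N  2 111 011 1111  10 10 1.0  1.300e-03  2.100e-01  1.500e-05  1.600e-01  7.400e-03 C0A80102 4B K K
2022-10-13 09:01:10 192.0.2.20      N  2 111 011 1111  10 10 1.0  1.000e-03  2.100e-01  1.500e-05  1.600e-01  7.400e-03 C0A80102 4B K K
2022-10-13 09:01:12 192.0.2.10      N  2 111 111 1111  10 10 1.0 -4.800e-03  2.296e-01  1.577e-05  1.615e-01  7.446e-03 C0A80101 4B K K
"""


def parse_measurement(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, source, tests_123, tests_567) for a data line.

    Header and separator lines (anything not starting with a date) yield None.
    """
    fields = line.split()
    if len(fields) < 8 or not fields[0][:4].isdigit():
        return None
    ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc), fields[2], fields[5], fields[6]


def auth_failed(tests_567: str) -> bool:
    """NTP test 5 is the first digit of the '567' column; '0' means the packet
    failed authentication, which is the "111 011" case from the reply."""
    return len(tests_567) == 3 and tests_567[0] == "0"


class RateLimitedReporter:
    """Emit at most one warning per source per `window_seconds`.

    Failures arriving inside the window are counted, not dropped, and the
    count is attached to the next warning for that source.
    """

    def __init__(self, window_seconds: int = 60) -> None:
        self.window = window_seconds
        self.last_emit: Dict[str, datetime] = {}
        self.suppressed: Dict[str, int] = defaultdict(int)

    def record(self, ts: datetime, source: str) -> Optional[str]:
        last = self.last_emit.get(source)
        if last is not None and (ts - last).total_seconds() < self.window:
            self.suppressed[source] += 1
            return None
        msg = f"{ts.isoformat()} WARNING NTP authentication failed for {source}"
        if self.suppressed[source]:
            msg += f" ({self.suppressed[source]} further failures suppressed)"
            self.suppressed[source] = 0
        self.last_emit[source] = ts
        return msg


@dataclass
class ScanResult:
    warnings: List[str] = field(default_factory=list)
    totals: Dict[str, int] = field(default_factory=dict)  # failures per source


def scan(lines: Iterable[str], window_seconds: int = 60) -> ScanResult:
    """Walk the log once; rate-limit warnings but keep exact per-source totals."""
    reporter = RateLimitedReporter(window_seconds)
    result = ScanResult()
    for line in lines:
        parsed = parse_measurement(line)
        if parsed is None:
            continue
        ts, source, _tests_123, tests_567 = parsed
        if not auth_failed(tests_567):
            continue
        result.totals[source] = result.totals.get(source, 0) + 1
        msg = reporter.record(ts, source)
        if msg is not None:
            result.warnings.append(msg)
    return result


if __name__ == "__main__":
    res = scan(SAMPLE_LOG.splitlines())
    for w in res.warnings:
        print(w)
    print("totals:", res.totals)
```

Run it against the real file (`scan(open("/var/log/chrony/measurements.log"))`) from a cron job or log shipper; because the rate limit is keyed on the log's own timestamps, the same file always yields the same warnings, and the exact per-source totals survive for the security team even when the warning stream is throttled.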




