Re: [chrony-users] how to create a hashed chrony command password, it does not seem to work..
On Sat, Feb 08, 2014 at 02:05:32PM +0100, Ferry de Jong wrote:
> Hello chrony users,
>
> How do I generate a hashed password for the /etc/chrony.keys file? The
> instructions in the man pages and documentation I found seem incomplete and
> my 'normal' hashing method leads to "Reply not authenticated" errors.
>
> Assuming a password of foobar, I assume to generate a hash like this:
> echo -n foobar | md5sum
> 3858f62230ac3c915f300c664312c63f -
>
> But if I add to /etc/chrony.keys
>
> 99 MD5 HEX:3858f62230ac3c915f300c664312c63f

The string in the keyfile is the password; it's not a hash of a
password. The hash function specified in the file is used to generate
and verify message authentication codes (MAC) in the NTP and control
packets.

I agree this should be explained better in the documentation.

> Now I restart the chronyd so the changed content of both files is read, but
> the password is not accepted.
>
> chronyc> password
> Password: [typing foobar]

It should be HEX:3858f62230ac3c915f300c664312c63f here, not foobar.
It's better to use the -a option to let chronyc get the password from
the keyfile and authenticate automatically.

> 501 Not authorised --- Reply not authenticated
>
> What is puzzling me is that on http://chrony.tuxfamily.org/manual.html in
> the "4.2.10 commandkey" section it states that the hash for foobar is a
> different one, being B028F91EA5C38D06C2E140B26C7F41EC.

I'll fix that. Thanks.

--
Miroslav Lichvar
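
The mismatch discussed in this thread, as an added example (not part of the original messages and not chrony's own code): the key field of the keyfile line is decoded to raw key bytes, and both sides must feed the same bytes into the keyed digest. It assumes the MAC is H(key || packet), as in NTP symmetric-key authentication; the function names and the packet bytes are constructed for illustration.

```python
import hashlib
import hmac

def decode_key(text):
    """Turn the key field (or what is typed at 'Password:') into raw key bytes."""
    if text.startswith("HEX:"):
        return bytes.fromhex(text[4:])      # 32 hex digits -> 16 raw bytes
    if text.startswith("ASCII:"):
        text = text[6:]
    return text.encode("ascii")             # plain string: its characters are the key

def parse_key_line(line):
    """Parse a keyfile line 'ID [HASH] KEY' into (id, hash_name, key_bytes)."""
    fields = line.split()
    if len(fields) == 2:                    # hash name omitted: MD5 is the default
        key_id, hash_name, key = fields[0], "MD5", fields[1]
    elif len(fields) == 3:
        key_id, hash_name, key = fields
    else:
        raise ValueError("expected: ID [HASH] KEY")
    return int(key_id), hash_name.upper(), decode_key(key)

def mac(hash_name, key, packet):
    """Keyed digest H(key || packet) (assumed construction, see lead-in)."""
    h = hashlib.new(hash_name.lower())
    h.update(key + packet)
    return h.digest()

def reply_authenticated(keyfile_line, typed_password, packet):
    """True if the key the client typed yields the MAC the daemon computes."""
    _, hash_name, daemon_key = parse_key_line(keyfile_line)
    client_key = decode_key(typed_password)
    return hmac.compare_digest(mac(hash_name, daemon_key, packet),
                               mac(hash_name, client_key, packet))

KEYFILE_LINE = "99 MD5 HEX:3858f62230ac3c915f300c664312c63f"  # line from the post
PACKET = b"constructed-command-packet"  # constructed stand-in, not a real chrony packet

if __name__ == "__main__":
    # Typing "foobar" uses 6 ASCII bytes as the key; the daemon uses 16 decoded bytes.
    for typed in ("foobar", "HEX:3858f62230ac3c915f300c664312c63f"):
        print(typed, "->", reply_authenticated(KEYFILE_LINE, typed, PACKET))
```
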