[chrony-users] Problem with authentication algorithm



Hi there,

I'm trying to configure chrony on Debian. I need a client, a server and a packet authentication system (SHA2). If I understand correctly, I can't use OpenSSL (because the licence is not compatible with Chrony's GPL licence), so I need to use NSS. Am I right?

For information, my server's IP is 192.168.81.130, and my client's IP is 192.168.81.131.

This is what I did:


1/ Installation script (Server and Client):
------------------------------------------------------------------------------
apt-get -y install build-essential libnss3 libnss3-dev
cd /tmp
wget http://download.tuxfamily.org/chrony/chrony-2.1.1.tar.gz
tar zxvf chrony-2.1.1.tar.gz
cd chrony-2.1.1
./configure  --prefix=/etc/chrony
make
make install
------------------------------------------------------------------------------



2/ Server configuration (/etc/chrony.conf)
------------------------------------------------------------------------------
bindaddress 192.168.81.130
bindcmdaddress 127.0.0.1

# IPv4/IPv6:
server clock.nyc.he.net iburst
server clock.sjc.he.net iburst

# IPv4 only:
server time.keneli.org iburst
server bonehed.lcs.mit.edu iburst
server gnomon.cc.columbia.edu iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Enable kernel RTC synchronization.
rtcsync

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 100 seconds.
makestep 100 3

# Allow client access from local network.
allow 192.168.81.0/24

# Serve time even if not synchronized to any NTP server.
local stratum 6

keyfile /etc/chrony/chrony.keys

# Specify the key used as password for chronyc.
commandkey 1
cmdallow 127.0.0.1

# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5

logdir /var/log/chrony
log measurements statistics tracking
------------------------------------------------------------------------------



3/ Server's keyfile (/etc/chrony/chrony.keys)
-----------------------------------------------------------------------------
1 titi
42 SHA256 HEX:80e8fc5240260a81d163434234af1603c9e78c04020dc9822821ad41e41eb414
------------------------------------------------------------------------------




4/ Client's configuration
------------------------------------------------------------------------------
server 192.168.81.130 key 42
driftfile /var/lib/chrony/drift
rtcsync
keyfile /etc/chrony/chrony.keys
commandkey 2
cmdallow 127.0.0.1
initstepslew 20 192.168.81.130
logchange 0.5
logdir /var/log/chrony
log measurements statistics tracking
------------------------------------------------------------------------------




5/ Client's keyfile (/etc/chrony/chrony.keys)
------------------------------------------------------------------------------
1 toto
42 SHA256 HEX:80e8fc5240260a81d163434234af1603c9e78c04020dc9822821ad41e41eb414
------------------------------------------------------------------------------



Now, when I start chrony, this is what I see (from the client or from the server, it's the same error):

root@client-chrony:~# /etc/chrony/sbin/chronyd -d
2015-10-15T15:52:43Z chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)
2015-10-15T15:52:43Z Unknown hash function in key 42
2015-10-15T15:52:43Z Frequency -0.074 +/- 1000000.000 ppm read from /var/lib/chrony/drift
2015-10-15T15:52:47Z System's initial offset : 0.668897 seconds fast of true (slew)
2015-10-15T15:52:49Z Source 192.168.81.130 added with unknown key 42

"Unknown hash function in key 42"

So I suppose NSS isn't linked directly during the compilation, right? But what is the correct option to set? Because when I read the "configuration" file, this is what I find:

  --disable-sechash      Disable support for hashes other than MD5
  --without-nss          Don't use NSS even if it is available
  --without-tomcrypt     Don't use libtomcrypt even if it is available

Only "disable or without" things. So how can I configure Chrony to use NSS?
For information, I have the same problem when I use "SHA1", but everything is OK when I use MD5. Strange, no?



Thanks a lot for your answers.

PS: Sorry for my English level, it's not my mother tongue at all.
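
The startup banner in the message above lists -SECHASH among the compiled-in features, and the --disable-sechash help text says that switch limits a build to MD5. As an added example (not part of the original message and not chrony's own code), this shell script cross-checks a banner against a keyfile and lists the key IDs such a build cannot use; the function names are hypothetical, and it assumes keyfile lines of the form `ID [HASH] KEY` with MD5 as the default when no hash name is given.

```shell
#!/bin/sh
# Added example: flag keyfile entries that a chronyd build cannot use.
# Assumption: key lines are "ID [HASH] KEY"; with no HASH field the key is MD5.

# Sample input, constructed from the log line and client keyfile in the post.
BANNER='2015-10-15T15:52:43Z chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)'
KEYS='1 toto
42 SHA256 HEX:80e8fc5240260a81d163434234af1603c9e78c04020dc9822821ad41e41eb414'

# has_sechash BANNER: succeed only if the feature list contains +SECHASH.
has_sechash() {
    case "$1" in
        *"+SECHASH"*) return 0 ;;
        *) return 1 ;;
    esac
}

# unusable_keys BANNER KEYFILE_TEXT: print, one per line, the IDs of keys
# that name a hash other than MD5 when the build lacks SECHASH.
# Prints nothing when the build supports the extra hash functions.
unusable_keys() {
    if has_sechash "$1"; then
        return 0
    fi
    printf '%s\n' "$2" | awk '
        NF == 0 || $1 ~ /^#/ { next }                   # blank or comment line
        NF >= 3 && toupper($2) != "MD5" { print $1 }    # explicit non-MD5 hash
    '
}

# Report for the sample input: key 42 (SHA256) is flagged, key 1 is not.
unusable_keys "$BANNER" "$KEYS"
```

On a live host, the banner can be taken from the first line of `chronyd -d` output as shown in the post, and the keyfile text from the path given by the `keyfile` directive.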

