Hi there,
I'm trying to configure chrony on Debian. I need a client, a server and a packet authentication system (SHA2). If I understand correctly, I can't use OpenSSL (because the licence is not compatible with chrony's GPL licence), so I need to use NSS. Am I right?
For information, my server's IP is 192.168.81.130, and my client's IP is 192.168.81.131.
This is what I did:
1/ Installation script (Server and Client):
------------------------------------------------------------------------------
apt-get -y install build-essential libnss3 libnss3-dev
cd /tmp
wget http://download.tuxfamily.org/chrony/chrony-2.1.1.tar.gz
tar zxvf chrony-2.1.1.tar.gz
cd chrony-2.1.1
./configure --prefix=/etc/chrony
make
make install
------------------------------------------------------------------------------
2/ Server configuration (/etc/chrony.conf)
------------------------------------------------------------------------------
bindaddress 192.168.81.130
bindcmdaddress 127.0.0.1
# IPv4/IPv6:
server clock.nyc.he.net iburst
server clock.sjc.he.net iburst
# IPv4 only:
server time.keneli.org iburst
server bonehed.lcs.mit.edu iburst
server gnomon.cc.columbia.edu iburst
# Record the rate at which the system clock gains/loses time.
driftfile /var/lib/chrony/drift
# Enable kernel RTC synchronization.
rtcsync
# In the first three updates, step the system clock instead of slewing
# if the adjustment is larger than 100 seconds.
makestep 100 3
# Allow client access from local network.
allow 192.168.81.0/24
# Serve time even if not synchronized to any NTP server.
local stratum 6
keyfile /etc/chrony/chrony.keys
# Specify the key used as password for chronyc.
commandkey 1
cmdallow 127.0.0.1
# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5
logdir /var/log/chrony
log measurements statistics tracking
------------------------------------------------------------------------------
3/ Server's keyfile (/etc/chrony/chrony.keys)
------------------------------------------------------------------------------
1 titi
42 SHA256 HEX:80e8fc5240260a81d163434234af1603c9e78c04020dc9822821ad41e41eb414
------------------------------------------------------------------------------
4/ Client's configuration
------------------------------------------------------------------------------
server 192.168.81.130 key 42
driftfile /var/lib/chrony/drift
rtcsync
keyfile /etc/chrony/chrony.keys
commandkey 2
cmdallow 127.0.0.1
initstepslew 20 192.168.81.130
logchange 0.5
logdir /var/log/chrony
log measurements statistics tracking
------------------------------------------------------------------------------
5/ Client's keyfile (/etc/chrony/chrony.keys)
------------------------------------------------------------------------------
1 toto
42 SHA256 HEX:80e8fc5240260a81d163434234af1603c9e78c04020dc9822821ad41e41eb414
------------------------------------------------------------------------------
Now, when I start chrony, this is what I see (from the client or from the server, it's the same error):
root@client-chrony:~# /etc/chrony/sbin/chronyd -d
2015-10-15T15:52:43Z chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)
2015-10-15T15:52:43Z Unknown hash function in key 42
2015-10-15T15:52:43Z Frequency -0.074 +/- 1000000.000 ppm read from /var/lib/chrony/drift
2015-10-15T15:52:47Z System's initial offset : 0.668897 seconds fast of true (slew)
2015-10-15T15:52:49Z Source 192.168.81.130 added with unknown key 42
"Unknown hash function in key 42"
So I suppose NSS isn't linked directly during the compilation, right? But what is the correct option to set? Because when I read the "configuration" file, this is what I find:
--disable-sechash Disable support for hashes other than MD5
--without-nss Don't use NSS even if it is available
--without-tomcrypt Don't use libtomcrypt even if it is available
Only "disable" or "without" things. So how can I configure chrony to use NSS?
For information, I have the same problem when I use "SHA1", but everything is OK when I use MD5. Strange, no?
Thanks a lot for your answers.
PS: Sorry for my English level, it's not my mother tongue at all.
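As an added example that is not part of the original post: a small POSIX sh pre-flight check you can run before starting chronyd. It reads the build-feature banner for "+SECHASH" (the "-SECHASH" in the log above is exactly what makes SHA256/SHA1 keys "unknown"), lists the keyfile ids that need a SECHASH-enabled build, and compares the server and client keyfiles so a shared id never carries different material. The banner and the two keyfiles below are constructed samples mirroring the post; the hex key is a placeholder, not the one from the post.

```shell
#!/bin/sh
# Pre-flight checks for a chrony 2.x keyfile (added example, not chrony's own code).
# chronyd prints its build features in the "starting" banner and in `chronyd -v`:
# "+SECHASH" means hashes other than MD5 work, "-SECHASH" means an entry such as
# "42 SHA256 ..." is rejected with "Unknown hash function in key 42".

# Returns 0 if a chronyd banner/version line advertises +SECHASH.
sechash_supported() {
  case "$1" in
    *+SECHASH*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Keyfile line format: <id> [<hash>] <key>; the hash defaults to MD5 when absent.
# Prints the ids of keys that need a +SECHASH build.
keys_needing_sechash() {
  awk '$1 !~ /^#/ && NF == 3 && toupper($2) != "MD5" { print $1 }' "$1"
}

# Prints ids present in both files whose entries differ (server and client must
# hold identical material for a shared id); returns 1 if any differ, else 0.
keyfiles_match() {
  awk 'function norm() { return $1 " " (NF == 3 ? toupper($2) : "MD5") " " $NF }
       $1 ~ /^#/ || NF < 2 { next }
       FNR == NR { seen[$1] = norm(); next }
       ($1 in seen) && seen[$1] != norm() { print $1; bad = 1 }
       END { exit bad ? 1 : 0 }' "$1" "$2"
}

# Constructed sample inputs mirroring the post (placeholder key material).
BANNER='chronyd version 2.1.1 starting (+CMDMON +NTP +RTC -PRIVDROP +IPV6 -SECHASH)'
SRV_KEYS=$(mktemp) && CLI_KEYS=$(mktemp)
printf '1 titi\n42 SHA256 HEX:00112233445566778899aabbccddeeff\n' > "$SRV_KEYS"
printf '1 toto\n42 SHA256 HEX:00112233445566778899aabbccddeeff\n' > "$CLI_KEYS"

if ! sechash_supported "$BANNER"; then
  echo "build lacks SECHASH; keys needing it: $(keys_needing_sechash "$SRV_KEYS")"
fi
keyfiles_match "$SRV_KEYS" "$CLI_KEYS" || echo "server/client entries differ for the ids above"
```

Run it against the real banner from `chronyd -v` and the real keyfiles; an id it prints from keyfiles_match (here id 1, "titi" vs "toto") is one the two sides will never agree on.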