Re: [chrony-users] Problem with authentication algorithm

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

Thx Miroslav for your answer.

If I list all my installed packets, this is what I have:

root@client-chrony:/tmp/chrony-2.1.1#  dpkg-query -l | grep nss
ii  insserv                            1.14.0-5                      amd64        boot sequence organizer using LSB init.d script dependency information
ii  libnss3:amd64                      2:3.14.5-1+deb7u5             amd64        Network Security Service libraries
ii  libnss3-dev                        2:3.14.5-1+deb7u5             amd64        Development files for the Network Security Service libraries
ii  openssh-blacklist                  0.4.1+nmu1                    all          list of default blacklisted OpenSSH RSA and DSA keys
ii  openssh-blacklist-extra            0.4.1+nmu1                    all          list of non-default blacklisted OpenSSH RSA and DSA keys
ii  openssh-client                     1:6.0p1-4+deb7u2              amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                     1:6.0p1-4+deb7u2              amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssl                            1.0.1e-2+deb7u17              amd64        Secure Socket Layer (SSL) binary and related cryptographic tools
root@client-chrony:/tmp/chrony-2.1.1#

--------------------------------------------------------------------------------------------------------

If I configure again:

root@client-chrony:/tmp/chrony-2.1.1# ./configure  --prefix=/etc/chrony
Configuring for  Linux-x86_64
Checking for 64-bit time_t : Yes
NTP time mapped to 1965-10-27T20:13:31Z/2101-12-04T02:41:47Z
Checking for math : No
Checking for math in -lm : Yes
Checking for <stdint.h> : Yes
Checking for <inttypes.h> : Yes
Checking for IPv6 support : Yes
Checking for in6_pktinfo : No
Checking for in6_pktinfo with _GNU_SOURCE : Yes
Checking for getaddrinfo() : Yes
Checking for pthread : Yes
Checking for <sys/timepps.h> : No
Checking for <timepps.h> : No
Checking for libcap : No
Checking for <linux/rtc.h> : Yes
Checking for <linux/ptp_clock.h> : Yes
Checking for clock_gettime() : No
Checking for clock_gettime() in -lrt : Yes
Checking for sched_setscheduler() : Yes
Checking for mlockall() : Yes
Checking for editline : No
Checking for readline : No
Checking for readline with -lncurses : No
Checking for NSS : No
Checking for tomcrypt : No
Features : +CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG -READLINE +ASYNCDNS +IPV6 -SECHASH
Creating Makefile
Creating chrony.conf.5
Creating chrony.texi
Creating chronyc.1
Creating chronyd.8

--------------------------------------------------------------------------------------------------------

If I check the config.log I have this kind of error:

docheck.c:
#include <nss.h>
#include <hasht.h>
#include <nsslowhash.h>
int main(int argc, char **argv) {
NSSLOWHASH_Begin(NSSLOWHASH_NewContext(NSSLOW_Init(), HASH_AlgSHA512));
return 0; }
gcc -O2 -g -Wmissing-prototypes -Wall -pthread -o docheck docheck.c -lfreebl3
docheck.c:2:19: fatal error: hasht.h: Aucun fichier ou dossier de ce type
compilation terminated.

--------------------------------------------------------------------------------------------------------

If I try to access the NSS include directory:

root@client-chrony:/tmp# cd /usr/include/nss/
root@client-chrony:/usr/include/nss# l
total 1196
-rw-r--r-- 1 root root  1226 août  16 20:30 base64.h
-rw-r--r-- 1 root root 12071 août  16 20:30 blapit.h
-rw-r--r-- 1 root root  2511 août  16 20:30 certdb.h
-rw-r--r-- 1 root root 53104 août  16 20:30 cert.h
-rw-r--r-- 1 root root 44798 août  16 20:30 certt.h
-rw-r--r-- 1 root root  2386 août  16 20:30 ciferfam.h
-rw-r--r-- 1 root root 43019 août  16 20:30 cmmf.h
-rw-r--r-- 1 root root  2392 août  16 20:30 cmmft.h
-rw-r--r-- 1 root root 38799 août  16 20:30 cms..h
-rw-r--r-- 1 root root   954 août  16 20:30 cmsreclist.h
-rw-r--r-- 1 root root 17359 août  16 20:30 cmst.h
-rw-r--r-- 1 root root 63980 août  16 20:30 crmf.h
-rw-r--r-- 1 root root  5601 août  16 20:30 crmft.h
-rw-r--r-- 1 root root 14398 août  16 20:30 cryptohi.h
-rw-r--r-- 1 root root   495 août  16 20:30 cryptoht.h
[...]

--------------------------------------------------------------------------------------------------------

The file /usr/include/nss/hasht.h exist:

root@client-chrony:/usr/include/nss# l | grep hasht.h
-rw-r--r-- 1 root root  1756 août  16 20:30 hasht.h
root@client-chrony:/usr/include/nss#

--------------------------------------------------------------------------------------------------------

The file /usr/include/nss/nsslowhash.h exist too:

root@client-chrony:/usr/include/nss# l | grep nsslowhash.h
-rw-r--r-- 1 root root  1172 août  16 20:30 nsslowhash.h
root@client-chrony:/usr/include/nss#

--------------------------------------------------------------------------------------------------------

I have nothing about "nss-softokn-devel" or "nss-softokn-freebl" or "freebl" onmy system. Nothing on Internet, except http://linuxsoft.cern.ch/cern/updates/slc6X/i386/RPMS/repoview/nss-softokn-freebl-devel.html but it's only for RedHat (and I'm on Debian).

So I don't understand.

Any ideas ?

Thanks a lot.



2015-10-19 10:27 GMT+02:00 Miroslav Lichvar <mlichvar@xxxxxxxxxx>:
On Fri, Oct 16, 2015 at 04:04:22PM +0200, Steven Liegaux wrote:
> Hi there,
>
> I'm trying to configure chrony on a Debian. I need a client, a server and a
> packet authentication system (SHA2). If I understand, I can't use OpenSSL
> (because the licence is not compatible with the Chrony's GPL licence), so I
> need to use NSS. Am I right ?

NSS or tomcrypt. OpenSSL is not supported. The issue with licensing is
the main reason.

> root@client-chrony:~# /etc/chrony/sbin/chronyd -d
> 2015-10-15T15:52:43Z chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK
> +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)

-SECHASH means it wasn't compiled with NSS or tomcrypt support.

>  --disable-sechash      Disable support for hashes other than MD5
>   --without-nss          Don't use NSS even if it is available
>   --without-tomcrypt     Don't use libtomcrypt even if it is available
>
> Only "disable or without" things. So how can I configure Chrony to use NSS ?
> For information, I have the same problem when I use "SHA1", but everything
> is OK when I use MD5. Strange nop ?

The SECHASH feature is enabled automatically if the configure script
can find the NSS or tomcrypt development files. MD5 is always
available as there is an internal MD5 implementation included in the
chrony source code.

Check config.log for errors. It will probably be a missing devel file.

It needs the freebl library and nsslowhash.h from NSS. In Fedora, for
instance, they are in the nss-softokn-devel and nss-softokn-freebl
packages.

--
Miroslav Lichvar

--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.



Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/