Re: [chrony-users] Is restrict option supported in chrony.conf 2.1

On Tue, Dec 27, 2016 at 09:30:37AM -0500, Robert Moskowitz wrote:
> allow 192.168.128/24
> 
> Does this allow open up the server to updates from local hosts as well as
> permitting them to get the time?

If by updates you mean chronyc commands (similar to ntpq/ntpdc), then
no. The allow directive only allows NTP queries from NTP clients,
nothing else. The cmdallow directive allows chronyc commands and the
default is denied for everything except localhost. Also, chronyd by
default binds the command sockets to localhost (127.0.0.1, ::1), which
needs to be changed by the bindcmdaddress directive in order to allow
remote access.

> Additionally, ntpd provides protection from upstream servers:
> 
> # Permit time synchronization with our time source, but do not
> # permit the source to query or modify the service on this system.
> restrict default kod nomodify notrap nopeer noquery
> 
> Is this an issue with chronyd?

No. The defaults are safe. Unless you add a cmdallow directive
together with "bindcmdaddress 0.0.0.0" (or ::) to the configuration
file, all command packets from the network will be dropped.

-- 
Miroslav Lichvar
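
The rule described in the reply above, as an added example that is not part of the original message or of chrony itself: a Python check that reads chrony.conf text and reports remote chronyc access only when a cmdallow directive appears together with a non-loopback bindcmdaddress. The function name and both sample configurations are constructed for illustration, and cmddeny and directive ordering are not modelled.

```python
import ipaddress

# Constructed sample configurations (not taken from the thread).
SAFE_CONF = """\
# NTP service for the LAN only; command access left at defaults
allow 192.168.128/24
"""
EXPOSED_CONF = """\
allow 192.168.128/24
cmdallow 192.168.128/24
bindcmdaddress 0.0.0.0
"""

def audit_chrony_conf(text):
    """Summarise who may send NTP queries and who may send chronyc commands."""
    ntp_allow, cmd_allow, cmd_binds = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        # chrony.conf treats lines starting with '#', '%', ';' or '!' as comments
        if not line or line[0] in "#%;!":
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "allow":
            ntp_allow.append(" ".join(args) or "all")
        elif directive == "cmdallow":
            cmd_allow.append(" ".join(args) or "all")
        elif directive == "bindcmdaddress" and args:
            cmd_binds.append(args[0])

    def non_loopback(addr):
        if addr.startswith("/"):   # Unix domain socket path, not a network bind
            return False
        try:
            return not ipaddress.ip_address(addr).is_loopback
        except ValueError:
            return True            # unparseable value: flag it for manual review

    remote_binds = [a for a in cmd_binds if non_loopback(a)]
    return {
        "ntp_clients": ntp_allow,
        "cmdallow": cmd_allow,
        "remote_cmd_binds": remote_binds,
        # Both conditions are needed, as the reply states.
        "remote_commands_possible": bool(cmd_allow) and bool(remote_binds),
    }

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("exposed", EXPOSED_CONF)):
        print(name, audit_chrony_conf(conf))
```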
