Re: [chrony-users] Client Authentication
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] Client Authentication
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Mon, 21 Nov 2022 10:20:21 +0100
On Thu, Nov 17, 2022 at 03:24:29PM -0500, Elise Atkins wrote:
> I am converting from using ntp to chrony and it's fairly straightforward
> but I have one question. In the ntp server configuration we could deny
> clients that were not authenticated. These requests were dropped. The
> configuration line to accomplish this used restrict with the notrust flag.
>
> Is there a way to configure chrony to only respond to clients that use a
> valid digest?
There is no such option. How exactly would it be useful?

Please note that the "restrict notrust" in ntpd does something
different. It disables responses to requests that have no MAC, but it
responds with a crypto-NAK if the request contains an invalid MAC,
which can be used for synchronization. It doesn't prevent access to
the time service.

If the server responded only to authenticated requests, there is still
a possibility of replaying an authenticated request message if you can
get one.
--
Miroslav Lichvar
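
A simplified model of the three cases described in the reply above (no MAC, invalid MAC, valid MAC), added here as an illustration; it is not ntpd or chrony code. The key, key ID, timestamps and function names are constructed, and SHA-1 over key || header is an assumed digest choice.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48                                  # fixed NTP header size
KEYS = {7: b"constructed-shared-secret"}         # constructed key ID -> key

def mac_for(key, header):
    # Classic NTP symmetric-key digest: hash(key || header); SHA-1 assumed here.
    return hashlib.sha1(key + header).digest()

def make_request(key_id=None, corrupt=False):
    # LI=0, VN=4, Mode=3 (client), plus a constructed transmit timestamp.
    header = bytes([0x23]) + bytes(39) + struct.pack("!Q", 0x0123456789ABCDEF)
    if key_id is None:
        return header
    digest = bytes(20) if corrupt else mac_for(KEYS[key_id], header)
    return header + struct.pack("!I", key_id) + digest

def decide(packet):
    """Return 'drop', 'crypto-nak' or 'reply' for a client request."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(mac) < 4:
        return "drop"                            # no MAC (or a truncated one)
    key = KEYS.get(struct.unpack("!I", mac[:4])[0])
    # Assumption: an unknown key ID is handled like a bad digest.
    if key is None or not hmac.compare_digest(mac[4:], mac_for(key, header)):
        return "crypto-nak"
    return "reply"                               # stateless: no freshness check

def respond(packet, server_time):
    """Build the server's answer; server_time is a 64-bit NTP timestamp."""
    verdict = decide(packet)
    if verdict == "drop":
        return None
    # LI=0, VN=4, Mode=4 (server); the transmit timestamp is set either way.
    header = bytes([0x24]) + bytes(39) + struct.pack("!Q", server_time)
    if verdict == "crypto-nak":
        return header + struct.pack("!I", 0)     # key ID 0 and no digest
    key_field = packet[HEADER_LEN:HEADER_LEN + 4]
    key = KEYS[struct.unpack("!I", key_field)[0]]
    return header + key_field + mac_for(key, header)

def transmit_time(response):
    return struct.unpack("!Q", response[40:48])[0]

if __name__ == "__main__":
    captured = make_request(key_id=7)
    for label, pkt in [("no MAC", make_request()), ("bad MAC", make_request(7, True)),
                       ("valid MAC", captured), ("same bytes again", captured)]:
        print(f"{label:17} -> {decide(pkt)}")
```

The crypto-NAK branch still carries the server's transmit timestamp, and the last two rows give the same verdict because verifying the MAC says nothing about whether the request is fresh.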