Re: [chrony-users] Client Authentication


On Thu, Nov 17, 2022 at 03:24:29PM -0500, Elise Atkins wrote:
> I am converting from using ntp to chrony and it's fairly straightforward
> but I have one question. In the ntp server configuration we could deny
> clients that were not authenticated. These requests were dropped. The
> configuration line to accomplish this used restrict with the notrust flag.
> Is there a way to configure chrony to only respond to clients that use a
> valid digest?

There is no such option. How exactly would it be useful?

Please note that the "restrict notrust" in ntpd does something
different. It disables responses to requests that have no MAC, but it
responds with a crypto-NAK if the request contains an invalid MAC,
which can be used for synchronization. It doesn't prevent access to
the time service.

If the server responded only to authenticated requests, there is still
a possibility of replaying an authenticated request message if you can
get one.

Miroslav Lichvar
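
The three request cases distinguished in the reply above, as an added example that is not part of the original message and is not chrony or ntpd code. It assumes the classic symmetric-key trailer (4-byte key ID followed by MD5(key || header)) with no extension fields; the key, the packets and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
SAMPLE_KEYS = {1: b"constructed-key"}  # constructed key table, not a real secret

def make_request(key_id=None, key=b"", corrupt=False):
    """Build a constructed NTPv4 client request, optionally with a keyed-MD5 MAC."""
    header = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)  # LI=0, VN=4, Mode=3 (client)
    if key_id is None:
        return header
    digest = bytes(16) if corrupt else hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def classify(packet, keys):
    """Classify the bytes that follow the 48-byte NTP header."""
    if len(packet) < NTP_HEADER_LEN:
        return "malformed"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not trailer:
        return "no-mac"
    if len(trailer) == 4:
        # A bare key ID of zero with no digest is the crypto-NAK encoding.
        return "crypto-nak" if trailer == bytes(4) else "malformed"
    if len(trailer) != 20:
        return "unsupported"  # other digest lengths are outside this example
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = keys.get(key_id)
    if key is None:
        return "invalid-mac"
    expected = hashlib.md5(key + header).digest()
    return "valid-mac" if hmac.compare_digest(expected, trailer[4:]) else "invalid-mac"

def notrust_action(packet, keys):
    """Map each case to the ntpd "restrict notrust" behaviour described in the reply."""
    actions = {
        "no-mac": "drop",                    # no MAC: no response
        "invalid-mac": "reply crypto-NAK",   # still usable for synchronization
        "valid-mac": "reply authenticated",  # assumption: normal authenticated reply
    }
    return actions.get(classify(packet, keys), "unspecified")

if __name__ == "__main__":
    valid = make_request(1, SAMPLE_KEYS[1])
    for name, pkt in [("plain", make_request()), ("bad MAC", make_request(1, corrupt=True)),
                      ("valid", valid), ("same bytes again", valid)]:
        print(f"{name:17} {classify(pkt, SAMPLE_KEYS):12} {notrust_action(pkt, SAMPLE_KEYS)}")
```

The last two rows are identical: a MAC check alone gives the same verdict for a captured request sent a second time, which is the replay point made in the reply.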
