[chrony-users] Can we deny non-NTS client?

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
Subject: [chrony-users] Can we deny non-NTS client?
From: "Akihiko.Izumi@xxxxxxxx" <Akihiko.Izumi@xxxxxxxx>
Date: Mon, 19 Dec 2022 11:59:55 +0000
Accept-language: ja-JP, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sony.com; dmarc=pass action=none header.from=sony.com; dkim=pass header.d=sony.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DfsYO4n1n7FUivIyMVdTqM8Syy0WyMaQEZgN6bm+BW0=; b=BmXWCvyhK6QcUEIoFR7z+71MBswUsUZKzUIwYfRD5W8P5Ytk/I1dwVaHEXPhxTMYp1KqxTE9KBlBimH/xNz9q5Q7IdXPA64norwnCKNSEWMCPw/Hsd+imPFJyDwzmat6sCj6yCeNapOOY2UBC0X+tzb6/x8iMpFAEi3YIYpodVXLvHAQAKAIk1NB0WjB3SgatMJlrgmRAYtmoDwzmUi7YloqGqJFq/nISKTRvuzxScef0lfyGOOvSNaBh4aXB4j3R06eyZCU1uwXDKSY7tjoiEDnsWtpjUMAxoPDScGoBjuVHwqZj13IvD9REJrCRftQyphYEWGSNsqvEAJLIMouFQ==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fQxLF4Z5q72UYbmK8uf3AYMegG/wuR65AqWUeOGU00w5cKgrf4ZaE2SNYhBE4jlD2g+50S5lVrxwwI51Mc8NyK9v+pnGJChx4pO2bQ6+xJaxLvxH1jLXSfcMrL+n72YLhKobo1AWoUlvVppSkg2gfa0VK4hsaOH3zdQtXPzP0It+l1gsZl7OXc+HXyWQRXpz2ZyI67ZoV59g7s9rWer2fdvhCjfUptjnP2v/u8Fv8gmrDLlNzMWkP2uLKce/ASTAasYbRokkeUaqjIH7UGdMGaHiQbFO036Jdxg2zF3SZLPoEw5/YvSskDOTPdcf43z5uorIoHyO8rPXYuPqHTGdFA==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sony.com; h=from : to : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=S1; bh=DfsYO4n1n7FUivIyMVdTqM8Syy0WyMaQEZgN6bm+BW0=; b=j+eQ3E2r1icIxrfHIry8E9MFjeq9WIpQtEvelf5QvLLqIaqZr0GC4zwg7m+YTUMv9oBT ubPJVV2wzUAtmJWtg//lf8xErM7cQwjed3w4yEue9egKp1ViYvyH6XL0zZsT7hGpSyXR g0ZckZ6DuVxCguaXNdUzttrwYDOdMrYcBKIjXkin1UHPIfxKBOSFFCc3IfXaMbZw+0F8 pxABzvUD8xOtsY6pCRdboCL+tZMoZsT9FTnHC5fFb7Fy7aL5zIGzpIIML9j5/ndOCVaQ 13iNuSLCB4maIQXyQZnAip5l4RlV2tBGmDWa2HIsdiT2SyWIi8v/KsSjG02yjokP+FFs zQ==
Thread-index: AdkToT3TsRUSiNm2TZKwhNLLOQ9yig==
Thread-topic: Can we deny non-NTS client?

Hello,

When we run Chrony as public NTP server, is it possible to deny NTP clients which do not support NTS?
If it possible, I would like to know how to setup so.

A public NTP server which accept both normal(non-NTS) NTP request and NTS request may suffer attacks both to normal NTP servers and to NTS-KE servers.
To reduce vulunerablity, I would like to set up NTS servers which do not accept non-NTS NTP requests.

Best Regards,
A.Izumi

--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- [chrony-users] 答复: Can we deny non-NTS client?
  - From: chengyechun

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-users] Marking a refclock unusable / changing its precision at runtime
Next by Date: [chrony-users] 答复: Can we deny non-NTS client?
Previous by thread: Re: [chrony-users] Marking a refclock unusable / changing its precision at runtime
Next by thread: [chrony-users] 答复: Can we deny non-NTS client?

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/