Re: [chrony-users] NTS fallback?

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] NTS fallback?
From: Christoph Schittel <christoph.schittel@xxxxxxxxx>
Date: Fri, 08 Aug 2025 08:28:45 +0000
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1754641568; x=1755246368; darn=chrony.tuxfamily.org; h=mime-version:content-transfer-encoding:user-agent:references :in-reply-to:date:subject:to:from:message-id:from:to:cc:subject:date :message-id:reply-to; bh=mdA8F9jpX2Z5lNTcyAzeLI7ba5Mq9k1d12MBOFvGvsw=; b=fHlDy/K0HAK8vVKnDDsBN1lIglMEpsHbYKcER8iLWf1ONi+7kecCtuHYfsqgVmww7C mG5jV9Q0aoHO5NfivqtuzB8jRx33JRrNvDdrohGgoJlCQ+QPlhDC673mx8poWBHHZVlc N0rjNv24TVwEtuJL8VUFlqPlmZn81ByNbWhKJAM9b3U57sVLmyr3IOu6oQwLDyQJzzHX vGGlzchFSPFfjYQe21Dl3vLw2z2iehKR8ebdjSCPypvtooOWX+MYWZfBc3V/kFLb06az TGSLXWD5uOhwL2aqY9TLXhf8FgpxQMqScuwlhCr4noCvWNhRp6qMdF4co42QlioWCGlm b2AA==


Thank you Joachim,

I see, this makes perfect sense!

Nonetheless I think there are setups where it would be helpful to have thisfallback. With "authselectmode" it can be decided if unauthenticatedservers will be used and how.

There could be a timeout option "authfallback" with an integer parametergiving the number of tries after which chrony should use unauthenticatedqueries when authentications fails. Authentication request shouldnevertheless be tried in parallel. An parameter of zero would be thedefault behavior - no fallback.


regards,
Christoph

kross@xxxxxxxxxxxxxxxxxxxx schrieb am Donnerstag, 7. August 2025 23:20:42(+02:00):


> Hello Christoph,

>> The idea is to prevent so-called "bidding down" attacks. I.e., insteadof trying to attack the protection mechanisms, the idea of such stracks isto get the client to simply not use them. Not falling back to NTP withoutNTS when NTS fails is a way to avoid that, i.e., is fully intended.>> Kind regards>> Joachim>> 07.08.2025 22:22:03 Christoph Schittel <christoph.schittel@xxxxxxxxx>:>> > Hello!> >> > When a server directive is specified with "nts" this server is onlyqueried when nts service is working on this server.> > Is there no fallback to unauthenicated time transfer for servers withnts option given? Like when nts services are failing or temporarilydisabled on the server.> >> > I know about "authselectmode", but this is only working betweendifferent queried servers, authenticated and not authenticated.> >> > regards

> > Christoph

> >> > --> > To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with"unsubscribe" in the subject.> > For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with "help"in the subject.

> > Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

>

--

To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxxwith "unsubscribe" in the subject.For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxxwith "help" in the subject.

Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- Re: [chrony-users] NTS fallback?
  - From: kross

References:
- Re: [chrony-users] NTS fallback?
  - From: kross

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-users] NTS fallback?
Next by Date: Re: [chrony-users] NTS fallback?
Previous by thread: Re: [chrony-users] NTS fallback?
Next by thread: Re: [chrony-users] NTS fallback?

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/