Re: [chrony-users] NTS fallback?




Thank you Joachim,

I see, this makes perfect sense!

Nonetheless I think there are setups where it would be helpful to have this fallback. With "authselectmode" it can be decided if unauthenticated servers will be used and how.

There could be a timeout option "authfallback" with an integer parameter giving the number of tries after which chrony should use unauthenticated queries when authentication fails. Authentication requests should nevertheless be tried in parallel. A parameter of zero would be the default behavior - no fallback.

regards,
Christoph


kross@xxxxxxxxxxxxxxxxxxxx wrote on Thursday, 7 August 2025 23:20:42 (+02:00):

> Hello Christoph,
>
> The idea is to prevent so-called "bidding down" attacks. I.e., instead of trying to attack the protection mechanisms, the idea of such attacks is to get the client to simply not use them. Not falling back to NTP without NTS when NTS fails is a way to avoid that, i.e., is fully intended.
>
> Kind regards
>
> Joachim
>
> 07.08.2025 22:22:03 Christoph Schittel <christoph.schittel@xxxxxxxxx>:
>
> > Hello!
> >
> > When a server directive is specified with "nts" this server is only queried when nts service is working on this server.
> > Is there no fallback to unauthenticated time transfer for servers with nts option given? Like when nts services are failing or temporarily disabled on the server.
> >
> > I know about "authselectmode", but this is only working between different queried servers, authenticated and not authenticated.
> >
> > regards
> > Christoph
> >
> > --
> > To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
> > For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
> > Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.