Re: [chrony-users] Chronyd NTS under Ubuntu 24 - group permissions
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] Chronyd NTS under Ubuntu 24 - group permissions
- From: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
- Date: Tue, 16 Sep 2025 08:27:08 +0200
- Cc: Lukas Märdian <lukas.maerdian@xxxxxxxxxxxxx>
On Tue, Sep 16, 2025 at 2:03 AM Mikhail <mikhail@xxxxxxxxxxxxx> wrote:
>
> 1) NTS keys are generated by letsencrypt/certbot and in Ubuntu are accessible to group ssl-certs.
> I can add Chrony user _chrony to group ssl-certs, and verify that user can access the certificates.
> Also, I added AppArmor exception to allow Chrony to access the keys.
> Still Chrony won't be able to access the keys as Chrony seems to be stripping group permission from itself.
>
> What is the valid path to making NTS work without actually copying/chown-ing keys on schedule?
Hi Mikhail,
per [1] the usual path is in /etc/chrony/*.pem which AFAIK (and hope)
is also matching the usual path upstream would expect and is what
you'll see in examples.
That path is already open for read-only in the apparmor rules.
At least our own automation [2][3] will automatically pass the private
keys and store them in a compatible way - so location/permissions were
never a problem I was presented with internally before.
[1]: https://documentation.ubuntu.com/server/how-to/networking/serve-ntp-with-chrony/#nts-server
[2]: https://github.com/canonical/chrony-operator/blob/main/lib/charms/tls_certificates_interface/v3/tls_certificates.py
[3]: https://discourse.charmhub.io/t/the-tls-certificate-interface-documentation/11635
> I would prefer to keep private keys in single place.
If that is your goal then I'd expect exactly what you did or considered already:
- you'd point the chrony config to that new place and adapt the
apparmor rules to allow chrony to read from there
- to not chown the files you'd need to change the other side - the
user chrony runs with (`user` directive in chrony.conf).
But both changes appear as potential security risks to me.
Keeping the private keys together means once that path is exposed all
of them might be exposed.
Same for the permissions, I actually like that e.g. chrony can only
access its own files and only those that an extra step of chown made
clear it is meant to read.
I'm not at all challenging what and why you do - after all there is
always one more way to set up a system.
But it seems like - for the comfort of having all private keys in one
place - it could weaken some of the standard defenses, which explains
why it isn't easy (and probably should not be).
.... [snip] ...
--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd
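An added example of the standard path described in the reply above (copy the renewed certificate and key into /etc/chrony and chown them to chrony's own user, so that the AppArmor profile's existing read rule and chrony's default `user` both keep working), written as a certbot deploy hook. This is example code, not code from chrony, Ubuntu or the chrony charm. It assumes the Ubuntu chrony user and group `_chrony`, the unit name `chrony.service`, the `RENEWED_LINEAGE` variable certbot exports to deploy hooks (the `/etc/letsencrypt/live/<name>` directory holding `fullchain.pem` and `privkey.pem`), and the file names `nts-cert.pem` / `nts-key.pem`, which are chosen here and not prescribed anywhere. The openssl public-key comparison is an extra sanity check added here, so that chronyd is never handed a key that does not belong to the certificate.

```shell
#!/bin/sh
# Constructed certbot deploy hook for a chrony NTS server (example code, not
# the chrony project's, Ubuntu's or the chrony charm's). Assumptions: chronyd
# runs as _chrony, reads its NTS cert/key from /etc/chrony, and restarting
# chrony.service is an acceptable way to make it pick up the new key.
set -eu

CHRONY_USER="${CHRONY_USER:-_chrony}"
CHRONY_GROUP="${CHRONY_GROUP:-_chrony}"
CHRONY_DIR="${CHRONY_DIR:-/etc/chrony}"

# Return 0 if the certificate's public key matches the private key, 1 if not.
# Requires the openssl CLI.
check_nts_pair() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Copy cert and key into $dest with the ownership and mode chronyd expects.
# Both files are written to mktemp names (created 0600) inside $dest and then
# renamed into place, so no partially written or group-readable copy ever
# sits at the final path. The key ends up 0600 and the cert 0644, both owned
# by the chrony user: the explicit chown is what marks them as chrony's to read.
install_nts_pair() {
    cert="$1"; key="$2"; dest="$3"; owner="$4"; group="$5"
    mkdir -p "$dest"
    tmp_key=$(mktemp "$dest/.nts-key.XXXXXX")
    tmp_cert=$(mktemp "$dest/.nts-cert.XXXXXX")
    cat "$key" > "$tmp_key"
    cat "$cert" > "$tmp_cert"
    chown "$owner:$group" "$tmp_key" "$tmp_cert"
    chmod 0600 "$tmp_key"
    chmod 0644 "$tmp_cert"
    mv -f "$tmp_key" "$dest/nts-key.pem"
    mv -f "$dest/.nts-cert."* "$dest/nts-cert.pem" 2>/dev/null \
        || mv -f "$tmp_cert" "$dest/nts-cert.pem"
}

# What certbot runs after a successful renewal: verify the pair, install it,
# then restart chronyd so it loads the new key.
deploy_hook() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/ntp.example.test (assumed name)
    check_nts_pair "$lineage/fullchain.pem" "$lineage/privkey.pem"
    install_nts_pair "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        "$CHRONY_DIR" "$CHRONY_USER" "$CHRONY_GROUP"
    systemctl restart chrony
}

# certbot sets RENEWED_LINEAGE when invoking a deploy hook; run by hand or
# sourced without it, the script touches nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

Install it executable as, for instance, /etc/letsencrypt/renewal-hooks/deploy/chrony-nts.sh (a path chosen here), and point chrony.conf at the copies with `ntsservercert /etc/chrony/nts-cert.pem` and `ntsserverkey /etc/chrony/nts-key.pem`. The copy is exactly the "extra step of chown" the reply above argues for: the private key in /etc/letsencrypt stays readable only by root and the ssl-cert group, and chrony gets its own 0600 copy and nothing else.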
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.