[chrony-users] Chrony and NTP hardening
- To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
- Subject: [chrony-users] Chrony and NTP hardening
- From: Bernd Brandstetter <kde-bbrand@xxxxxxxxxxxx>
- Date: Wed, 4 Feb 2026 16:57:27 +0100
Hello,
I'm supposed to implement a couple of NTP security requirements as
suggested by RFC8633.
Specifically, the NTP daemon shall be prevented from accepting dates
that set the clock to a time earlier than the build date of the system
or a last-known-good time, which will be saved to a file once a day.
I'm wondering how this could best be achieved with Chrony. My main
problem is that I can see no way to reliably detect if the time is
acceptable before Chrony has already synchronized. Moreover, since we
would also like to use rtcsync, this would mean that then also the RTC
could be set to the wrong time and we'd therefore have no means to
recover, and activating rtcsync only afterwards is unfortunately not
supported.
Is there a better way to achieve this? I somehow doubt that we're the
first ones with this problem but could not find a solution on the internet.
Best regards,
Bernd
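The lower-bound sanity check the post describes (reject any candidate time earlier than the build date or a last-known-good time saved once a day), as an added example that is not part of the original post or of chrony itself; the build date, the state file path and the daily-record helper are placeholder assumptions.

```python
"""Lower-bound sanity check for a candidate system time, following the
RFC 8633 advice referred to in the post (never accept a time earlier than
the build date or the saved last-known-good time). Added example, not
chrony code; the build date and file paths are placeholder assumptions."""
import os

# Placeholder: UNIX time of the system image build (2026-01-01T00:00:00Z).
BUILD_TIME = 1767225600


def read_last_known_good(path):
    """Return the saved last-known-good UNIX time, or None if the file is
    missing or unreadable (treated as 'no record', not as an error)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def lower_bound(lkg_path, build_time=BUILD_TIME):
    """Earliest acceptable time: the later of the build date and the saved
    last-known-good time. A missing or corrupt file falls back to the build date."""
    lkg = read_last_known_good(lkg_path)
    return build_time if lkg is None else max(build_time, lkg)


def is_acceptable(candidate, lkg_path, build_time=BUILD_TIME):
    """True if a candidate time (e.g. offered by a time source) is not earlier
    than the lower bound; a check like this belongs before the clock is stepped."""
    return candidate >= lower_bound(lkg_path, build_time)


def record_last_known_good(path, now):
    """Persist 'now' as the daily last-known-good record. The saved value never
    moves backwards, so a wrong clock cannot lower the bound; returns True if written."""
    current = read_last_known_good(path)
    if current is not None and now <= current:
        return False
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(now))
    os.replace(tmp, path)  # atomic rename: a crash cannot leave a truncated record
    return True
```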