Re: [chrony-users] Chrony and NTP hardening
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] Chrony and NTP hardening
- From: Bernd Brandstetter <kde-bbrand@xxxxxxxxxxxx>
- Date: Wed, 4 Feb 2026 17:50:02 +0100
Hello.

On 2/4/26 17:27, Rob Janssen wrote:
>> or a last-known-good time, which will be saved to a file once a day.
> But that would be a disaster waiting to happen!
> What happens when your system syncs to an invalid time in the future?

I thought this could be avoided via the maxchange instruction.

> With a more advanced system using NTP (like ntpd or chrony) with several servers and with limited time step, there isn't much risk that things go wrong.

Yeah, I should have mentioned that this is a (mostly) closed network (a
train actually). There will be only one master and one backup time
server in the train, which (optionally) synchronize with GPS. All other
devices then synchronize with only these two servers.
But it cannot be ruled out that an attacker gets access to the network,
either from within the train or a maintenance connection.

Thanks and best regards,
Bernd