| Re: [chrony-users] Chrony and NTP hardening |
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] Chrony and NTP hardening
- From: Rob Janssen <chrony-users@xxxxxxxxx>
- Date: Wed, 4 Feb 2026 17:27:04 +0100
- Organization: PE1CHL
On 2026-02-04 16:57, Bernd Brandstetter wrote:
>
> Specifically, the NTP daemon shall be prevented from accepting dates that set the clock to a time earlier than the build date of the system
Ok that seems reasonable...
> or a last-known-good time, which will be saved to a file once a day.
But that would be a disaster waiting to happen!
What happens when your system syncs to an invalid time in the future?
>
> My main problem is that I can see no way to reliably detect if the time is acceptable before Chrony has already synchronized.
Yeah, such simplistic checks are most applicable to systems using SNTP, i.e. query a single server and jam the received time into the clock.
With a more advanced system using NTP (like ntpd or chrony) with several servers and with a limited time step, there isn't much risk that things go wrong.
Rob
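
Added example, not part of the message above and not chrony code: a small replay of the two floor checks discussed in the thread (build date only, and build date plus a saved last-known-good time), showing how one accepted future time locks out every later correct time. The class and function names, the dates and the "save on every accepted sync" simplification of the once-a-day file are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BUILD_DATE = datetime(2026, 1, 1, tzinfo=UTC)        # constructed build date
TRUE_NOW = datetime(2026, 2, 4, 12, 0, tzinfo=UTC)   # constructed "real" time

# Constructed sequence of times offered by a time source.
EVENTS = [
    datetime(2020, 1, 1, tzinfo=UTC),   # before the build date
    TRUE_NOW,                           # correct time
    datetime(2036, 2, 7, tzinfo=UTC),   # invalid time in the future
    TRUE_NOW + timedelta(days=1),       # source is correct again
    TRUE_NOW + timedelta(days=2),
]


class TimeFloor:
    """Reject times below the build date or, optionally, below a saved
    last-known-good time (hypothetical policy, for illustration only)."""

    def __init__(self, build_date, use_last_known_good):
        self.build_date = build_date
        self.use_lkg = use_last_known_good
        self.last_known_good = None  # stands in for the file saved once a day

    def floor(self):
        if self.use_lkg and self.last_known_good is not None:
            return max(self.build_date, self.last_known_good)
        return self.build_date

    def offer(self, candidate):
        """Return True if the candidate time passes the floor check."""
        if candidate < self.floor():
            return False
        if self.use_lkg:
            # Simplification: persist on every accepted sync, not once a day.
            self.last_known_good = candidate
        return True


def replay(events, use_last_known_good):
    """Feed the events through one policy and return accept/reject per event."""
    policy = TimeFloor(BUILD_DATE, use_last_known_good)
    return [policy.offer(t) for t in events]


if __name__ == "__main__":
    print("build date only      :", replay(EVENTS, False))
    print("with last-known-good :", replay(EVENTS, True))
```

Neither floor rejects the future time itself; with the saved last-known-good value the floor moves to 2036 and the two correct times that follow are refused.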