Re: [chrony-users] Chrony and NTP hardening
- To: Bernd Brandstetter <kde-bbrand@xxxxxxxxxxxx>
- Subject: Re: [chrony-users] Chrony and NTP hardening
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Thu, 5 Feb 2026 08:06:18 +0100
- Cc: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
On Wed, Feb 04, 2026 at 04:57:27PM +0100, Bernd Brandstetter wrote:
> Specifically, the NTP daemon shall be prevented from accepting dates that
> set the clock to a time earlier than the build date of the system or a
> last-known-good time, which will be saved to a file once a day.
You could set the mapping of the NTP interval at build time to start at
the current time like this:
../configure --with-ntp-era=$(date +%s)
That would change jumps to the past into jumps to the distant future (up to 136
years). I'm not sure how that is better.
> I'm wondering how this could best be achieved with Chrony. My main problem
> is that I can see no way to reliably detect if the time is acceptable before
> Chrony has already synchronized. Moreover, since we would also like to use
> rtcsync, this would mean that then also the RTC could be set to the wrong
> time and we'd therefore have no means to recover, and activating rtcsync
> only afterwards is unfortunately not supported.
You could disable automatic steps by removing the makestep directive
from the config and execute chronyc makestep in a script after
verifying that the offset printed by chronyc tracking is acceptable.
See other recommendations in the FAQ:
https://chrony-project.org/faq.html#_how_can_i_make_the_system_clock_more_secure
--
Miroslav Lichvar
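The gated-step approach from the reply above (no makestep in chrony.conf, a script that checks chronyc tracking and only then runs chronyc makestep), combined with the last-known-good time check from the original question, as an added example that is not code from the chrony project or from either poster. It assumes a hypothetical LKG_FILE holding a Unix epoch written once a day, and the constructed tracking output at the end is sample data.

```sh
#!/bin/sh
# Added example, not chrony project code: refuse to step the clock unless
# chronyd is synchronised, the offset is within bounds, and the resulting
# time is not earlier than the last-known-good (LKG) epoch.
LKG_FILE=${LKG_FILE:-/var/lib/ntp-lkg/epoch}   # hypothetical path, written daily
MAX_OFFSET=${MAX_OFFSET:-3600}                  # largest |offset| (s) we will step

# step_allowed TRACKING NOW LKG MAXOFF
#   TRACKING: text of `chronyc tracking`; NOW: current epoch;
#   LKG: last-known-good epoch; MAXOFF: max acceptable offset in seconds.
# Prints a verdict; exit 0 means stepping is acceptable, 1 means refuse.
step_allowed() {
    printf '%s\n' "$1" | awk -v now="$2" -v lkg="$3" -v maxoff="$4" '
        /^Reference ID/ { refid = $4 }
        /^System time/  { off = $4 + 0; dir = $6 }  # "N seconds fast|slow of NTP time"
        /^Leap status/  { leap = $4 }
        END {
            if (leap != "Normal" || refid == "00000000") {
                print "refuse: chronyd not synchronised"; exit 1 }
            if (dir == "") { print "refuse: no System time line"; exit 1 }
            if (off > maxoff) {
                printf "refuse: offset %.3f s exceeds %.3f s\n", off, maxoff; exit 1 }
            # clock fast => true time is earlier; clock slow => true time is later
            est = (dir == "fast") ? now - off : now + off
            if (est < lkg) {
                printf "refuse: NTP time %d earlier than last-known-good %d\n", est, lkg; exit 1 }
            printf "ok: NTP time %d, offset %.6f s %s\n", est, off, dir; exit 0
        }'
}

# Live mode only on explicit request, so running the file by itself has no side effects.
run_live() {
    lkg=$(cat "$LKG_FILE" 2>/dev/null || echo 0)
    step_allowed "$(chronyc tracking)" "$(date +%s)" "$lkg" "$MAX_OFFSET" || exit 1
    chronyc makestep    # step now; chronyd never steps on its own without makestep
}

# Constructed sample of `chronyc tracking` output (not captured from a real host).
SAMPLE_TRACKING='Reference ID    : C0A80001 (ntp.example.com)
Stratum         : 2
System time     : 0.000012345 seconds fast of NTP time
Leap status     : Normal'

if [ "${1:-}" = "--live" ]; then
    run_live
else
    step_allowed "$SAMPLE_TRACKING" 1770275186 1769000000 "$MAX_OFFSET"
fi
```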