Chrony symmetric authentication

Chrony

Chrony is a fast, capable implementation of NTP that runs both as a time synchronization client and as a time server. In this article we configure a chrony server and a chrony client to use symmetric-key authentication. Refer to the solution section for the details.

Topic

  • How to configure chrony for symmetric authentication?
  • Chrony symmetric authentication.
  • How to configure chrony authentication?
  • How to encrypt NTP traffic using chrony?

apt

  • CentOS
  • RHEL
  • Scientific Linux
  • Debian
  • Ubuntu

Solution


LAB details

  • Both the server and the client system use chrony for time synchronization.
  • Chrony server IP address 192.168.0.1
  • Client subnet 192.168.0.0/16


Chrony server configuration

  1. Configuration snippet of /etc/chrony.conf:

    $ cat /etc/chrony.conf

    server 0.asia.pool.ntp.org
    server 1.asia.pool.ntp.org
    server 2.asia.pool.ntp.org
    server 3.asia.pool.ntp.org

    driftfile /var/lib/chrony/drift
    makestep 1.0 3
    rtcsync

    allow 192.168.0.0/16 # Makes chrony act as an NTP server and allows clients in the 192.168.0.0/16 network to synchronize.

    keyfile /etc/chrony.keys # The file in which all symmetric keys used for authentication are stored.
    logdir /var/log/chrony

  2. How symmetric keys are generated, from the chronyc manual page:

    $ man chronyc

    keygen [id [type [bits]]]

    The keygen command generates a key that can be added to the key file (specified with the keyfile directive) to allow NTP authentication between server and client, or peers. The key is generated from the /dev/urandom device and it is printed to standard output.

    The command has three optional arguments. The first argument is the key number (by default 1), which will be specified with the key option of the server or peer directives in the configuration file. The second argument is the hash function (by default SHA1 or MD5 if SHA1 is not available) and the third argument is the number of bits the key should have, between 80 and 4096 bits (by default 160 bits).

    An example is:
    keygen 73 SHA1 256

    which generates a 256-bit SHA1 key with number 73. The printed line should then be securely transferred and added to the key files on both server and client, or peers.

  3. Create the symmetric key on the chrony server; this key will be used by all client systems for symmetric authentication.

    $ chronyc keygen 80 SHA1 256

  4. Once the key is generated by the above command, copy the command output into the /etc/chrony.keys file.

  5. The file /etc/chrony.keys should look like the following after adding the symmetric key:

    $ cat /etc/chrony.keys
    80 SHA1 HEX:R9ZXC9AF7E268212346789A9BDC498D5D5EF89271F05C65AB7D86CDD3B0B57809010

  6. Now restart the chrony service on the server system.


Chrony Client configuration

  1. Copy the same symmetric key line from the server system into the /etc/chrony.keys file on the client system.
  2. The file /etc/chrony.keys should look like the following after adding the symmetric key:

    $ cat /etc/chrony.keys
    80 SHA1 HEX:R9ZXC9AF7E268212346789A9BDC498D5D5EF89271F05C65AB7D86CDD3B0B57809010

  3. Uncomment the line keyfile /etc/chrony.keys in the /etc/chrony.conf file.
  4. Make sure the server line on the client system carries the key ID, so that the client authenticates its exchanges with the chrony NTP server:

    server 192.168.0.1 key 80 iburst

Note:
192.168.0.1 is the NTP server IP address and 80 is the key ID present in /etc/chrony.keys.

  5. The final configuration should look like the following:

    $ cat /etc/chrony.conf
    server 192.168.0.1 key 80 iburst
    driftfile /var/lib/chrony/drift
    makestep 1.0 3
    rtcsync
    keyfile /etc/chrony.keys
    logdir /var/log/chrony
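Before restarting chronyd on either side, it is worth checking the key file and the server/peer lines against each other, since a key ID that is missing, mistyped or not valid hex silently leaves the association unauthenticated. The following Python script is an added example, not part of the original post or of chrony itself; it assumes the three-field id/type/HEX:key form used above, reads both files as text, and the sample key file and configuration inside it are constructed for the demonstration.

```python
import re

# Key types chrony's key file accepts (assumption: list taken from chrony docs)
KEY_TYPES = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
KEY_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")   # three-field form only

# Constructed sample files, not from the page: id 80 is sound, 81 and 82 are not
SAMPLE_KEYS = "\n".join([
    "80 SHA1 HEX:" + "0123456789ABCDEF" * 4,  # 256-bit key, as keygen emits
    "81 SHA1 HEX:NOTHEX0011",                 # not hexadecimal
    "82 SHA1 HEX:DEADBEEF",                   # 32 bits, below keygen's 80-bit floor
])
SAMPLE_CONF = "server 192.168.0.1 key 80 iburst\nserver 192.168.0.2 iburst\npeer 192.168.0.3 key 99\n"

def parse_keys(text):
    """Parse chrony.keys content -> ({id: (type, key)}, [problems])."""
    keys, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = KEY_LINE.match(line)
        if not m:
            problems.append(f"keys line {n}: expected 'id type key'")
            continue
        kid, ktype, key = int(m.group(1)), m.group(2).upper(), m.group(3)
        if ktype not in KEY_TYPES:
            problems.append(f"keys line {n}: unknown key type {ktype}")
        if key.startswith("HEX:"):               # keygen prints HEX: keys
            hexpart = key[4:]
            if len(hexpart) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexpart):
                problems.append(f"keys line {n}: key {kid} is not valid hex")
            elif len(hexpart) * 4 < 80:
                problems.append(f"keys line {n}: key {kid} shorter than 80 bits")
        keys[kid] = (ktype, key)
    return keys, problems

def check_conf(conf_text, keys):
    """Each server/peer line needs 'key N' with N present in the key file."""
    problems = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] not in ("server", "peer"):
            continue
        kid = tok[tok.index("key", 2) + 1] if "key" in tok[2:-1] else None
        if kid is None:
            problems.append(f"{tok[0]} {tok[1]}: no key option, unauthenticated")
        elif not kid.isdigit() or int(kid) not in keys:
            problems.append(f"{tok[0]} {tok[1]}: key id {kid} not in key file")
    return problems
```

Run it against the real files with `parse_keys(open("/etc/chrony.keys").read())` and `check_conf(open("/etc/chrony.conf").read(), keys)` on both the server and the client; an empty problem list on both hosts means the key IDs line up.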

Testing

# chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.1                   3   6   377    13  -2207us[-1981us] +/-  158ms

About the Author: TekFik

TekFik is a technical blogging site that helps techies and engineers solve their day-to-day issues and also lets everyone share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
