13.2.4. Security with chronyc
As access to chronyc allows changing chronyd just as editing the configuration files would, access to chronyc should be limited. Passwords can be specified in the key file, written in ASCII or HEX, to restrict the use of chronyc. One of the entries is used to restrict the use of operational commands and is referred to as the command key. In the default configuration, a random command key is generated automatically on start. It should not be necessary to specify or alter it manually.
Other entries in the key file can be used as NTP keys to authenticate packets received from remote NTP servers or peers. The two sides need to share a key with identical ID, hash type and password in their key file. This requires manually creating the keys and copying them over a secure medium, such as SSH. If the key ID was, for example, 10 then the systems that act as clients must have a line in their configuration files in the following format:
server w.x.y.z key 10
peer w.x.y.z key 10
The location of the key file is specified in the /etc/chrony.conf file. The default entry in the configuration file is:
keyfile /etc/chrony.keys
The command key number is specified in /etc/chrony.conf using the commandkey directive; it is the key chronyd will use for authentication of user commands. The directive in the configuration file takes the following form:
commandkey 1
An example of the format of the default entry in the key file, /etc/chrony.keys, for the command key is:
1 SHA1 HEX:A6CFC50C9C93AB6E5A19754C246242FC5471BCDF
Where 1 is the key ID, SHA1 is the hash function to use, HEX is the format of the key, and A6CFC50C9C93AB6E5A19754C246242FC5471BCDF is the key randomly generated when chronyd was started for the first time. The key can be given in hexadecimal or ASCII format (the default).
A manual entry in the key file, used to authenticate packets from certain NTP servers or peers, can be as simple as the following:
20 foobar
Where 20 is the key ID and foobar is the secret authentication key. The default hash is MD5, and ASCII is the default format for the key.
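The following is an added check, not part of this documentation or of chrony itself: it parses key file entries in the format described above (ID, optional hash defaulting to MD5, optional HEX:/ASCII: prefix defaulting to ASCII) and cross-checks the key IDs referenced by commandkey, server and peer lines in chrony.conf against them, flagging references to missing keys and NTP keys still on the default MD5 hash. The sample files are constructed, and the hash names beyond MD5 and SHA1 are an assumption about what chronyd accepts.

```python
# Constructed sample key file and chrony.conf fragment; not taken from any real host.
SAMPLE_KEYS = """\
# command key generated by chronyd at first start
1 SHA1 HEX:A6CFC50C9C93AB6E5A19754C246242FC5471BCDF
20 foobar
21 SHA1 ASCII:sharedsecret
"""
SAMPLE_CONF = """\
commandkey 1
server ntp1.example.com key 20
peer 192.0.2.10 key 22
"""
# Assumption: hash names chronyd accepts (this page itself shows only MD5 and SHA1).
HASHES = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}

def parse_key_line(line):
    """Parse 'ID [HASH] [HEX:|ASCII:]secret'; the defaults are MD5 and ASCII."""
    parts = line.split()
    if len(parts) == 2:                     # hash omitted: MD5 is the default
        parts.insert(1, "MD5")
    if len(parts) != 3 or not parts[0].isdigit() or parts[1].upper() not in HASHES:
        raise ValueError(f"malformed key line: {line!r}")
    kid, hashname, key = int(parts[0]), parts[1].upper(), parts[2]
    fmt, secret = "ASCII", key              # no prefix means ASCII
    if key.startswith("HEX:"):
        fmt, secret = "HEX", key[4:]
        if not secret or len(secret) % 2 or any(c not in "0123456789abcdefABCDEF" for c in secret):
            raise ValueError(f"key {kid}: HEX secret must be whole bytes in hex")
    elif key.startswith("ASCII:"):
        secret = key[6:]
    return kid, hashname, fmt, secret

def load_keys(text):
    """Return {key ID: (hash, format, secret)}, skipping blank and comment lines."""
    wanted = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {k: (h, f, s) for k, h, f, s in map(parse_key_line, wanted)}

def audit(conf_text, keys):
    """Check every key ID chrony.conf references exists; flag keys still on MD5."""
    findings = []
    for parts in (l.split() for l in conf_text.splitlines()):
        if parts and parts[0] == "commandkey" and int(parts[1]) not in keys:
            findings.append(f"commandkey {parts[1]} is missing from the key file")
        elif parts and parts[0] in ("server", "peer") and "key" in parts:
            ref = int(parts[parts.index("key") + 1])
            if ref not in keys:
                findings.append(f"{parts[0]} {parts[1]} references missing key {ref}")
            elif keys[ref][0] == "MD5":
                findings.append(f"{parts[0]} {parts[1]} uses key {ref} with MD5")
    return findings
```

Run against the real files by reading /etc/chrony.keys and /etc/chrony.conf into the two arguments; an empty list from audit means every referenced key exists and none is on MD5.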
By default, chronyd is configured to listen for commands only from localhost (127.0.0.1 and ::1) on port 323. To access chronyd remotely with chronyc, any bindcmdaddress directives in the /etc/chrony.conf file should be removed to enable listening on all interfaces and the cmdallow directive should be used to allow commands from the remote IP address, network, or subnet. In addition, port 323 has to be opened in the firewall in order to connect from a remote system. Note that the allow directive is for NTP access whereas the cmdallow directive is to enable the receiving of remote commands. It is possible to make these changes temporarily using chronyc running locally. Edit the configuration file to make persistent changes.
The communication between chronyc and chronyd is done over UDP, so it needs to be authorized before issuing operational commands. To authorize, use the authhash and password commands as follows:
chronyc> authhash SHA1
chronyc> password HEX:A6CFC50C9C93AB6E5A19754C246242FC5471BCDF
200 OK
If chronyc is used to configure the local chronyd, the -a option will run the authhash and password commands automatically.
Only the following commands can be used without providing a password: activity, authhash, dns, exit, help, password, quit, rtcdata, sources, sourcestats, tracking, waitsync.