From 789817cd91695cbb9e8b4f1e90a0393c147c2c70 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 7 Jul 2021 16:45:46 +0200 Subject: [PATCH] doc: improve ntsserverkey/cert description The files are read after dropping root privileges. They need to be readable by the chrony user. The error message "Could not set credentials : Error while reading file." does not make this requirement very obvious. --- doc/chrony.conf.adoc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc index 9134fb5..bd4f70d 100644 --- a/doc/chrony.conf.adoc +++ b/doc/chrony.conf.adoc @@ -1604,7 +1604,8 @@ The port will be open only when a certificate and key is specified by the This directive specifies a file containing a certificate in the PEM format for *chronyd* to operate as an NTS server. The file should also include any intermediate certificates that the clients will need to validate the -server's certificate. +server's certificate. The file needs to be readable by the user under which +*chronyd* is running after dropping root privileges. + This directive can be used multiple times to specify multiple certificates for different names of the server. @@ -1616,7 +1617,9 @@ recommended for a near-seamless server operation. [[ntsserverkey]]*ntsserverkey* _file_:: This directive specifies a file containing a private key in the PEM format -for *chronyd* to operate as an NTS server. +for *chronyd* to operate as an NTS server. The file needs to be readable by +the user under which *chronyd* is running after dropping root privileges. For +security reasons, it should not be readable by other users. + This directive can be used multiple times to specify multiple keys. The number of keys must be the same as the number of certificates and the corresponding
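Review bot: the added sentence in the ntsservercert hunk states the requirement but not how a misconfiguration shows up, even though the commit message says the only symptom is "Could not set credentials : Error while reading file."; consider quoting that message in the documentation so a reader searching for it lands on this requirement, e.g. "If the file is not readable after privileges are dropped, *chronyd* reports Could not set credentials : Error while reading file."

Review bot: "it should not be readable by other users" in the ntsserverkey hunk is imprecise about what is acceptable, and read together with the preceding sentence it can look contradictory when the file is owned by root; spell out the intended ownership and mode instead, e.g. "owned by the user *chronyd* runs as, with mode 0600, or 0640 with a group that only that user belongs to", so the two requirements (readable after dropping privileges, not readable by others) are clearly satisfiable at the same time.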