From 8882fb21e0e4effcfbf782da965c9d73efe03c51 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 22 Jun 2020 14:45:42 +0200
Subject: [PATCH] example: update chrony.conf examples

Add some new directives, remove dumponexit (it's a no-op), remove broadcast (to not encourage its use), fix a typo, and remove a OS-specific limitation.
---
 examples/chrony.conf.example2 | 6 ++++
 examples/chrony.conf.example3 | 52 +++++++++++++++++++++++------------
 2 files changed, 41 insertions(+), 17 deletions(-)

diff --git a/examples/chrony.conf.example2 b/examples/chrony.conf.example2
index 21be153..6628236 100644
--- a/examples/chrony.conf.example2
+++ b/examples/chrony.conf.example2
@@ -25,9 +25,15 @@ rtcsync
 # Serve time even if not synchronized to a time source.
 #local stratum 10
 
+# Require authentication (nts or key option) for all NTP sources.
+#authselectmode require
+
 # Specify file containing keys for NTP authentication.
 #keyfile /etc/chrony.keys
 
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
 # Get TAI-UTC offset and leap seconds from the system tz database.
 #leapsectz right/UTC
 
diff --git a/examples/chrony.conf.example3 b/examples/chrony.conf.example3
index c04f871..5e0f630 100644
--- a/examples/chrony.conf.example3
+++ b/examples/chrony.conf.example3
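Review bot: The new `ntsdumpdir /var/lib/chrony` line in example2 is active, unlike the neighbouring `#authselectmode` and `#keyfile` entries, yet its one-line comment says nothing about what the directory must provide. The files written there hold NTS keys and cookies, so the directory has to be writable by the account chronyd runs as and presumably should not be readable by other local users; I would extend the comment to `# Save NTS keys and cookies (directory must be writable by chronyd and not world-readable).` The same caveat applies to the longer ntsdumpdir paragraph added in the example3 hunk below, which also enables the directive without mentioning ownership or permissions.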
@@ -57,6 +57,20 @@
 
 ! maxdrift 100
 
+# By default, chronyd allows synchronisation to an unauthenticated NTP
+# source (i.e. specified without the nts and key options) if it agrees with
+# a majority of authenticated NTP sources, or if no authenticated source is
+# specified. If you don't want chronyd to ever synchronise to an
+# unauthenticated NTP source, uncomment the first from the following lines.
+# If you don't want to synchronise to an unauthenticated NTP source only
+# when an authenticated source is specified, uncomment the second line.
+# If you want chronyd to ignore authentication in the source selection,
+# uncomment the third line.
+
+! authselectmode require
+! authselectmode prefer
+! authselectmode ignore
+
 #######################################################################
 ### FILENAMES ETC
 # Chrony likes to keep information about your computer's clock in files.
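Review bot: The sentence describing the second option, `# If you don't want to synchronise to an unauthenticated NTP source only / # when an authenticated source is specified, uncomment the second line.`, is hard to parse because "only" can attach to either clause, and "the first from the following lines" is also awkward. I would rephrase the two sentences as `# If you never want chronyd to synchronise to an unauthenticated NTP source, uncomment the first of the following lines. If unauthenticated sources should be rejected only while at least one authenticated source is specified, uncomment the second line.` Since the paragraph already states that the default prefers a majority of authenticated sources, it may also help to say explicitly that the third line (`ignore`) drops that preference and is therefore the least strict of the three.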
@@ -72,22 +86,37 @@ driftfile /var/lib/chrony/drift
 
 ! keyfile /etc/chrony.keys
 
+# If you specify an NTP server with the nts option to enable authentication
+# with the Network Time Security (NTS) mechanism, or enable server NTS with
+# the ntsservercert and ntsserverkey directives below, the following line will
+# allow the client/server to save the NTS keys and cookies in order to reduce
+# the number of key establishments (NTS-KE sessions).
+
+ntsdumpdir /var/lib/chrony
+
+# If chronyd is configured to act as an NTP server and you want to enable NTS
+# for its clients, you will need a TLS certificate and private key. Uncomment
+# and edit the following lines to specify the locations of the certificate and
+# key.
+
+! ntsservercert /etc/.../foo.example.net.crt
+! ntsserverkey /etc/.../foo.example.net.key
+
 # chronyd can save the measurement history for the servers to files when
-# it it exits. This is useful in 2 situations:
+# it exits. This is useful in 2 situations:
 #
-# 1. On Linux, if you stop chronyd and restart it with '-r' (e.g. after
+# 1. If you stop chronyd and restart it with the '-r' option (e.g. after
 # an upgrade), the old measurements will still be relevant when chronyd
 # is restarted. This will reduce the time needed to get accurate
-# gain/loss measurements, especially with a dial-up link.
+# gain/loss measurements.
 #
-# 2. Again on Linux, if you use the RTC support and start chronyd with
+# 2. On Linux, if you use the RTC support and start chronyd with
 # '-r -s' on bootup, measurements from the last boot will still be
 # useful (the real time clock is used to 'flywheel' chronyd between
 # boots).
 #
-# Enable these two options to use this.
+# Uncomment the following line to use this.
 
-! dumponexit
 ! dumpdir /var/lib/chrony
 
 # chronyd writes its process ID to a file. If you try to start a second
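Review bot: The paragraph introducing `! ntsservercert` and `! ntsserverkey` explains that server NTS needs a TLS certificate and private key but gives no guidance on protecting the key file, which is the one piece of this template an administrator is most likely to copy verbatim. A short addition after the word `key.`, such as `# The private key file should be readable only by the user chronyd runs as.`, would keep a copied example from ending up with a world-readable key. The ntsdumpdir paragraph in the same hunk has the matching gap for the directory that receives the saved keys and cookies.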
@@ -135,8 +164,6 @@ driftfile /var/lib/chrony/drift
 #######################################################################
 ### ACTING AS AN NTP SERVER
 # You might want the computer to be an NTP server for other computers.
-# e.g. you might be running chronyd on a dial-up machine that has a LAN
-# sitting behind it with several 'satellite' computers on it.
 #
 # By default, chronyd does not allow any clients to access it. You need
 # to explicitly enable access using 'allow' and 'deny' directives.
@@ -152,15 +179,6 @@ driftfile /var/lib/chrony/drift
 # You can have as many allow and deny directives as you need. The order
 # is unimportant.
 
-# If you want chronyd to act as an NTP broadcast server, enable and edit
-# (and maybe copy) the following line. This means that a broadcast
-# packet is sent to the address 192.168.1.255 every 60 seconds. The
-# address MUST correspond to the broadcast address of one of the network
-# interfaces on your machine. If you have multiple network interfaces,
-# add a broadcast line for each.
-
-! broadcast 60 192.168.1.255
-
 # If you want to present your computer's time for others to synchronise
 # with, even if you don't seem to be synchronised to any NTP servers
 # yourself, enable the following line. The value 10 may be varied