diff --git a/examples/chrony.conf.example2 b/examples/chrony.conf.example2
index 7c61b0a..659d676 100644
--- a/examples/chrony.conf.example2
+++ b/examples/chrony.conf.example2
@@ -18,14 +18,8 @@ rtcsync
 # Serve time even if not synchronized to any NTP server.
 #local stratum 10
 
-# Specify file containing keys for NTP and command authentication.
-keyfile /etc/chrony.keys
-
-# Specify key number for command authentication.
-commandkey 1
-
-# Generate new command key on start if missing.
-generatecommandkey
+# Specify file containing keys for NTP authentication.
+#keyfile /etc/chrony.keys
 
 # Disable logging of client accesses.
 noclientlog
diff --git a/examples/chrony.conf.example3 b/examples/chrony.conf.example3
index 9f2bbe5..1317a11 100644
--- a/examples/chrony.conf.example3
+++ b/examples/chrony.conf.example3
@@ -95,24 +95,10 @@ driftfile /var/lib/chrony/drift
 
 
 
-# If you want to use the program called chronyc to configure aspects of
-# chronyd's operation once it is running (e.g. tell it the Internet link
-# has gone up or down), you need a password. This is stored in the
-# following keys file. (You also need keys to support authenticated NTP
-# exchanges between cooperating machines.) Again, this option is
-# assumed by default.
+# If you want to enable NTP authentication with symmetric keys, you will need
+# to uncomment the following line and edit the file to set up the keys.
 
-keyfile /etc/chrony.keys
-
-# Tell chronyd which numbered key in the file is used as the password
-# for chronyc. (You can pick any integer up to 2**32-1. '1' is just a
-# default. Using another value will _NOT_ increase security.)
-
-commandkey 1
-
-# With this directive a random password will be generated automatically.
-
-generatecommandkey
+! keyfile /etc/chrony.keys
 
 # chronyd can save the measurement history for the servers to files when
 # it it exits. This is useful in 2 situations:
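Review bot: The new comment introducing `! keyfile /etc/chrony.keys` tells the reader to uncomment the directive and edit the keys file, but says nothing about the file holding shared secrets or how it must be protected, while the chrony.keys.example rewritten in this same commit states it should be readable only by root or the user chronyd switches to. Adding a third comment line such as `# The keys file contains shared secrets and should be readable only by root (or the user chronyd switches to).` would keep the two examples consistent. The `#keyfile` comment in the chrony.conf.example2 hunk of this diff has the same gap.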
@@ -262,11 +248,6 @@ generatecommandkey
 # syntax and meaning is the same as for 'allow' and 'deny', except that
 # 'cmdallow' and 'cmddeny' control access to the chronyd's command port.
 
-# NOTE, even if the host where you run chronyc is granted access, you
-# still need a command key set up and you have to know the password to
-# put into chronyc to allow you to modify chronyd's parameters. By
-# default all you can do is view information about chronyd's operation.
-
 #######################################################################
 ### REAL TIME CLOCK
 # chronyd can characterise the system's real-time clock. This is the
diff --git a/examples/chrony.keys.example b/examples/chrony.keys.example
index 1583174..e6660ae 100644
--- a/examples/chrony.keys.example
+++ b/examples/chrony.keys.example
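Review bot: With the NOTE removed, the cmdallow/cmddeny paragraph kept as context no longer says what a host granted command-port access can actually do, and the removed explanation of the password requirement has no replacement. The rest of this commit drops the command key everywhere (chronyc `-a`, `commandkey`, `generatecommandkey`), so presumably the network command port is now limited to monitoring and configuration changes are accepted only over a local channel; if that is the behaviour, a one-line note after the `cmddeny` sentence, e.g. `# Hosts allowed here can only query chronyd; commands that change its configuration are not accepted from the network.`, should take the place of the removed one. The wording should be checked against what chronyd actually permits on the command port in this version.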
@@ -1,29 +1,15 @@
-#######################################################################
+# This is an example chrony keys file. It is used for NTP authentication with
+# symmetric keys. It should be readable only by root or the user to which
+# chronyd is configured to switch to.
 #
-# This is an example chrony keys file. You should copy it to /etc/chrony.keys
-# after editing it to set up the key(s) you want to use. It should be readable
-# only by root or the user chronyd drops the root privileges to. In most
-# situations, you will require a single key (the 'commandkey') so that you can
-# supply a password to chronyc to enable you to modify chronyd's operation
-# whilst it is running.
-#
-# Copyright 2002 Richard P. Curnow
-#
-######################################################################
+# Don't use the example keys! The keys need to be random for maximum security.
+# These shell commands can be used to generate random MD5 and SHA1 keys on
+# systems which have the /dev/urandom device:
+# echo "1 MD5 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 32)"
+# echo "1 SHA1 HEX:$(tr -d -c '[:xdigit:]' < /dev/urandom | head -c 40)"
 
 # Examples of valid keys:
 #1 ALongAndRandomPassword
 #2 MD5 HEX:B028F91EA5C38D06C2E140B26C7F41EC
 #3 SHA1 HEX:1DC764E0791B11FA67EFC7ECBC4B0D73F68A070C
-
-# The keys should be random for maximum security. If you wanted to use a key
-# with ID 1 as your commandkey (i.e. chronyc password) you would put
-# "commandkey 1" into chrony.conf. If no commandkey is present in the keys
-# file and the generatecommandkey directive is specified in chrony.conf,
-# a random commandkey will be generated and added to the keys file
-# automatically on chronyd start.
-
-# You might want to define more keys if you use the authentication facility
-# in the network time protocol to authenticate request/response packets between
-# trusted clients and servers.
 
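Review bot: The two key-generation commands added in the header comment pass `[:xdigit:]` to `tr`, which keeps both upper- and lower-case hex letters, so assuming chronyd reads the HEX value case-insensitively, each kept character carries slightly less than four bits (a letter is twice as likely as a digit) and a 32- or 40-character key falls a few bits short of the 128/160 bits the lengths suggest; restricting the class to one case, `tr -d -c '0-9a-f'`, makes every output character a uniform hex digit. Both example lines also emit key ID `1`, so a reader who pastes both ends up with a duplicate ID; `# echo "2 SHA1 HEX:$(tr -d -c '0-9a-f' < /dev/urandom | head -c 40)"` for the second line avoids that. Separately, "the user to which chronyd is configured to switch to" doubles the preposition; `the user chronyd is configured to switch to` reads cleanly.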
diff --git a/examples/chrony.logrotate b/examples/chrony.logrotate
index e0cd83c..2823a1a 100644
--- a/examples/chrony.logrotate
+++ b/examples/chrony.logrotate
@@ -3,6 +3,6 @@
 nocreate
 sharedscripts
 postrotate
- /usr/bin/chronyc -a cyclelogs > /dev/null 2>&1 || true
+ /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
 endscript
 }
diff --git a/examples/chrony.nm-dispatcher b/examples/chrony.nm-dispatcher
index d23700b..084aed6 100644
--- a/examples/chrony.nm-dispatcher
+++ b/examples/chrony.nm-dispatcher
@@ -6,12 +6,12 @@ export LC_ALL=C
 
 if [ "$2" = "up" ]; then
 /sbin/ip route list dev "$1" | grep -q '^default' &&
- /usr/bin/chronyc -a online > /dev/null 2>&1
+ /usr/bin/chronyc online > /dev/null 2>&1
 fi
 
 if [ "$2" = "down" ]; then
 /sbin/ip route list | grep -q '^default' ||
- /usr/bin/chronyc -a offline > /dev/null 2>&1
+ /usr/bin/chronyc offline > /dev/null 2>&1
 fi
 
 exit 0