Hi,
sorry for thread necromancy...
On Wed, Apr 08, 2020 at 10:42:09AM +0200, Miroslav Lichvar wrote:
> What I meant, if someone for example had at home a stratum 1 server
> (e.g. synchronized to GPS) and they trusted everything and everyone in
> their local network, it would make sense to still use the server
> (without NTS) in addition to any external time servers authenticated
> by NTS.
>
> The question is if we need to change the default value of the PEERNTP
> option. There could be a new default which adds the servers provided
> by DHCP only if chronyd is not using any servers with enabled
> authentication.
Aside: the PEERNTP option seems to be very weakly documented. After
some searching I found [1, 2] and [3]. Some up-to-date documentation would
be necessary if users are expected to configure this.
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[2] https://docs.fedoraproject.org/en-US/Fedora/26/html/System_Administrators...
[3] https://bugzilla.redhat.com/show_bug.cgi?id=809367
It sounds like PEERNTP should be a per-interface setting. If I'm
connecting to a trusted network or VPN, I might want to use and trust
the provided NTP servers. If connecting to a public network, don't trust
and use NTS to verify servers.
Also, what software supports /etc/sysconfig/network? I think we currently
have initscripts-network, NetworkManager, systemd-networkd in Fedora.
From the original proposal:
> Computers with no RTC (e.g. some ARM boards), or RTC that is too far
> from the real time, will fail to verify TLS certificates.
Making NTP not work on boards without RTC could impact a large number
of such users, and also those who have flaky RTCs. Right now they can
simply use NTP to update the clock after boot, and with this proposal
that'd be broken... In my experience, bug reports that stem from broken
RTC are somewhat frequent (e.g. journalctl doesn't handle the case of
a jumping clock very well, and we get reports about this fairly regularly).
So I think handling the no-RTC case gracefully would be a requirement
to make NTS enabled by default.
> An option could be added to disable the time checks before the
> first update of the clock. This would have an impact on security.
... how would that look? It'd need support in chrony itself, right?
Would upstream accept such code?
Zbyszek