Product SiteDocumentation Site

14.2.4. Security with chronyc

As access to chronyc allows changing chronyd just as editing the configuration files would, access to chronyc should be limited. Passwords can be specified in the key file, written in ASCII or HEX, to restrict the use of chronyc. One of the entries is used to restrict the use of operational commands and is referred to as the command key. In the default configuration, a random command key is generated automatically on start. It should not be necessary to specify or alter it manually.
Other entries in the key file can be used as NTP keys to authenticate packets received from remote NTP servers or peers. The two sides need to share a key with identical ID, hash type and password in their key file. This requires manually creating the keys and copying them over a secure medium, such as SSH. If the key ID was, for example, 10 then the systems that act as clients must have a line in their configuration files in the following format:
server w.x.y.z key 10
peer w.x.y.z key 10
The location of the key file is specified in the /etc/chrony.conf file. The default entry in the configuration file is:
keyfile /etc/chrony.keys
The command key number is specified in /etc/chrony.conf using the commandkey directive, it is the key chronyd will use for authentication of user commands. The directive in the configuration file takes the following form:
commandkey 1
An example of the format of the default entry in the key file, /etc/chrony.keys, for the command key is:
1 SHA1 HEX:A6CFC50C9C93AB6E5A19754C246242FC5471BCDF
Where 1 is the key ID, SHA1 is the hash function to use, HEX is the format of the key, and A6CFC50C9C93AB6E5A19754C246242FC5471BCDF is the key randomly generated when chronyd was started for the first time. The key can be given in hexidecimal or ASCII format (the default).
A manual entry in the key file, used to authenticate packets from certain NTP servers or peers, can be as simple as the following:
20 foobar
Where 20 is the key ID and foobar is the secret authentication key. The default hash is MD5, and ASCII is the default format for the key.
By default, chronyd is configured to listen for commands only from localhost ( and ::1) on port 323. To access chronyd remotely with chronyc, any bindcmdaddress directives in the /etc/chrony.conf file should be removed to enable listening on all interfaces and the cmdallow directive should be used to allow commands from the remote IP address, network, or subnet. In addition, port 323 has to be opened in the firewall in order to connect from a remote system. Note that the allow directive is for NTP access whereas the cmdallow directive is to enable the receiving of remote commands. It is possible to make these changes temporarily using chronyc running locally. Edit the configuration file to make persistent changes.
The communication between chronyc and chronyd is done over UDP, so it needs to be authorized before issuing operational commands. To authorize, use the authhash and password commands as follows:
chronyc> authhash SHA1
chronyc> password HEX:A6CFC50C9C93AB6E5A19754C246242FC5471BCDF
200 OK
If chronyc is used to configure the local chronyd, the -a option will run the authhash and password commands automatically.
Only the following commands can be used without providing a password: activity , authhash , dns , exit , help , password , quit , rtcdata , sources , sourcestats , tracking , waitsync .