Closed macifell closed 2 years ago
The naming of the config file has been altered to allow for override config files to be created easily.
To permanently fall back to insecure NTP:
echo "authselectmode ignore" | sudo tee /etc/chrony/conf.d/20-disable-nts.conf
sudo systemctl restart chrony
To permanently harden the system so that the certificates are always checked (this will require the clock to be manually set if the time ever gets way off):
echo "nocerttimecheck 0" | sudo tee /etc/chrony/conf.d/20-always-check-certs.conf
sudo systemctl restart chrony
These custom config files for chrony do two things:

For more on `authselectmode` see the following: https://chrony.tuxfamily.org/doc/4.2/chrony.conf.html#authselectmode

I considered using `mix` instead of `prefer`, but it doesn't change much except potentially increasing the accuracy slightly. In my testing it never seemed to actually incorporate any of the insecure NTP pool servers into the time calculations with either value anyway.

There is an important consideration for a computer that lacks an RTC (like a Raspberry Pi), or if a system just starts out with the wrong time. It is possible the system clock will be too far out of sync to accept the server certificates when it starts up. There are a few ways around this.
This will stop chrony from validating the server certificates until the clock has been initially set after booting, but it is also a less secure option - which is why I did not add it to the configuration.
More on this: https://chrony.tuxfamily.org/faq.html#_using_nts
Some downsides to the current approach:
`chronyc` command needs to be issued) before these config files will be used on an existing install.

Ideally I would like to have a switch somewhere in the UI to disable NTS and fall back to insecure NTP (or vice versa) that would persist even if this package were reinstalled/updated, though it seems like a lot of effort and I'm not sure how useful it will really be.
However, a temporary fallback to insecure NTP is possible with the following commands:
and to restore NTS:
One thing I am curious about, but haven't been able to test, is how this behaves on a brand new system. I'm not sure what the clock will be set to on a new system and at what point it will get its initial update.
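The following is an added example, not code from the PR or from the project: a small POSIX shell helper that writes or removes the two override drop-ins described above (`20-disable-nts.conf` with `authselectmode ignore`, and `20-always-check-certs.conf` with `nocerttimecheck 0`) and reports which value of a directive chrony would actually end up with. The drop-in directory, file names and directives come from the PR text; the function names, the `CHRONY_CONFD` / `CHRONY_RESTART` variables and the assumption that chrony keeps the last occurrence of a single-valued directive read across the `conf.d` files are this example's own.

```shell
#!/bin/sh
# Added example (not part of the PR or the project). Paths and directives
# follow the PR text: /etc/chrony/conf.d, 20-disable-nts.conf containing
# "authselectmode ignore", 20-always-check-certs.conf containing
# "nocerttimecheck 0". Function/variable names are this example's own.
# Assumption: chrony applies the last occurrence of a single-valued
# directive seen across the conf.d files (read in lexicographical order).

CHRONY_CONFD="${CHRONY_CONFD:-/etc/chrony/conf.d}"   # point elsewhere for testing

FALLBACK_FILE="20-disable-nts.conf"        # holds "authselectmode ignore"
STRICT_FILE="20-always-check-certs.conf"   # holds "nocerttimecheck 0"

# set_nts_mode MODE [DIR]
#   fallback : permanently fall back to unauthenticated NTP
#   strict   : always validate server certificates, even right after boot
#   default  : remove both drop-ins so the package defaults apply again
# The two modes pull in opposite directions, so the other file is removed.
set_nts_mode() {
    mode="$1"
    dir="${2:-$CHRONY_CONFD}"
    mkdir -p "$dir" || return 1
    case "$mode" in
        fallback)
            rm -f "$dir/$STRICT_FILE"
            printf 'authselectmode ignore\n' > "$dir/$FALLBACK_FILE"
            ;;
        strict)
            rm -f "$dir/$FALLBACK_FILE"
            printf 'nocerttimecheck 0\n' > "$dir/$STRICT_FILE"
            ;;
        default)
            rm -f "$dir/$FALLBACK_FILE" "$dir/$STRICT_FILE"
            ;;
        *)
            echo "usage: set_nts_mode fallback|strict|default [dir]" >&2
            return 2
            ;;
    esac
    # Restart only when explicitly requested (CHRONY_RESTART=1), so the
    # functions can be exercised on a machine without chrony installed.
    if [ "${CHRONY_RESTART:-0}" = 1 ]; then
        systemctl restart chrony
    fi
}

# effective_directive NAME [DIR]
# Print the value of NAME that remains after reading every *.conf drop-in in
# lexicographical order, keeping the last occurrence (see assumption above).
# Prints nothing and returns 1 if the directive is not set in any drop-in.
effective_directive() {
    name="$1"
    dir="${2:-$CHRONY_CONFD}"
    value=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Strip the directive keyword and keep the last matching line in the file.
        v=$(sed -n "s/^[[:space:]]*$name[[:space:]]\{1,\}//p" "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}
```

Run with a scratch directory first (`set_nts_mode fallback /tmp/confd && effective_directive authselectmode /tmp/confd`) to see what would be written; on a real host, call it with sudo and `CHRONY_RESTART=1` so chrony picks up the new drop-in, and re-check with `effective_directive` that no other `conf.d` file silently overrides the value you just set.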