I've been working on an implementation of the new NTP public-key authentication called Network Time Security (NTS). Its specification will hopefully be finalized in the near future.

If anyone wants to play with it, the code is available here:

https://github.com/mlichvar/chrony-nts

Currently, it can interoperate with itself and a few other NTS implementations which were recently tested at the IETF 104 hackathon. The code is still highly experimental. It needs more work, some redesign, and testing before it can be merged into the official chrony repo.

Nettle and gnutls development files are needed to build chrony with NTS support. Building with --enable-debug and running with the -d -d options should help when things don't work.

Configuration of an NTS server:

  ntsserverkey /etc/chrony/server.key
  ntsservercert /etc/chrony/server.crt

Configuration of an NTS client:

  server foo.example.net iburst nts

If the server's certificate is not signed by one of the system's trusted authorities (e.g. Let's Encrypt), the CA certificate can be specified with the ntscacert directive.

The default NTS-KE port is 11443. It can be changed with the ntsport directive on the server and the ntsport option on the client.

Suggestions are welcome. Please report if you see anything interesting. Successful authentication is interesting too at this point :).

-- 
Miroslav Lichvar
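As an added illustration that is not part of the post or of the chrony-nts code, the snippet below encodes the first NTS-KE client request and parses a server response in the record format later standardized in RFC 8915 (the post predates the final spec, so this goes beyond what it describes). These bytes are what travels inside the TLS session to the NTS-KE port (11443 by default here); the sample response is constructed, and the decoder treats a truncated message or an Error record as fatal for the key exchange.

```python
import struct

# NTS-KE record types (RFC 8915); bit 15 of the type field is the Critical flag
END_OF_MESSAGE, NEXT_PROTO, ERROR, WARNING, AEAD_ALGO, NEW_COOKIE = 0, 1, 2, 3, 4, 5
CRITICAL = 0x8000
NTPV4 = 0                   # Next Protocol ID for NTPv4
AEAD_AES_SIV_CMAC_256 = 15  # AEAD ID every NTS-KE peer must support


def record(rtype, body=b"", critical=False):
    """Encode one record: 16-bit type (+ critical bit), 16-bit body length, body."""
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body


def build_client_request():
    """Request NTPv4 protected with AES-SIV-CMAC-256, as a client sends it
    right after the TLS handshake (ALPN 'ntske/1') on the NTS-KE connection."""
    return (record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
            + record(AEAD_ALGO, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
            + record(END_OF_MESSAGE, critical=True))


def parse_response(data):
    """Split an NTS-KE response into (type, critical, body) records up to End of Message.
    Returns (records, cookies). Raises ValueError on truncation or on an Error record,
    either of which means the client must not use this exchange for NTP authentication."""
    records, cookies, off = [], [], 0
    while off + 4 <= len(data):
        word, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        off += length
        rtype, critical = word & 0x7FFF, bool(word & CRITICAL)
        records.append((rtype, critical, body))
        if rtype == ERROR:
            raise ValueError("server reported NTS-KE error code %d" % struct.unpack("!H", body)[0])
        if rtype == NEW_COOKIE:
            cookies.append(body)
        if rtype == END_OF_MESSAGE:
            return records, cookies
    raise ValueError("response ended without an End of Message record")


# Constructed sample response: server accepts NTPv4 + AES-SIV-CMAC-256 and issues two cookies
SAMPLE_RESPONSE = (record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
                   + record(AEAD_ALGO, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
                   + record(NEW_COOKIE, b"\x01" * 100) + record(NEW_COOKIE, b"\x02" * 100)
                   + record(END_OF_MESSAGE, critical=True))
```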