Hi there, I'm trying to configure chrony on Debian. I need a client, a server and a packet authentication system (SHA2). If I understand correctly, I can't use OpenSSL (because the licence is not compatible with Chrony's GPL licence), so I need to use NSS. Am I right?
For information, my server's IP is 192.168.81.130, and my client's IP is 192.168.81.131.

This is what I did:

1/ Installation script (Server and Client):
------------------------------------------------------------------------------
apt-get -y install build-essential libnss3 libnss3-dev
cd /tmp
wget http://download.tuxfamily.org/chrony/chrony-2.1.1.tar.gz
tar zxvf chrony-2.1.1.tar.gz
cd chrony-2.1.1
./configure --prefix=/etc/chrony
make
make install
------------------------------------------------------------------------------

2/ Server configuration (/etc/chrony.conf)
------------------------------------------------------------------------------
bindaddress 192.168.81.130
bindcmdaddress 127.0.0.1

# IPv4/IPv6:
server clock.nyc.he.net iburst
server clock.sjc.he.net iburst

# IPv4 only:
server time.keneli.org iburst
server bonehed.lcs.mit.edu iburst
server gnomon.cc.columbia.edu iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Enable kernel RTC synchronization.
rtcsync

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 100 seconds.
makestep 100 3

# Allow client access from local network.
allow 192.168.81.0/24

# Serve time even if not synchronized to any NTP server.
local stratum 6

keyfile /etc/chrony/chrony.keys

# Specify the key used as password for chronyc.
commandkey 1
cmdallow 127.0.0.1

# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5

logdir /var/log/chrony
log measurements statistics tracking
------------------------------------------------------------------------------

3/ Server's keyfile (/etc/chrony/chrony.keys)
------------------------------------------------------------------------------
1 titi
42 SHA256 HEX:80e8fc5240260a81d163434234af1603c9e78c04020dc9822821ad41e41eb414
------------------------------------------------------------------------------

4/ Client's configuration
------------------------------------------------------------------------------
server 192.168.81.130 key 42
driftfile /var/lib/chrony/drift
rtcsync
keyfile /etc/chrony/chrony.keys
commandkey 2
cmdallow 127.0.0.1
initstepslew 20 192.168.81.130
logchange 0.5
logdir /var/log/chrony
log measurements statistics tracking
------------------------------------------------------------------------------

3/ Client's keyfile (/etc/chrony/chrony.keys)
------------------------------------------------------------------------------
1 toto
42 SHA256 HEX:80e8fc5240260a81d163434234af1603c9e78c04020dc9822821ad41e41eb414
------------------------------------------------------------------------------

Now, when I'm starting chrony, this is what I see (from the client, or from the server, it's the same error):

root@client-chrony:~# /etc/chrony/sbin/chronyd -d
2015-10-15T15:52:43Z chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)
2015-10-15T15:52:43Z Unknown hash function in key 42
2015-10-15T15:52:43Z Frequency -0.074 +/- 1000000.000 ppm read from /var/lib/chrony/drift
2015-10-15T15:52:47Z System's initial offset : 0.668897 seconds fast of true (slew)
2015-10-15T15:52:49Z Source 192.168.81.130 added with unknown key 42

"Unknown hash function in key 42"

So I suppose NSS isn't linked directly during the compilation, right? But what is the correct option to set? Because when I read the "configuration" file, this is what I find:

  --disable-sechash      Disable support for hashes other than MD5
  --without-nss          Don't use NSS even if it is available
  --without-tomcrypt     Don't use libtomcrypt even if it is available

Only "disable or without" things. So how can I configure Chrony to use NSS?

For information, I have the same problem when I use "SHA1", but everything is OK when I use MD5. Strange, no?

Thanks a lot for your answers.

PS: Sorry for my English level, it's not my mother tongue at all.
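
Added example, not part of the original post: a shell check that compares the feature list chronyd prints at startup with the hash names in a key file, and lists the keys that a build reporting -SECHASH cannot use. It assumes key file lines of the form `ID [HASH] KEY` with MD5 as the default when no hash is named; the function names and the sample key values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the post or from the chrony project.

# Succeed if the chronyd startup banner in $1 lists +SECHASH.
has_sechash() {
    case "$1" in
        *+SECHASH*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Read a key file on stdin and print "ID HASH" for every key that the
# build described by banner $1 cannot use. Prints nothing when the build
# supports hashes other than MD5.
unusable_keys() {
    if has_sechash "$1"; then
        return 0
    fi
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        NF >= 3 {                        # assumed layout: ID HASH KEY
            h = toupper($2)
            if (h != "MD5") print $1, h
        }
    '                                    # two-field lines (ID KEY) are MD5
}

# Feature list as it appears in the startup line quoted in the post.
SAMPLE_BANNER='chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)'

# Constructed key file; the key values are placeholders, not real keys.
SAMPLE_KEYS='# constructed sample
1 examplepassword
7 sha1 HEX:0000000000000000000000000000000000000000
42 SHA256 HEX:0000000000000000000000000000000000000000000000000000000000000000
43 MD5 HEX:00000000000000000000000000000000'

echo "Keys this build cannot use:"
printf '%s\n' "$SAMPLE_KEYS" | unusable_keys "$SAMPLE_BANNER"
```

On a live system, the banner argument would be the first line printed by `chronyd -d` and the key file would be fed on stdin.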