Thx Miroslav for your answer. If I list all my installed packets, this is what I have:

root@client-chrony:/tmp/chrony-2.1.1# dpkg-query -l | grep nss
ii  insserv  1.14.0-5  amd64  boot sequence organizer using LSB init.d script dependency information
*ii  libnss3:amd64  2:3.14.5-1+deb7u5  amd64  Network Security Service libraries
ii  libnss3-dev  2:3.14.5-1+deb7u5  amd64  Development files for the Network Security Service libraries*
ii  openssh-blacklist  0.4.1+nmu1  all  list of default blacklisted OpenSSH RSA and DSA keys
ii  openssh-blacklist-extra  0.4.1+nmu1  all  list of non-default blacklisted OpenSSH RSA and DSA keys
ii  openssh-client  1:6.0p1-4+deb7u2  amd64  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server  1:6.0p1-4+deb7u2  amd64  secure shell (SSH) server, for secure access from remote machines
ii  openssl  1.0.1e-2+deb7u17  amd64  Secure Socket Layer (SSL) binary and related cryptographic tools
root@client-chrony:/tmp/chrony-2.1.1#

--------------------------------------------------------------------------------------------------------

If I configure again:

root@client-chrony:/tmp/chrony-2.1.1# ./configure --prefix=/etc/chrony
Configuring for Linux-x86_64
Checking for 64-bit time_t : Yes
NTP time mapped to 1965-10-27T20:13:31Z/2101-12-04T02:41:47Z
Checking for math : No
Checking for math in -lm : Yes
Checking for <stdint.h> : Yes
Checking for <inttypes.h> : Yes
Checking for IPv6 support : Yes
Checking for in6_pktinfo : No
Checking for in6_pktinfo with _GNU_SOURCE : Yes
Checking for getaddrinfo() : Yes
Checking for pthread : Yes
Checking for <sys/timepps.h> : No
Checking for <timepps.h> : No
Checking for libcap : No
Checking for <linux/rtc.h> : Yes
Checking for <linux/ptp_clock.h> : Yes
Checking for clock_gettime() : No
Checking for clock_gettime() in -lrt : Yes
Checking for sched_setscheduler() : Yes
Checking for mlockall() : Yes
Checking for editline : No
Checking for readline : No
Checking for readline with -lncurses : No
*Checking for NSS : No*
Checking for tomcrypt : No
Features : +CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG -READLINE +ASYNCDNS +IPV6 *-SECHASH*
Creating Makefile
Creating chrony.conf.5
Creating chrony.texi
Creating chronyc.1
Creating chronyd.8

--------------------------------------------------------------------------------------------------------

If I check the config.log I have this kind of error:

docheck.c:
#include <nss.h>
#include <hasht.h>
#include <nsslowhash.h>
int main(int argc, char **argv) {
NSSLOWHASH_Begin(NSSLOWHASH_NewContext(NSSLOW_Init(), HASH_AlgSHA512));
return 0; }
gcc -O2 -g -Wmissing-prototypes -Wall -pthread -o docheck docheck.c -lfreebl3
*docheck.c:2:19: fatal error: hasht.h: Aucun fichier ou dossier de ce type*
compilation terminated.

--------------------------------------------------------------------------------------------------------

If I try to access the NSS include directory:

root@client-chrony:/tmp# cd /usr/include/nss/
root@client-chrony:/usr/include/nss# l
total 1196
-rw-r--r-- 1 root root  1226 août 16 20:30 base64.h
-rw-r--r-- 1 root root 12071 août 16 20:30 blapit.h
-rw-r--r-- 1 root root  2511 août 16 20:30 certdb.h
-rw-r--r-- 1 root root 53104 août 16 20:30 cert.h
-rw-r--r-- 1 root root 44798 août 16 20:30 certt.h
-rw-r--r-- 1 root root  2386 août 16 20:30 ciferfam.h
-rw-r--r-- 1 root root 43019 août 16 20:30 cmmf.h
-rw-r--r-- 1 root root  2392 août 16 20:30 cmmft.h
-rw-r--r-- 1 root root 38799 août 16 20:30 cms.h
-rw-r--r-- 1 root root   954 août 16 20:30 cmsreclist.h
-rw-r--r-- 1 root root 17359 août 16 20:30 cmst.h
-rw-r--r-- 1 root root 63980 août 16 20:30 crmf.h
-rw-r--r-- 1 root root  5601 août 16 20:30 crmft.h
-rw-r--r-- 1 root root 14398 août 16 20:30 cryptohi.h
-rw-r--r-- 1 root root   495 août 16 20:30 cryptoht.h
[...]

--------------------------------------------------------------------------------------------------------

The file /usr/include/nss/hasht.h exists:

root@client-chrony:/usr/include/nss# l | grep hasht.h
-rw-r--r-- 1 root root 1756 août 16 20:30 hasht.h
root@client-chrony:/usr/include/nss#

--------------------------------------------------------------------------------------------------------

The file /usr/include/nss/nsslowhash.h exists too:

root@client-chrony:/usr/include/nss# l | grep nsslowhash.h
-rw-r--r-- 1 root root 1172 août 16 20:30 nsslowhash.h
root@client-chrony:/usr/include/nss#

--------------------------------------------------------------------------------------------------------

I have nothing about "nss-softokn-devel" or "nss-softokn-freebl" or "freebl" on my system. Nothing on Internet, except http://linuxsoft.cern.ch/cern/updates/slc6X/i386/RPMS/repoview/nss-softokn-freebl-devel.html but it's only for RedHat (and I'm on Debian).

So I don't understand. Any ideas ?

Thanks a lot.

2015-10-19 10:27 GMT+02:00 Miroslav Lichvar <mlich...@redhat.com>:

> On Fri, Oct 16, 2015 at 04:04:22PM +0200, Steven Liegaux wrote:
> > Hi there,
> >
> > I'm trying to configure chrony on a Debian. I need a client, a server and a
> > packet authentication system (SHA2). If I understand, I can't use OpenSSL
> > (because the licence is not compatible with the Chrony's GPL licence), so I
> > need to use NSS. Am I right ?
>
> NSS or tomcrypt. OpenSSL is not supported. The issue with licensing is
> the main reason.
>
> > root@client-chrony:~# /etc/chrony/sbin/chronyd -d
> > 2015-10-15T15:52:43Z chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK
> > +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)
>
> -SECHASH means it wasn't compiled with NSS or tomcrypt support.
>
> > --disable-sechash      Disable support for hashes other than MD5
> > --without-nss          Don't use NSS even if it is available
> > --without-tomcrypt     Don't use libtomcrypt even if it is available
> >
> > Only "disable or without" things. So how can I configure Chrony to use NSS ?
> > For information, I have the same problem when I use "SHA1", but everything
> > is OK when I use MD5. Strange nop ?
>
> The SECHASH feature is enabled automatically if the configure script
> can find the NSS or tomcrypt development files. MD5 is always
> available as there is an internal MD5 implementation included in the
> chrony source code.
>
> Check config.log for errors. It will probably be a missing devel file.
>
> It needs the freebl library and nsslowhash.h from NSS. In Fedora, for
> instance, they are in the nss-softokn-devel and nss-softokn-freebl
> packages.
>
> --
> Miroslav Lichvar
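
Added example, not part of the original thread or of chrony itself: the reply above says a build reporting -SECHASH has only the internal MD5, so this script reads the chronyd feature banner and lists the key IDs in a key file that name any other hash. The helper names, the sample key values and the assumed "ID [HASH] KEY" key-file layout (a line without a hash name meaning MD5) are assumptions of this example.

```shell
#!/bin/sh
# Added example; has_feature and unusable_keys are hypothetical helper names.

# has_feature BANNER NAME: succeeds if the build banner lists "+NAME".
has_feature() {
    case " $(printf '%s' "$1" | tr '()\n' '   ') " in
        *" +$2 "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# unusable_keys BANNER KEYFILE: prints the IDs of keys that name a hash other
# than MD5 when the build lacks SECHASH. Assumes "ID [HASH] KEY" lines, where a
# two-field line has no hash name and so uses MD5.
unusable_keys() {
    if has_feature "$1" SECHASH; then
        return 0
    fi
    awk '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
        NF >= 3 && toupper($2) != "MD5" { print $1 }  # hash needs NSS/tomcrypt
    ' "$2"
}

# Banner as posted in the thread; the key file below is constructed sample data.
BANNER='chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)'
KEYFILE=$(mktemp)
cat > "$KEYFILE" <<'EOF'
# id [hash] key   (constructed values)
1 MD5 HEX:00112233445566778899aabbccddeeff
2 SHA1 HEX:00112233445566778899aabbccddeeff00112233
3 examplepassword
4 SHA256 HEX:00112233445566778899aabbccddeeff
EOF
echo "Keys this build cannot use: $(unusable_keys "$BANNER" "$KEYFILE" | tr '\n' ' ')"
rm -f "$KEYFILE"
```

Running the same check against the banner of every deployed chronyd shows which hosts would be limited to MD5 keys.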