Thx Miroslav for your answer.

If I list all my installed packets, this is what I have:

root@client-chrony:/tmp/chrony-2.1.1#  dpkg-query -l | grep nss
ii  insserv                            1.14.0-5
amd64        boot sequence organizer using LSB init.d script dependency
information

*ii  libnss3:amd64                      2:3.14.5-1+deb7u5
amd64        Network Security Service libraries
ii  libnss3-dev                        2:3.14.5-1+deb7u5
amd64        Development files for the Network Security Service libraries*
ii  openssh-blacklist                  0.4.1+nmu1
all          list of default blacklisted OpenSSH RSA and DSA keys
ii  openssh-blacklist-extra            0.4.1+nmu1
all          list of non-default blacklisted OpenSSH RSA and DSA keys
ii  openssh-client                     1:6.0p1-4+deb7u2
amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                     1:6.0p1-4+deb7u2
amd64        secure shell (SSH) server, for secure access from remote
machines
ii  openssl                            1.0.1e-2+deb7u17
amd64        Secure Socket Layer (SSL) binary and related cryptographic
tools
root@client-chrony:/tmp/chrony-2.1.1#

--------------------------------------------------------------------------------------------------------

If I configure again:

root@client-chrony:/tmp/chrony-2.1.1# ./configure  --prefix=/etc/chrony
Configuring for  Linux-x86_64
Checking for 64-bit time_t : Yes
NTP time mapped to 1965-10-27T20:13:31Z/2101-12-04T02:41:47Z
Checking for math : No
Checking for math in -lm : Yes
Checking for <stdint.h> : Yes
Checking for <inttypes.h> : Yes
Checking for IPv6 support : Yes
Checking for in6_pktinfo : No
Checking for in6_pktinfo with _GNU_SOURCE : Yes
Checking for getaddrinfo() : Yes
Checking for pthread : Yes
Checking for <sys/timepps.h> : No
Checking for <timepps.h> : No
Checking for libcap : No
Checking for <linux/rtc.h> : Yes
Checking for <linux/ptp_clock.h> : Yes
Checking for clock_gettime() : No
Checking for clock_gettime() in -lrt : Yes
Checking for sched_setscheduler() : Yes
Checking for mlockall() : Yes
Checking for editline : No
Checking for readline : No
Checking for readline with -lncurses : No
*Checking for NSS : No*
Checking for tomcrypt : No
Features : +CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -DEBUG -READLINE +ASYNCDNS
+IPV6 *-SECHASH*
Creating Makefile
Creating chrony.conf.5
Creating chrony.texi
Creating chronyc.1
Creating chronyd.8

--------------------------------------------------------------------------------------------------------

If I check the config.log I have this kind of error:

docheck.c:
#include <nss.h>
#include <hasht.h>
#include <nsslowhash.h>
int main(int argc, char **argv) {
NSSLOWHASH_Begin(NSSLOWHASH_NewContext(NSSLOW_Init(), HASH_AlgSHA512));
return 0; }
gcc -O2 -g -Wmissing-prototypes -Wall -pthread -o docheck docheck.c
-lfreebl3
*docheck.c:2:19: fatal error: hasht.h: Aucun fichier ou dossier de ce type*
compilation terminated.

--------------------------------------------------------------------------------------------------------

If I try to access the NSS include directory:

root@client-chrony:/tmp# cd /usr/include/nss/
root@client-chrony:/usr/include/nss# l
total 1196
-rw-r--r-- 1 root root  1226 août  16 20:30 base64.h
-rw-r--r-- 1 root root 12071 août  16 20:30 blapit.h
-rw-r--r-- 1 root root  2511 août  16 20:30 certdb.h
-rw-r--r-- 1 root root 53104 août  16 20:30 cert.h
-rw-r--r-- 1 root root 44798 août  16 20:30 certt.h
-rw-r--r-- 1 root root  2386 août  16 20:30 ciferfam.h
-rw-r--r-- 1 root root 43019 août  16 20:30 cmmf.h
-rw-r--r-- 1 root root  2392 août  16 20:30 cmmft.h
-rw-r--r-- 1 root root 38799 août  16 20:30 cms.h
-rw-r--r-- 1 root root   954 août  16 20:30 cmsreclist.h
-rw-r--r-- 1 root root 17359 août  16 20:30 cmst.h
-rw-r--r-- 1 root root 63980 août  16 20:30 crmf.h
-rw-r--r-- 1 root root  5601 août  16 20:30 crmft.h
-rw-r--r-- 1 root root 14398 août  16 20:30 cryptohi.h
-rw-r--r-- 1 root root   495 août  16 20:30 cryptoht.h
[...]

--------------------------------------------------------------------------------------------------------

The file /usr/include/nss/hasht.h exists:

root@client-chrony:/usr/include/nss# l | grep hasht.h
-rw-r--r-- 1 root root  1756 août  16 20:30 hasht.h
root@client-chrony:/usr/include/nss#

--------------------------------------------------------------------------------------------------------

The file /usr/include/nss/nsslowhash.h exists too:

root@client-chrony:/usr/include/nss# l | grep nsslowhash.h
-rw-r--r-- 1 root root  1172 août  16 20:30 nsslowhash.h
root@client-chrony:/usr/include/nss#

--------------------------------------------------------------------------------------------------------

I have nothing about "nss-softokn-devel" or "nss-softokn-freebl" or
"freebl" on my system. Nothing on Internet, except
http://linuxsoft.cern.ch/cern/updates/slc6X/i386/RPMS/repoview/nss-softokn-freebl-devel.html
but it's only for RedHat (and I'm on Debian).

So I don't understand.

Any ideas?

Thanks a lot.



2015-10-19 10:27 GMT+02:00 Miroslav Lichvar <mlich...@redhat.com>:

> On Fri, Oct 16, 2015 at 04:04:22PM +0200, Steven Liegaux wrote:
> > Hi there,
> >
> > I'm trying to configure chrony on a Debian. I need a client, a server and a
> > packet authentication system (SHA2). If I understand, I can't use OpenSSL
> > (because the licence is not compatible with the Chrony's GPL licence), so I
> > need to use NSS. Am I right ?
>
> NSS or tomcrypt. OpenSSL is not supported. The issue with licensing is
> the main reason.
>
> > root@client-chrony:~# /etc/chrony/sbin/chronyd -d
> > 2015-10-15T15:52:43Z chronyd version 2.1.1 starting (+CMDMON +NTP +REFCLOCK
> > +RTC -PRIVDROP -DEBUG +ASYNCDNS +IPV6 -SECHASH)
>
> -SECHASH means it wasn't compiled with NSS or tomcrypt support.
>
> >  --disable-sechash      Disable support for hashes other than MD5
> >   --without-nss          Don't use NSS even if it is available
> >   --without-tomcrypt     Don't use libtomcrypt even if it is available
> >
> > Only "disable or without" things. So how can I configure Chrony to use NSS ?
> > For information, I have the same problem when I use "SHA1", but everything
> > is OK when I use MD5. Strange nop ?
>
> The SECHASH feature is enabled automatically if the configure script
> can find the NSS or tomcrypt development files. MD5 is always
> available as there is an internal MD5 implementation included in the
> chrony source code.
>
> Check config.log for errors. It will probably be a missing devel file.
>
> It needs the freebl library and nsslowhash.h from NSS. In Fedora, for
> instance, they are in the nss-softokn-devel and nss-softokn-freebl
> packages.
>
> --
> Miroslav Lichvar
>
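
The config.log excerpt in the message above shows the compile test run with no -I option while hasht.h and nsslowhash.h sit under /usr/include/nss. As an added example (not part of the original message and not chrony's own code), this script scans a configure log for headers the compiler reported missing and lists those that exist below an include root in a directory the log never passed with -I. The function names, the temporary directory tree and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: match "header not found" errors in a configure log against
# headers that exist in a subdirectory the compile line never searched.

# find_unsearched_header LOG INCLUDE_ROOT
# Prints "<header> <dir>" for each header reported missing in LOG that exists
# under INCLUDE_ROOT in a subdirectory with no -I option anywhere in LOG.
find_unsearched_header() {
    log=$1 root=$2
    # gcc prints "fatal error: NAME.h: <message>"; the message text is
    # localized, so only the header name before the second colon is used.
    sed -n 's/.*fatal error: \([^:]*\.h\):.*/\1/p' "$log" | sort -u |
    while read -r hdr; do
        find "$root" -name "$hdr" -type f | while read -r path; do
            dir=$(dirname "$path")
            # The root itself is on the default search path; skip it.
            [ "$dir" = "$root" ] && continue
            grep -qF -- "-I$dir" "$log" || grep -qF -- "-I $dir" "$log" ||
                echo "$hdr $dir"
        done
    done
}

# Constructed sample: a stand-in include tree and a log excerpt shaped like
# the one in the message (command line without -I, header error on line 2).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/include/nss"
    : > "$tmp/usr/include/nss/hasht.h"
    : > "$tmp/usr/include/nss/nsslowhash.h"
    cat > "$tmp/config.log" <<'EOF'
gcc -O2 -g -Wmissing-prototypes -Wall -pthread -o docheck docheck.c -lfreebl3
docheck.c:2:19: fatal error: hasht.h: Aucun fichier ou dossier de ce type
compilation terminated.
EOF
    find_unsearched_header "$tmp/config.log" "$tmp/usr/include"
    rm -rf "$tmp"
}

demo
```

On a real build tree the call would be `find_unsearched_header config.log /usr/include`; a reported directory is one the compile test needs on its include path before the feature check can succeed.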
