After setting up your Chrony NTP server and client, we are now ready to configure authentication using randomly generated symmetric keys. The allow/deny rules in /etc/chrony.conf only control which addresses may talk to the server; a shared key lets each side verify that the NTP packets it receives were produced by a peer holding that key and were not altered in transit, which is what actually protects the integrity of the time you serve.
Server Configuration
The keyfile directive in chrony.conf names the file that holds the ID-key pairs, /etc/chrony.keys in the shipped configuration. On this system the directive is commented out, so it has to be uncommented before chronyd will load any keys (you may also change the path if you prefer to keep the keys elsewhere). Edit the config file and remove the # in front of the keyfile line.
# vi /etc/chrony.conf
keyfile /etc/chrony.keys
We will use the keygen command of chronyc to generate the key. It takes three arguments. The first is the key ID, the number the client will reference with the key option on its server line. The second is the hash function, SHA1 or MD5; use SHA1, and keep MD5 only for peers that cannot do anything else. The last is the key length in bits, between 80 and 4096, with a default of 160.
Generate a 512-bit SHA1 key with the key number of 50.
# chronyc keygen 50 SHA1 512
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA
Insert the newly created line, exactly as printed, into /etc/chrony.keys. The file holds a shared secret, so keep it readable only by root and the account chronyd runs as.
# vi /etc/chrony.keys
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA
Restart the chronyd service
# systemctl restart chronyd
Client Configuration
Uncomment the keyfile parameter and add key 50 (the ID you generated on the server) to the server line in chrony.conf.
# vi /etc/chrony.conf
server t1.networklogician.com key 50
keyfile /etc/chrony.keys
Copy the key line generated on the server into /etc/chrony.keys on the client. Transfer it over a secure channel such as scp: anyone who obtains the key can forge authenticated time responses.
# vi /etc/chrony.keys
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA
Restart the chronyd service
# systemctl restart chronyd
At this point everything should be working. From the client, chronyc sources should list the server as a time source; in our example the server is t1.networklogician.com. Note that in the output below the new source is still shown as ^? with Reach 1 because it has only been polled once: chronyc marks a source ? until it has gathered at least three samples, so allow a few poll intervals before reading anything into that. If Reach stays at 0, the client is discarding the replies, which with a key configured most often means the key lines differ between the two hosts; on recent chrony versions, chronyc ntpdata reports Authenticated : Yes for a source whose packets pass the MAC check.
# chronyc sources
210 Number of sources = 5
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? t1.networklogician.com        1   6     1    27  -3350us[-1785us] +/-   53ms
^- voipmonitor.wci.com           2   6    17    21  +2542us[+2542us] +/-   68ms
^- clock.trit.net                3   6    17    22  -6294us[-9084us] +/-  147ms
^+ radio-sunshine.org            2   6    17    21  -3355us[-6145us] +/-   75ms
^* time.cloudflare.com           3   6    17    21  +1421us[-1369us] +/-   36ms
From the server side, you should see the client connected. Our client machine name is client.networklogician.com
# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
localhost                       4      0   2   -   119      14      0  -1     6
client.networklogician.com     17      0   5   -    18       0      0   -     -
Troubleshooting
Here are a few useful things to check if you run into problems.
1. Verify chronyd is running on server and client
systemctl status chronyd
2. Verify the server is listening on port 123
lsof -i:123
3. Verify the allow statement in /etc/chrony.conf
allow 10.10.30.0/24
4. Verify the firewall is allowing NTP (UDP port 123); if you opened it as the ntp service rather than by port number, check firewall-cmd --list-services instead
firewall-cmd --list-ports
5. Check that the key ID on the client's server line exists in both key files and that the key lines on server and client are identical
server t1.networklogician.com key 50
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA
6. If you have more than one interface card, check the bindaddress option in /etc/chrony.conf
7. For more logging, uncomment this line in /etc/chrony.conf and restart the daemon; the log files are written to the directory named by the logdir directive
log measurements statistics tracking
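The server and client steps above and troubleshooting item 5 both come down to the same handling of the key line: it has to be well formed, kept out of world-readable files, and byte-for-byte identical on both ends under the ID the client's server line names. The following POSIX shell script is an added example, not part of the original post or of chrony itself, that performs those checks on files you point it at. As a stand-in for chronyc keygen it builds a key line in the same "ID TYPE HEX:..." format from /dev/urandom so that it runs on a machine without chrony (on a real host use chronyc keygen); the function names, the temporary-file paths used by demo, and the constructed chrony.conf fragment are all my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build, install and cross-check
# chrony symmetric keys in the "ID TYPE HEX:..." format used by /etc/chrony.keys.
# File paths are parameters so the script can be exercised against temporary
# files; on real hosts point them at /etc/chrony.keys and /etc/chrony.conf.

# Emit one key line for ID $1, hash $2 (default SHA1) and $3 bits (default 160)
# from /dev/urandom. On a real host `chronyc keygen` is preferred; this is a
# portable stand-in that produces the same format using only od and tr.
gen_key_line() {
    _id=$1 _type=${2:-SHA1} _bits=${3:-160}
    _bytes=$(( (_bits + 7) / 8 ))
    _hex=$(od -An -tx1 -N"$_bytes" /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F')
    printf '%s %s HEX:%s\n' "$_id" "$_type" "$_hex"
}

# Accept a key line only if it is well formed: numeric ID, algorithm name, and a
# hex key of whole bytes between 80 and 4096 bits (the range chronyc keygen allows).
valid_key_line() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ [A-Za-z0-9-]+ HEX:[0-9A-Fa-f]+$' || return 1
    _hex=${1##*HEX:}
    _len=${#_hex}
    [ $((_len % 2)) -eq 0 ] && [ "$_len" -ge 20 ] && [ "$_len" -le 1024 ]
}

# Key length in bits, e.g. 512 for the 128-hex-digit key shown in the post.
key_bits() {
    _hex=${1##*HEX:}
    echo $(( ${#_hex} * 4 ))
}

# Append a validated key line to a keys file created with mode 0640, so the
# shared secret is not world-readable (on a real host also chown it to the
# account chronyd runs as).
install_key() {
    valid_key_line "$1" || { echo "refusing malformed key line: $1" >&2; return 1; }
    ( umask 027; touch "$2" ) && chmod 0640 "$2" && printf '%s\n' "$1" >> "$2"
}

# Print the key line for ID $1 from keys file $2, ignoring comment lines.
key_for_id() {
    awk -v id="$1" '$1 !~ /^#/ && $1 == id { print; exit }' "$2"
}

# Print the key ID that chrony.conf ($2) binds to server $1 via "key N", if any.
server_key_id() {
    awk -v host="$1" '$1 == "server" && $2 == host {
        for (i = 3; i < NF; i++) if ($i == "key") { print $(i + 1); exit } }' "$2"
}

# Troubleshooting item 5: the client's server line must name an ID that is
# present with an identical key line in both the server and client key files.
client_auth_consistent() {
    _host=$1 _conf=$2 _srv_keys=$3 _cli_keys=$4
    _kid=$(server_key_id "$_host" "$_conf")
    [ -n "$_kid" ] || { echo "no key option on server line for $_host" >&2; return 1; }
    _s=$(key_for_id "$_kid" "$_srv_keys")
    _c=$(key_for_id "$_kid" "$_cli_keys")
    [ -n "$_s" ] && [ "$_s" = "$_c" ]
}

# Walk through the post's setup on temporary files: generate a 512-bit SHA1 key
# with ID 50, install it on both ends, and confirm the client config matches.
demo() {
    _dir=$(mktemp -d) || return 1
    _line=$(gen_key_line 50 SHA1 512)
    install_key "$_line" "$_dir/server.keys" || return 1
    install_key "$_line" "$_dir/client.keys" || return 1
    # constructed client chrony.conf fragment, mirroring the post's client step
    printf 'server t1.networklogician.com key 50\nkeyfile %s\n' \
        "$_dir/client.keys" > "$_dir/chrony.conf"
    if client_auth_consistent t1.networklogician.com "$_dir/chrony.conf" \
            "$_dir/server.keys" "$_dir/client.keys"; then
        _rc=0
    else
        _rc=1
    fi
    rm -rf "$_dir"
    return $_rc
}

demo
```

demo runs the whole flow in a throwaway directory. Against real hosts, fetch the server's /etc/chrony.keys over a secure channel and pass it, together with the client's /etc/chrony.conf and /etc/chrony.keys, to client_auth_consistent; a non-zero exit tells you the ID or the key line differs before you start reading packet logs.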