RHEL 8 and Chrony – Part 3

After setting up your Chrony NTP server and client, we are ready to configure authentication using randomly generated symmetric keys. The allow/deny rules in /etc/chrony.conf only filter by source IP address, and NTP runs over UDP, so a source address is trivial to spoof. A shared key lets each side verify that a packet was built by a holder of the secret, which protects the integrity of the time the client accepts. It does not hide the traffic, and the key itself has to be copied to each client out of band.

Server Configuration

The keyfile directive tells chronyd where the ID-key pairs live; the default in the RHEL 8 chrony.conf is /etc/chrony.keys. You are free to point it at another file, but the directive must be active. Edit the config file and, if the keyfile line is commented out, remove the # in front of it.

# vi /etc/chrony.conf
keyfile /etc/chrony.keys

We will use the keygen command of chronyc to generate the key. It takes up to three arguments: chronyc keygen [id [type [bits]]]. The first is the key ID (an integer from 1 to 2^32-1, default 1), the same number the client references with the key option on its server line. The second is the hash function; the chrony build in RHEL 8 supports MD5, SHA1, SHA256, SHA384 and SHA512, with SHA1 as the default. The third is the key length in bits, between 80 and 4096, with the default being 160. MD5 and SHA1 are the legacy NTP choices and the ones this walkthrough uses; on a new deployment prefer SHA256 or stronger, since both sides run the same chrony.

Generate a 512-bit SHA1 key with the key number of 50. The output is a complete key-file line. chronyc reads the key bytes from /dev/urandom, so every run produces a different key; run the command yourself rather than reusing the key below, which is public now that it is on this page.

# chronyc keygen 50 SHA1 512
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

Insert the newly created key into /etc/chrony.keys. The file is a secret: leave it with the ownership and mode the RHEL 8 package ships (root:chrony, 0640) so chronyd can read it and ordinary users cannot.

# vi /etc/chrony.keys
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

Restart the chronyd service so it picks up the keyfile directive. Later key additions can be loaded without a restart with chronyc rekey, which re-reads the key file.

# systemctl restart chronyd

Client Configuration

Uncomment the keyfile parameter and add the key ID, in this case 50, to your defined server line in chrony.conf

# vi /etc/chrony.conf
server t1.networklogician.com key 50
keyfile /etc/chrony.keys

Add the symmetric key that was generated on the server into the /etc/chrony.keys file on the client, using the same key ID and hash type. Copy it over an authenticated channel such as scp; a key pasted through chat or e-mail is no longer a secret. Keep the client's file root:chrony, 0640 as well.

# vi /etc/chrony.keys
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

Restart the chronyd service

# systemctl restart chronyd

At this point, everything should be working correctly. From the client you should see the server listed as a time source; in our example the server is t1.networklogician.com. The snapshot below was taken right after the restart, so the new source is still marked ^? (not yet selectable) with a Reach of 1; after a few polls it should show ^* or ^+ and a Reach of 377. A Reach above 0 already tells you the key works, because a reply with a bad MAC is dropped and never counted. chronyc sources does not say whether a source is authenticated; run chronyc ntpdata t1.networklogician.com and look for "Authenticated : Yes" to confirm the key is in use.

# chronyc sources
210 Number of sources = 5
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? t1.networklogician.com      1   6     1    27  -3350us[-1785us] +/-   53ms
^- voipmonitor.wci.com         2   6    17    21  +2542us[+2542us] +/-   68ms
^- clock.trit.net              3   6    17    22  -6294us[-9084us] +/-  147ms
^+ radio-sunshine.org          2   6    17    21  -3355us[-6145us] +/-   75ms
^* time.cloudflare.com         3   6    17    21  +1421us[-1369us] +/-   36ms

From the server side, you should see the client in the client log. Our client machine name is client.networklogician.com. In the output, NTP counts NTP packets received from that host, Drop counts packets discarded by rate limiting, Int is the log2 of the observed polling interval in seconds and Last is the number of seconds since the last packet; the Cmd group of columns counts chronyc command packets the same way.

# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
localhost                       4      0   2   -   119      14      0  -1     6    
client.networklogician.com     17      0   5   -    18       0      0   -     -

Troubleshooting

Here are a few useful things to check if you run into problems. A client whose key does not match the server's will not accept the server's replies, so a key problem looks like an unreachable server (Reach stays at 0) rather than an error message.

1. Verify chronyd is running on both server and client
# systemctl status chronyd

2. Verify the server is listening on UDP port 123 (lsof is not installed on a minimal RHEL 8 system; ss is)
# lsof -i:123
# ss -ulnp | grep ':123'

3. Verify the allow statement in the server's /etc/chrony.conf covers the client's subnet
allow 10.10.30.0/24

4. Verify the firewall is allowing NTP. The ntp service opens 123/udp, so check the service list as well as the port list
# firewall-cmd --list-services
# firewall-cmd --list-ports

5. Check that the key ID on the client's server line and the key in /etc/chrony.keys match the server's, character for character and with the same hash type
server t1.networklogician.com key 50
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

6. If you have more than one interface card, check the bindaddress option in /etc/chrony.conf

7. For more logging, uncomment this line in /etc/chrony.conf and restart the daemon
log measurements statistics tracking
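Item 5 above, and the key-file format described in the server section, are where most mistakes happen: a mistyped hex digit or a key ID that differs between the two hosts leaves the client unable to authenticate anything, with no error to point at. The script below is an added example, not from the original post or the chrony project, that checks a key file for the things chronyd would reject (bad key ID, unknown hash, odd or missing hex digits, length outside the 80-4096 bit range, duplicate IDs) and compares one key ID between a server copy and a client copy. It assumes only POSIX sh, awk, tr and mktemp; the sample key files it writes are constructed for the demonstration, using the walkthrough's 512-bit key on the server side and a copy with the last hex digit mistyped on the client side.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check chrony key files
# and confirm that one key ID carries the same secret on server and client.
# Assumes only POSIX sh, awk, tr and mktemp. All file contents below are
# constructed sample data; the 512-bit key is the one from the walkthrough.

# validate_keyfile FILE
# Prints one line per problem found and returns non-zero if any were found.
# Accepts the "ID TYPE HEX:hexdigits" form used above; comments and blank
# lines are skipped.
validate_keyfile() {
    awk '
    BEGIN {
        n = split("MD5 SHA1 SHA256 SHA384 SHA512", t, " ")
        for (i = 1; i <= n; i++) ok[t[i]] = 1
        rc = 0
    }
    /^[ \t]*(#|$)/ { next }                     # comment or blank line
    {
        if (NF != 3) {
            printf("%s:%d: expected \"ID TYPE HEX:key\", found %d fields\n", FILENAME, FNR, NF)
            rc = 1; next
        }
        if ($1 !~ /^[0-9]+$/ || $1 + 0 < 1 || $1 + 0 > 4294967295) {
            printf("%s:%d: key ID %s is not in 1..4294967295\n", FILENAME, FNR, $1); rc = 1
        }
        if (!(toupper($2) in ok)) {
            printf("%s:%d: unsupported hash %s\n", FILENAME, FNR, $2); rc = 1
        }
        if ($3 !~ /^HEX:[0-9A-Fa-f]+$/ || (length($3) - 4) % 2 != 0) {
            printf("%s:%d: key must be HEX: followed by an even number of hex digits\n", FILENAME, FNR)
            rc = 1; next
        }
        bits = (length($3) - 4) * 4             # four bits per hex digit
        if (bits < 80 || bits > 4096) {
            printf("%s:%d: key is %d bits, outside the 80..4096 range chronyc keygen produces\n", FILENAME, FNR, bits); rc = 1
        }
        if ($1 in seen) {
            printf("%s:%d: duplicate key ID %s\n", FILENAME, FNR, $1); rc = 1
        }
        seen[$1] = 1
    }
    END { exit rc }' "$1"
}

# key_line FILE ID -> prints "TYPE KEY" for ID, or nothing if ID is absent
key_line() {
    awk -v id="$2" '!/^[ \t]*(#|$)/ && $1 == id { print $2, $3; exit }' "$1"
}

# key_bits FILE ID -> prints the key length in bits (HEX: keys only)
key_bits() {
    key_line "$1" "$2" | awk '{ print (length($2) - 4) * 4 }'
}

# keys_match SERVER_KEYS CLIENT_KEYS ID
# Returns 0 only when both files define ID with the same hash type and the
# same key bytes. Hex case is ignored because chronyd compares raw bytes.
keys_match() {
    s=$(key_line "$1" "$3" | tr 'a-f' 'A-F')
    c=$(key_line "$2" "$3" | tr 'a-f' 'A-F')
    [ -n "$s" ] && [ -n "$c" ] && [ "$s" = "$c" ]
}

# make_samples DIR: write constructed sample key files into DIR
make_samples() {
    cat > "$1/server.keys" <<'EOF'
# constructed sample: the key generated in the walkthrough
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA
EOF
    # constructed sample: same key ID, last hex digit mistyped (A -> B)
    cat > "$1/client.keys" <<'EOF'
50 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFB
EOF
    # constructed sample with exactly one problem per line:
    # ID 0, unknown hash, odd digit count, missing field, duplicate ID, 16-bit key
    cat > "$1/bad.keys" <<'EOF'
0 SHA1 HEX:41303679BF767668BC4FA98783FABC76
50 SHA7 HEX:41303679BF767668BC4FA98783FABC76
51 SHA1 HEX:ABC
52 HEX:ABCD
50 MD5 HEX:0123456789ABCDEF0123456789ABCDEF
53 SHA1 HEX:ABCD
EOF
}

# Stand-alone demonstration on the constructed files
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp"
validate_keyfile "$tmp/server.keys" && echo "server.keys: ok, key 50 is $(key_bits "$tmp/server.keys" 50) bits"
validate_keyfile "$tmp/bad.keys" || echo "bad.keys: rejected"
if keys_match "$tmp/server.keys" "$tmp/client.keys" 50; then
    echo "key 50: server and client agree"
else
    echo "key 50: server and client differ (or one side lacks it)"
fi
```

On real hosts, copy the client's /etc/chrony.keys next to the server's over scp and run keys_match on the two files with the ID from the client's server line; a non-zero return means the mismatch is in the key material, and the validator output tells you whether chronyd would have loaded the line at all.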
