Menu Close

Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 33. Overview of Network Time Security (NTS) in chrony

Network Time Security (NTS) is an authentication mechanism for Network Time Protocol (NTP), designed to scale substantial clients. It verifies that the packets received from the server machines are unaltered while moving to the client machine. Network Time Security (NTS) includes a Key Establishment (NTS-KE) protocol that automatically creates the encryption keys used between the server and its clients.

33.1. Enabling Network Time Security (NTS) in the client configuration file

By default, Network Time Security (NTS) is not enabled. You can enable NTS in the /etc/chrony.conf. For that, perform the following steps:


  • Server with the NTS support


In the client configuration file:

  1. Specify the server with the nts option in addition to the recommended iburst option.

    For example:
    server iburst nts
    server iburst nts
    server iburst nts
  2. To avoid repeating the Network Time Security-Key Establishment (NTS-KE) session during system boot, add the following line to chrony.conf, if it is not present:

    ntsdumpdir /var/lib/chrony
  3. Add the following line to /etc/sysconfig/network to disable synchronization with Network Time Protocol (NTP) servers provided by DHCP:

  4. Save your changes.
  5. Restart the chronyd service:

    systemctl restart chronyd


  • Verify if the NTS keys were successfully established:

    # chronyc -N authdata
    Name/IP address  Mode KeyID Type KLen Last Atmp  NAK Cook CLen
    ================================================================  NTS     1   15  256  33m    0    0    8  100   NTS     1   15  256  33m    0    0    8  100   NTS     1   15  256  33m    0    0    8  100

    The KeyID, Type, and KLen should have non-zero values. If the value is zero, check the system log for error messages from chronyd.

  • Verify the client is making NTP measurements:

    # chronyc -N sources
    MS Name/IP address Stratum Poll Reach LastRx Last sample
    =========================================================   3        6   377    45   +355us[ +375us] +/-   11ms    1        6   377    44   +237us[ +237us] +/-   23ms    1        6   377    44   -170us[ -170us] +/-   22ms

    The Reach column should have a non-zero value; ideally 377. If the value rarely gets 377 or never gets to 377, it indicates that NTP requests or responses are getting lost in the network.

Additional resources

  • chrony.conf(5) man page

33.2. Enabling Network Time Security (NTS) on the server

If you run your own Network Time Protocol (NTP) server, you can enable the server Network Time Security (NTS) support to facilitate its clients to synchronize securely.

If the NTP server is a client of other servers, that is, it is not a Stratum 1 server, it should use NTS or symmetric key for its synchronization.


  • Server private key in PEM format
  • Server certificate with required intermediate certificates in PEM format


  1. Specify the private key and the certificate file in chrony.conf

    For example:
    ntsserverkey /etc/pki/tls/private/
    ntsservercert /etc/pki/tls/certs/
  2. Ensure that both the key and certificate files are readable by the chrony system user, by setting the group ownership.

    For example:
    chown :chrony /etc/pki/tls/*/*
  3. Ensure the ntsdumpdir /var/lib/chrony directive is present in the chrony.conf.
  4. Restart the chronyd service:

    systemctl restart chronyd

    If the server has a firewall, it needs to allow both the UDP 123 and TCP 4460 ports for NTP and Network Time Security-Key Establishment (NTS-KE).


  • Perform a quick test from a client machine with the following command:

    $ chronyd -Q -t 3 'server iburst nts maxsamples 1'
    2021-09-15T13:45:26Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
    2021-09-15T13:45:26Z Disabled control of system clock
    2021-09-15T13:45:28Z System clock wrong by 0.002205 seconds (ignored)
    2021-09-15T13:45:28Z chronyd exiting

    The System clock wrong message indicates the NTP server is accepting NTS-KE connections and responding with NTS-protected NTP messages.

  • Verify the NTS-KE connections and authenticated NTP packets observed on the server:

    # chronyc serverstats
    NTP packets received       : 7
    NTP packets dropped        : 0
    Command packets received   : 22
    Command packets dropped    : 0
    Client log records dropped : 0
    NTS-KE connections accepted: 1
    NTS-KE connections dropped : 0
    Authenticated NTP packets: 7

    If the value of the NTS-KE connections accepted and Authenticated NTP packets field is a non-zero value, it means that at least one client was able to connect to the NTS-KE port and send an authenticated NTP request.