Chapter 20. Configuring chrony for security
The default configuration file for
The -f option can be used to specify an alternate configuration file path. See the chrony.conf(5) man page for further options. For a complete list of the directives that can be used, see The chronyd configuration file.
chronyc can access chronyd in two ways:
- Internet Protocol, IPv4 or IPv6.
- Unix domain socket, which is accessible locally by the
By default, chronyc connects to the Unix domain socket. The default path is /var/run/chrony/chronyd.sock. If this connection fails, which can happen, for example, when chronyc is running as a non-root user, chronyc tries to connect to 127.0.0.1 and then ::1.
Only the following monitoring commands, which do not affect the behavior of chronyd, are allowed from the network:
- manual list
The set of hosts from which chronyd accepts these commands can be configured with the cmdallow directive in the configuration file of chronyd, or the cmdallow command in chronyc. By default, the commands are accepted only from localhost (127.0.0.1 or ::1).
All other commands are allowed only through the Unix domain socket. When any of them is sent over the network, chronyd responds with a Not authorised error, even when the request comes from localhost.
The following procedure describes how to access chronyd remotely with chronyc.
Allow access from both IPv4 and IPv6 addresses by adding the following to the
Allow commands from the remote IP address, network, or subnet by using the cmdallow directive.
Add the following content to the
Open port 323 in the firewall to connect from a remote system.
# firewall-cmd --zone=public --add-port=323/udp
If you want to open port 323 permanently, use the --permanent option:
# firewall-cmd --permanent --zone=public --add-port=323/udp
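The procedure above as one added shell example; this is not code from the RHEL documentation or the chrony project. It writes the directives the steps describe into chronyd's configuration file (bindcmdaddress 0.0.0.0 and bindcmdaddress :: so that the command port listens on IPv4 and IPv6, and cmdallow for the remote subnet), opens port 323/udp, and shows how to verify from the remote host that a monitoring command succeeds while a control command is refused. The path /etc/chrony.conf, the subnet 192.0.2.0/24, the server address 192.0.2.10 and the helper function names are assumptions chosen for the example.

```shell
#!/bin/bash
# Added example (not from the RHEL docs or the chrony project): allow chronyc
# monitoring from one subnet and verify that control commands stay refused.
# Assumed values: config file /etc/chrony.conf, subnet 192.0.2.0/24,
# chronyd host 192.0.2.10. Function names are hypothetical helpers.
set -euo pipefail

# Append a directive to the given chrony.conf only if that exact line is absent,
# so the helper can be re-run without duplicating lines.
chrony_ensure_directive() {
    local conf="$1" directive="$2"
    if ! grep -qxF -- "$directive" "$conf" 2>/dev/null; then
        printf '%s\n' "$directive" >> "$conf"
    fi
}

# Write the three directives the procedure needs: listen on IPv4 and IPv6 for
# command packets, and accept monitoring commands from the named subnet.
chrony_allow_remote_monitoring() {
    local conf="$1" subnet="$2"
    chrony_ensure_directive "$conf" "bindcmdaddress 0.0.0.0"
    chrony_ensure_directive "$conf" "bindcmdaddress ::"
    chrony_ensure_directive "$conf" "cmdallow $subnet"
}

# Number of times an exact directive line appears in the file ("0" if absent).
chrony_count_directive() {
    local conf="$1" directive="$2"
    grep -cxF -- "$directive" "$conf" || true
}

# Apply the change to the live system, open the firewall, and restart chronyd.
chrony_apply() {
    local conf=/etc/chrony.conf
    cp -a "$conf" "$conf.bak.$(date +%s)"
    chrony_allow_remote_monitoring "$conf" 192.0.2.0/24
    systemctl restart chronyd
    firewall-cmd --zone=public --add-port=323/udp
    firewall-cmd --permanent --zone=public --add-port=323/udp
    # Verification, run from a host inside 192.0.2.0/24:
    #   chronyc -h 192.0.2.10 tracking    # monitoring command: answered
    #   chronyc -h 192.0.2.10 makestep    # control command: "Not authorised"
    # The second command is only accepted locally over the Unix domain socket,
    # e.g. as root on 192.0.2.10:  chronyc makestep
}

# Only touch the system when explicitly asked; otherwise the file can be
# sourced for its helpers.
if [ "${1:-}" = apply ]; then
    chrony_apply
fi
```

Note that cmdallow limits which hosts chronyd will answer, but the firewall-cmd rule as written opens 323/udp to every source; if the subnet is known, restricting the firewall rule to it as well keeps the command port from being reachable by hosts chronyd would refuse anyway.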