Chapter 30. Overview of Network Time Security (NTS) in chrony

Network Time Security (NTS) is an authentication mechanism for the Network Time Protocol (NTP), designed to scale to a substantial number of clients. It verifies that the packets a client receives from a server were not altered in transit. NTS includes a separate Key Establishment (NTS-KE) protocol, run over TLS, that automatically creates the keys used between the server and its clients, so no keys have to be distributed by hand. NTS authenticates the NTP packets; it does not hide their content.

30.1. Enabling Network Time Security (NTS) in the client configuration file

By default, Network Time Security (NTS) is not enabled. You can enable it in the /etc/chrony.conf file. To do so, perform the following steps:

Prerequisites

  • An NTP server with NTS support

Procedure

In the client configuration file:

  1. Specify the server with the nts option in addition to the recommended iburst option.

    For example:
    server time.example.com iburst nts
    server nts.netnod.se iburst nts
    server ptbtime1.ptb.de iburst nts
  2. To avoid repeating the NTS Key Establishment (NTS-KE) session on every system boot, add the following line to chrony.conf if it is not already present. chronyd saves its NTS keys and cookies to this directory on exit and reloads them on start:

    ntsdumpdir /var/lib/chrony
  3. Add the following line to /etc/sysconfig/network to disable synchronization with NTP servers provided by DHCP. Servers learned from DHCP are configured without the nts option and would be unauthenticated sources:

    PEERNTP=no
  4. Save your changes.
  5. Restart the chronyd service:

    systemctl restart chronyd

Verification

  • Verify that the NTS keys were successfully established:

    # chronyc -N authdata
    
    Name/IP address  Mode KeyID Type KLen Last Atmp  NAK Cook CLen
    ================================================================
    time.example.com  NTS     1   15  256  33m    0    0    8  100
    nts.sth1.ntp.se   NTS     1   15  256  33m    0    0    8  100
    nts.sth2.ntp.se   NTS     1   15  256  33m    0    0    8  100

    The KeyID, Type, and KLen columns should have non-zero values. A zero means that no keys were established with that server; check the system log for error messages from chronyd.

  • Verify that the client is making NTP measurements:

    # chronyc -N sources
    
    MS Name/IP address Stratum Poll Reach LastRx Last sample
    =========================================================
    time.example.com   3        6   377    45   +355us[ +375us] +/-   11ms
    nts.sth1.ntp.se    1        6   377    44   +237us[ +237us] +/-   23ms
    nts.sth2.ntp.se    1        6   377    44   -170us[ -170us] +/-   22ms

    The Reach column should have a non-zero value, ideally 377, which means that all of the last eight requests were answered. If the value rarely or never reaches 377, NTP requests or responses are being lost in the network.
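The following shell script is an added example, not code from the chrony documentation or the chrony project. It turns the client steps above into repeatable checks: it audits a chrony.conf for time sources configured with neither the nts option nor a symmetric key and for a missing ntsdumpdir directive, and it parses the chronyc -N authdata and chronyc -N sources output for the conditions named in the Verification section. The configuration file contents and all chronyc output below are constructed samples; in use, point the audit at /etc/chrony.conf and pipe live chronyc output into the checks.

```shell
#!/bin/sh
# Added example: NTS client configuration audit and verification checks.
# Not part of chrony; the column layout is assumed from the chronyc 4.x output
# shown in the chapter.

# audit_chrony_conf FILE
# Report every server/pool/peer line that has neither the nts option nor a
# symmetric key, and a missing ntsdumpdir directive. Returns 1 if anything was reported.
audit_chrony_conf() {
    conf=$1; rc=0
    set -f                                 # no pathname expansion while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                       # split into directive and options
        [ $# -eq 0 ] && continue           # blank line
        case $1 in
            \#*|!*|\;*|%*) continue ;;     # chrony comment markers
            server|pool|peer)
                case " $* " in
                    *" nts "*|*" key "*) ;;
                    *) printf 'UNAUTHENTICATED: %s\n' "$*"; rc=1 ;;
                esac ;;
        esac
    done < "$conf"
    set +f
    grep -Eq '^[[:space:]]*ntsdumpdir[[:space:]]' "$conf" ||
        { printf 'MISSING: ntsdumpdir (NTS-KE would repeat on every restart)\n'; rc=1; }
    return $rc
}

# check_authdata   (reads "chronyc -N authdata" output on stdin)
# Every source must use NTS and show non-zero KeyID, Type and KLen; zeros mean
# NTS-KE has not succeeded for that server. Returns 1 on any finding.
check_authdata() {
    awk 'NR > 2 && NF >= 5 {
             if ($2 != "NTS") { printf "NOT NTS: %s (mode %s)\n", $1, $2; bad = 1; next }
             seen = 1
             if ($3 == 0 || $4 == 0 || $5 == 0) { printf "NO KEYS: %s\n", $1; bad = 1 }
         }
         END { if (!seen) { print "NO NTS SOURCES"; bad = 1 }; exit bad + 0 }'
}

# check_sources   (reads "chronyc -N sources" output on stdin)
# Reach is an octal register of the last eight polls; 377 means none were lost.
# Reach is the 6th field from the end, so this works with or without the MS column.
check_sources() {
    awk 'NR > 2 && NF >= 9 {
             if ($(NF-5) != 377) { printf "LOSSY: %s reach %s\n", $(NF-8), $(NF-5); bad = 1 }
         }
         END { exit bad + 0 }'
}

# Constructed samples (not captured from a live system).
SAMPLE_CONF='# constructed client configuration with one unauthenticated source
server time.example.com iburst nts
server 0.pool.example.org iburst
ntsdumpdir /var/lib/chrony'

SAMPLE_AUTHDATA_OK='Name/IP address  Mode KeyID Type KLen Last Atmp  NAK Cook CLen
================================================================
time.example.com  NTS     1   15  256  33m    0    0    8  100'

SAMPLE_AUTHDATA_BAD='Name/IP address  Mode KeyID Type KLen Last Atmp  NAK Cook CLen
================================================================
time.example.com  NTS     0    0    0    -    3    0    0    0'

SAMPLE_SOURCES_OK='MS Name/IP address Stratum Poll Reach LastRx Last sample
=========================================================
^* time.example.com   3    6   377    45   +355us[ +375us] +/-   11ms'

SAMPLE_SOURCES_LOSSY='MS Name/IP address Stratum Poll Reach LastRx Last sample
=========================================================
^* time.example.com   3    6   377    45   +355us[ +375us] +/-   11ms
^- nts.sth1.ntp.se    1    6    17    44   +237us[ +237us] +/-   23ms'

# Demonstration: each check prints its findings and returns 1 when it has any.
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
audit_chrony_conf "$demo_conf" || echo 'config audit: findings above'
rm -f "$demo_conf"
printf '%s\n' "$SAMPLE_AUTHDATA_BAD" | check_authdata || echo 'authdata: findings above'
printf '%s\n' "$SAMPLE_SOURCES_LOSSY" | check_sources || echo 'sources: findings above'
```

The audit treats a source with a symmetric key (key option) as authenticated, matching the later note that an NTS server should use NTS or a symmetric key for its own synchronization. Run it against /etc/chrony.conf and feed the checks with `chronyc -N authdata | check_authdata` and `chronyc -N sources | check_sources` after chronyd has been restarted.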

Additional resources

  • chrony.conf(5) man page

30.2. Enabling Network Time Security (NTS) on the server

If you run your own Network Time Protocol (NTP) server, you can enable Network Time Security (NTS) support on it so that its clients can synchronize securely.

If the NTP server is itself a client of other servers, that is, it is not a Stratum 1 server, it should use NTS or symmetric key authentication for its own synchronization. Otherwise the time it serves with NTS is only as trustworthy as its unauthenticated upstream sources.

Prerequisites

  • Server private key in PEM format
  • Server certificate, with the required intermediate certificates, in PEM format

Procedure

  1. Specify the private key and the certificate file in chrony.conf.

    For example:
    ntsserverkey /etc/pki/tls/private/foo.example.net.key
    ntsservercert /etc/pki/tls/certs/foo.example.net.crt
  2. Ensure that both the key and certificate files are readable by the chrony system user, for example by setting their group ownership. Do not make the private key world-readable; group read access for chrony is sufficient.

    For example:
    chown :chrony /etc/pki/tls/*/foo.example.net.*
  3. Ensure that the ntsdumpdir /var/lib/chrony directive is present in chrony.conf. The server saves the keys that protect its NTS cookies there, so that cookies issued before a restart remain valid; without it, every client must repeat NTS-KE after each restart.
  4. Restart the chronyd service:

    systemctl restart chronyd
    Important

    If the server has a firewall, it must allow incoming traffic on UDP port 123 for NTP and TCP port 4460 for NTS Key Establishment (NTS-KE).

Verification

  • Perform a quick test from a client machine with the following command:

    $ chronyd -Q -t 3 'server foo.example.net iburst nts maxsamples 1'
    2021-09-15T13:45:26Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
    2021-09-15T13:45:26Z Disabled control of system clock
    2021-09-15T13:45:28Z System clock wrong by 0.002205 seconds (ignored)
    2021-09-15T13:45:28Z chronyd exiting

    The System clock wrong message indicates that the NTP server is accepting NTS-KE connections and responding with NTS-protected NTP messages.

  • On the server, verify that NTS-KE connections and authenticated NTP packets have been observed:

    # chronyc serverstats
    
    NTP packets received       : 7
    NTP packets dropped        : 0
    Command packets received   : 22
    Command packets dropped    : 0
    Client log records dropped : 0
    NTS-KE connections accepted: 1
    NTS-KE connections dropped : 0
    Authenticated NTP packets  : 7

    If both the NTS-KE connections accepted and the Authenticated NTP packets counters are non-zero, at least one client was able to connect to the NTS-KE port and send an authenticated NTP request.
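The following shell script is an added example, not code from the chrony documentation or the chrony project. It checks the server-side prerequisites and verification above: that the private key is readable by the group the chrony user belongs to but not by everyone, that the first certificate in the certificate file belongs to the key (using openssl, when installed), and that chronyc serverstats reports at least one accepted NTS-KE connection and one authenticated NTP packet. The file paths, the group name passed to the check and the serverstats counters are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: NTS server prerequisite and verification checks. Not part of chrony;
# the serverstats field names follow the chronyc output shown in the chapter.

# check_nts_key_file KEY GROUP
# The private key must be readable by the chrony user (through group GROUP after
# the chown in step 2) and by nobody else. Mode and group are taken from ls -l,
# so the check is portable. Returns 1 on any violation.
check_nts_key_file() {
    key=$1; group=$2; rc=0
    [ -f "$key" ] || { printf 'MISSING: %s\n' "$key"; return 1; }
    set -- $(ls -ld "$key")            # $1 = mode string, $3 = owner, $4 = group
    mode=$1; grp=$4
    [ "$grp" = "$group" ] ||
        { printf 'GROUP: %s is owned by group %s, expected %s\n' "$key" "$grp" "$group"; rc=1; }
    case $mode in
        ????r*) ;;                      # group read bit (position 5) is set
        *) printf 'NOT GROUP-READABLE: %s (%s)\n' "$key" "$mode"; rc=1 ;;
    esac
    case $mode in
        ???????r*) printf 'WORLD-READABLE: %s (%s)\n' "$key" "$mode"; rc=1 ;;
    esac
    return $rc
}

# check_nts_keypair KEY CERT
# The first certificate in CERT (the server's own; intermediates follow it) must
# carry the public key of KEY. Uses openssl; skipped with a warning if it is absent.
check_nts_keypair() {
    command -v openssl >/dev/null 2>&1 ||
        { echo 'WARNING: openssl not found, key/certificate match not checked'; return 0; }
    pub_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    pub_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$pub_key" ] && [ "$pub_key" = "$pub_cert" ]; then return 0; fi
    printf 'MISMATCH: %s does not match %s\n' "$2" "$1"; return 1
}

# check_serverstats   (reads "chronyc serverstats" output on stdin)
# Passes only if at least one NTS-KE connection was accepted and at least one
# authenticated NTP packet was received.
check_serverstats() {
    awk -F: '/^NTS-KE connections accepted/ { ke = $2 + 0 }
             /^Authenticated NTP packets/   { auth = $2 + 0 }
             END { if (ke < 1)   print "NO NTS-KE CONNECTIONS ACCEPTED"
                   if (auth < 1) print "NO AUTHENTICATED NTP PACKETS"
                   exit (ke < 1 || auth < 1) }'
}

# Constructed samples (the first mirrors the counters shown in the chapter).
SAMPLE_SERVERSTATS_OK='NTP packets received       : 7
NTP packets dropped        : 0
Command packets received   : 22
Command packets dropped    : 0
Client log records dropped : 0
NTS-KE connections accepted: 1
NTS-KE connections dropped : 0
Authenticated NTP packets  : 7'

SAMPLE_SERVERSTATS_IDLE='NTP packets received       : 7
NTP packets dropped        : 0
NTS-KE connections accepted: 0
NTS-KE connections dropped : 0
Authenticated NTP packets  : 0'

# Demonstration on a temporary key file with mode 0600 and a group name that is
# unlikely to match: expect a wrong-group finding and a not-group-readable finding.
demo_key=$(mktemp)
chmod 0600 "$demo_key"
check_nts_key_file "$demo_key" chrony || echo 'key file: findings above'
rm -f "$demo_key"
printf '%s\n' "$SAMPLE_SERVERSTATS_IDLE" | check_serverstats || echo 'serverstats: findings above'
```

On a real server, run `check_nts_key_file /etc/pki/tls/private/foo.example.net.key chrony`, `check_nts_keypair` with the key and certificate paths from chrony.conf, and `chronyc serverstats | check_serverstats` after a client has performed the quick test above. A key with mode 0640 and group chrony passes; 0644 is flagged as world-readable and 0600 as unreadable by the chrony group.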