[Feature request] Chrony authselectmode

Started by Mr.Goodcat, July 19, 2021, 09:04:03 PM

Hi,

I recently decided to switch to chrony which is working great so far :D
Unfortunately though, the plugin doesn't allow specifying the authselectmode, i.e. how to handle NTS. Currently it seems to be set to "require", meaning all non-NTS servers are ignored. However, I'd like to run a mix of remote NTS servers plus local non-NTS servers. Thus it would be great if the options "prefer" and "mix" were available. Would it be possible to add this with an upcoming update? Thanks!

Can you open a feature request in GitHub? I'll take it then

July 20, 2021, 07:18:02 PM #2 Last Edit: July 21, 2021, 03:27:01 PM by Mr.Goodcat
Hi,

thank you for your help! :D

Quote from: mimugmail on July 19, 2021, 10:17:20 PM
Can you open a feature request in GitHub? I'll take it then

I opened up a request on Github, not sure if this is the right format though:
https://github.com/opnsense/plugins/issues/2470

The request is a bit nonsensical in that public NTP servers will be of a lower stratum than an internal one - which presumably will be tied to a GPS device. When mixing and matching multiple lower stratum clocks against a single stratum 0 one (gps/atomic) it will be discarded as:
Quote: 'x' = may be in error

The better option in the absence of an RTC clock would be to add the NTS servers both with DNS entries and IPs, so that a power outage doesn't create a chicken-and-egg problem when all SSL-based services including DNS come up and nothing works because the time is incorrect.

Other alternatives to consider: Rpi + GPS dongle and/or RTC clock module.

I would like to have this as well.

On my (VLAN) interfaces I have port redirect for 123 pointing to the Chrony service over at 127.0.0.1:123 (having the default NTPD disabled).

Chrony is using NTS enabled NTP servers:

time.cloudflare.com
nts.netnod.se
sth1.nts.netnod.se
sth2.nts.netnod.se

However, I have been unable to incorporate my RPi with GPS HAT with this setup, because the NTP server on the RPi does not use NTS.

I have not thought of the condition described in the comment from newsense.

It would induce a whole lot of problems when I come to think of it, because I do port redirect :53 to Unbound as well, which only uses DoT upstream servers (they are configured using IP - 95.215.19.53@853 - https://dns.njal.la ) - but in regards to certificates, time is of the essence.

Good catch, newsense, thanks. Let's see if I find any IP addresses for these NTS enabled NTP servers...
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

What is the exact syntax you use to achieve this?
Currently it seems not possible as templating is adding "nts" to every record as soon as you enable "NTS"

Quote from: mimugmail on December 30, 2021, 07:56:22 AM
What is the exact syntax you use to achieve this?
Currently it seems not possible as templating is adding "nts" to every record as soon as you enable "NTS"

https://chrony.tuxfamily.org/doc/devel/chrony.conf.html
NTS should only be added to servers specifically configured with NTS. Then it will be sufficient to add a line with "authselect MODE", where mode can be require/prefer/mix/ignore.
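As an added illustration (not the OPNsense plugin's template and not part of this thread), a chrony.conf fragment for the setup being discussed: the NTS-enabled public servers named earlier in the thread, a local non-NTS GPS source, and the selection mode set explicitly. The local server address 192.0.2.10 is a constructed placeholder, and the directive name used is chrony's own `authselectmode`.

```conf
# Added example chrony.conf fragment (not the OPNsense plugin's template):
# a mix of public NTS-authenticated servers and a local, unauthenticated
# GPS-backed source, with the selection mode chosen explicitly.

# NTS-enabled public servers (hostnames from the thread). The "nts" keyword
# turns on NTS-KE authentication for that server line only.
server time.cloudflare.com iburst nts
server nts.netnod.se iburst nts

# Local RPi + GPS HAT serving plain NTP (address is a constructed placeholder).
server 192.0.2.10 iburst

# How authenticated and unauthenticated sources take part in selection:
#   require - unauthenticated sources are ignored (the all-or-nothing
#             behaviour the thread describes)
#   prefer  - unauthenticated sources are selected only when no
#             authenticated source is selectable
#   mix     - both kinds are selected together
#   ignore  - authentication is not considered in selection
authselectmode prefer

# Save NTS cookies across restarts so a reboot can start exchanging NTP
# packets from stored cookies instead of depending on a fresh NTS-KE
# (TLS, hence roughly correct time and working DNS) succeeding first.
ntsdumpdir /var/lib/chrony
```

Because `nts` is a per-server option, this is exactly the per-server NTS setting the thread asks the plugin for; with `authselectmode prefer` the local GPS source is only used when none of the NTS servers is selectable, and `chronyc sources` still marks any source whose time disagrees with the majority with 'x' (falseticker) regardless of the mode.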

Hm, this won't work in the current setup as the checkbox does this for all, so this is an all or nothing setup. :(

OK, good news, I guess you mean that the current setup configuration that's there will need to be corrected, excellent. :)

Quote from: mimugmail on January 21, 2022, 12:53:00 PM
Hm, this won't work in the current setup as the checkbox does this for all, so this is an all or nothing setup. :(

Yes, it would need to be along the lines of something like the "users" section of freeradius, i.e. with an individual "NTS" checkbox per Server.

I think I will add a single field for initial query, like with dnscrypt

I don't quite get it but still look forward to your update ;D