[Feature request] Chrony authselectmode

[Mr.Goodcat]

Hi,

I recently decided to switch to chrony which is working great so far
Unfortunately though, the pluging doesn't allow to specify the authselectmode, i.e. how to handle NTS. Currently it seems to be set to "require", meaning all non-NTS servers are ignored. However, I'd like to run a mix of remote NTS servers plus local non-NTS servers. Thus it would be great if the options "prefer" and "mix" were available. Would it be possible to add this with an upcoming update? Thanks!

[mimugmail]

Can you open a feature request in GitHub? I'll take it then

[Mr.Goodcat]

Hi,

thank you for your help!

Can you open a feature request in GitHub? I'll take it then

I opened up a request on Github, not sure if this is the right format though:
https://github.com/opnsense/plugins/issues/2470

[newsense]

The request is a bit non-sensical in that public NTP servers will be of a lower stratum than an internal one - which presumably will be tied to a GPS device. When mixing and matching multiple lower stratum clocks against a single stratum 0 one (gps/atomic) it will be discarded as

'x' = may be in error

The better option in the absence of an rtc clock would be to add the NTS servers both with DNS entries and IPs, so that a power outage doesn't create a chicken and egg problem when all SSL based services including DNS come up and nothing works because the time is incorrect.

Other alternatives to consider: Rpi + GPS dongle and/or RTC clock module.

[koushun]

I would like to have this as well.

On my (VLAN) interfaces I have port redirect for 123 pointing to the Chrony service over at 127.0.0.1:123 (having the default NTPD disabled).

Chrony is using NTS enabled NTP servers:

time.cloudflare.com
nts.netnod.se
sth1.nts.netnod.se
sth2.nts.netnode.se

However, I have been unable to incorporate my RPi with GPS HAT with this setup, because the NTP server on the RPi does not use NTS.

I have not thought of the condition described in the comment from newsense.

It would induce a whole lot of problems when I come to think of it, because I do port redirect :53 to Unbound as well, which only uses DoT upstream servers (they are configured using IP - 95.215.19.53@853 - https://dns.njal.la ) - but in regards to certificates, time is of the essence.

Good cactch, newsense- thanks. Let's see if I find any ip addresses for these NTS enabled NTP servers. ..

[mimugmail]

What is the exact syntax you use to achieve this?
Currently it seems not possible as templating is adding "nts" to every record as soon as you enalbe "NTS"

[Mr.Goodcat]

What is the exact syntax you use to achieve this?
Currently it seems not possible as templating is adding "nts" to every record as soon as you enalbe "NTS"

https://chrony.tuxfamily.org/doc/devel/chrony.conf.html
NTS should only be added to servers specifically configured with NTS. Then it will be sufficient to add a line with "authselect MODE", where mode can be require/prefer/mix/ignore.

[mimugmail]

Hm, this wont work in the current setup as the checkbox does this for all, so this is an all or nothing setup.

[lilsense]

OK. good news, I guess you mean that the current setup configuration that's there will need to be corrected, excellent.

[Mr.Goodcat]

Hm, this wont work in the current setup as the checkbox does this for all, so this is an all or nothing setup.

Yes, it would need to be along the lines of something like the "users" section of freeradius, i.e. with an individual "NTS" checkbox per Server.

[mimugmail]

I think I will add a single field for initial query, like with dnscrypt

[Mr.Goodcat]

I don't quite get it but still look forward to your update