OPNsense
  • OPNsense Forum »
  • Archive »
  • 21.1 Legacy Series »
  • [Feature request] Chrony authselectmode
Author Topic: [Feature request] Chrony authselectmode  (Read 7115 times)

Mr.Goodcat

« on: July 19, 2021, 09:04:03 pm »
Hi,

I recently decided to switch to chrony which is working great so far :D
Unfortunately though, the plugin doesn't allow specifying the authselectmode, i.e. how to handle NTS. Currently it seems to be set to "require", meaning all non-NTS servers are ignored. However, I'd like to run a mix of remote NTS servers plus local non-NTS servers. Thus it would be great if the options "prefer" and "mix" were available. Would it be possible to add this with an upcoming update? Thanks!

mimugmail

« Reply #1 on: July 19, 2021, 10:17:20 pm »
Can you open a feature request in GitHub? I'll take it then
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Mr.Goodcat

« Reply #2 on: July 20, 2021, 07:18:02 pm »
Hi,

thank you for your help! :D

Quote from: mimugmail on July 19, 2021, 10:17:20 pm
Can you open a feature request in GitHub? I'll take it then

I opened up a request on Github, not sure if this is the right format though:
https://github.com/opnsense/plugins/issues/2470
« Last Edit: July 21, 2021, 03:27:01 pm by Mr.Goodcat »

newsense

« Reply #3 on: July 22, 2021, 03:17:39 am »
The request is a bit nonsensical in that public NTP servers will be of a lower stratum than an internal one - which presumably will be tied to a GPS device. When mixing and matching multiple lower stratum clocks against a single stratum 0 one (gps/atomic) it will be discarded as
Quote
'x' = may be in error

The better option in the absence of an rtc clock would be to add the NTS servers both with DNS entries and IPs, so that a power outage doesn't create a chicken and egg problem when all SSL based services including DNS come up and nothing works because the time is incorrect.

Other alternatives to consider: Rpi + GPS dongle and/or RTC clock module.

koushun

« Reply #4 on: November 17, 2021, 11:29:36 am »
I would like to have this as well.

On my (VLAN) interfaces I have port redirect for 123 pointing to the Chrony service over at 127.0.0.1:123 (having the default NTPD disabled).

Chrony is using NTS enabled NTP servers:

time.cloudflare.com
nts.netnod.se
sth1.nts.netnod.se
sth2.nts.netnod.se

However, I have been unable to incorporate my RPi with GPS HAT with this setup, because the NTP server on the RPi does not use NTS.

I have not thought of the condition described in the comment from newsense.

It would induce a whole lot of problems when I come to think of it, because I do port redirect :53 to Unbound as well, which only uses DoT upstream servers (they are configured using IP - 95.215.19.53@853 - https://dns.njal.la ) - but in regards to certificates, time is of the essence.

Good catch, newsense - thanks. Let's see if I find any IP addresses for these NTS enabled NTP servers...
GA-J3455N-D3H (rev. 1.0)

mimugmail

« Reply #5 on: December 30, 2021, 07:56:22 am »
What is the exact syntax you use to achieve this?
Currently it seems not possible as templating is adding "nts" to every record as soon as you enable "NTS"

Mr.Goodcat

« Reply #6 on: January 21, 2022, 10:55:12 am »
Quote from: mimugmail on December 30, 2021, 07:56:22 am
What is the exact syntax you use to achieve this?
Currently it seems not possible as templating is adding "nts" to every record as soon as you enable "NTS"

https://chrony.tuxfamily.org/doc/devel/chrony.conf.html
NTS should only be added to servers specifically configured with NTS. Then it will be sufficient to add a line with "authselect MODE", where mode can be require/prefer/mix/ignore.
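Added example, not part of the original thread and not the plugin's code: a Python sketch of how chrony's `authselectmode` directive, as documented in chrony.conf(5), changes the selection options when NTS and non-NTS servers are mixed. The local server address 192.0.2.10 and all function names are assumptions made for illustration.

```python
# Added example: models the authselectmode rules from chrony.conf(5).
# Constructed sample config; 192.0.2.10 stands in for a local non-NTS server.
SAMPLE_CONF = """\
server time.cloudflare.com iburst nts
server nts.netnod.se iburst nts
server 192.0.2.10 iburst
"""

MODES = ("require", "prefer", "mix", "ignore")

def parse_sources(conf):
    """Return [(address, options)] for server/pool/peer lines."""
    sources = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("server", "pool", "peer"):
            sources.append((fields[1], set(fields[2:])))
    return sources

def is_authenticated(opts):
    # 'nts' enables NTS; 'key <id>' enables symmetric-key authentication.
    return "nts" in opts or "key" in opts

def effective_options(conf, mode):
    """Apply the documented per-mode defaults (reference clocks not modelled)."""
    if mode not in MODES:
        raise ValueError("unknown authselectmode: " + mode)
    sources = parse_sources(conf)
    any_auth = any(is_authenticated(o) for _, o in sources)
    any_unauth = any(not is_authenticated(o) for _, o in sources)
    result = {}
    for addr, opts in sources:
        opts, auth = set(opts), is_authenticated(opts)
        if mode == "require" and not auth:
            opts.add("noselect")            # unauthenticated sources never selected
        elif mode == "prefer" and not auth and any_auth:
            opts.add("noselect")            # ignored once any source is authenticated
        elif mode == "mix" and auth and any_unauth:
            opts |= {"require", "trust"}    # authenticated sources outvote the rest
        result[addr] = opts                 # 'ignore' leaves options as written
    return result

def selectable(conf, mode):
    """Addresses chronyd may still select for synchronisation in this mode."""
    eff = effective_options(conf, mode)
    return sorted(a for a, o in eff.items() if "noselect" not in o)

if __name__ == "__main__":
    for m in MODES:
        print(m, selectable(SAMPLE_CONF, m))
```

For this sample, only `mix` and `ignore` keep the non-NTS server selectable, and only `mix` also marks the NTS servers `require` and `trust`.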

mimugmail

  • Hero Member
  • *****
  • Posts: 6302
  • Karma: 434
    • View Profile
Re: [Feature request] Chrony authselectmode
« Reply #7 on: January 21, 2022, 12:53:00 pm »
Hm, this won't work in the current setup as the checkbox does this for all, so this is an all or nothing setup. :(

lilsense

« Reply #8 on: January 21, 2022, 08:50:16 pm »
OK. good news, I guess you mean that the current setup configuration that's there will need to be corrected, excellent. :)

Mr.Goodcat

« Reply #9 on: January 22, 2022, 04:25:57 pm »
Quote from: mimugmail on January 21, 2022, 12:53:00 pm
Hm, this won't work in the current setup as the checkbox does this for all, so this is an all or nothing setup. :(

Yes, it would need to be along the lines of something like the "users" section of freeradius, i.e. with an individual "NTS" checkbox per Server.

mimugmail

« Reply #10 on: January 22, 2022, 04:49:46 pm »
I think I will add a single field for initial query, like with dnscrypt

Mr.Goodcat

« Reply #11 on: January 23, 2022, 12:55:40 pm »
I don't quite get it but still look forward to your update ;D