[chrony-users] Is restrict option supported in chrony.conf 2.1
Robert Moskowitz
2016-12-27 14:30:37 UTC
Dear list members:

I have used ntpd in the past. I am now working with chronyd on Centos
7.3 which has v 2.1.1

For allowing local hosts to query my ntpd server I would use:

restrict 192.168.128.0 mask 255.255.255.0 nomodify notrap

In the chronyd docs I only see the following equivalent:

allow 192.168.128/24

Does this allow open up the server to updates from local hosts as well
as permitting them to get the time?

Basically how do I provide the level of protection of my time server
with chronyd as I did with ntpd?

Additionally, ntpd provides protection from upstream servers:

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery

Is this an issue with chronyd?


thank you
--
To unsubscribe email chrony-users-***@chrony.tuxfamily.org
with "unsubscribe" in the subject.
For help email chrony-users-***@chrony.tuxfamily.org
with "help" in the subject.
Trouble? Email ***@chrony.tuxfamily.org.
Miroslav Lichvar
2017-01-02 08:52:11 UTC
Post by Robert Moskowitz
allow 192.168.128/24
Does this allow open up the server to updates from local hosts as well as
permitting them to get the time?
If by updates you mean chronyc commands (similar to ntpq/ntpdc), then
no. The allow directive only allows NTP queries from NTP clients,
nothing else. The cmdallow directive allows chronyc commands and the
default is denied for everything except localhost. Also, chronyd by
default binds the command sockets to localhost (127.0.0.1, ::1), which
needs to be changed by the bindcmdaddress directive in order to allow
remote access.
Post by Robert Moskowitz
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
Is this an issue with chronyd?
No. The defaults are safe. Unless you add a cmdallow directive
together with "bindcmdaddress 0.0.0.0" (or ::) to the configuration
file, all command packets from network will be dropped.
--
Miroslav Lichvar
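The answer above reduces to a rule a defender can check mechanically: "allow" only governs NTP requests, and chronyc commands become reachable from the network only when a "cmdallow" directive is combined with a "bindcmdaddress" that is not loopback. The following is an added example, not code from the thread or from the chrony project: a POSIX shell audit that applies that rule to chrony.conf text. The three configurations it inspects are constructed for illustration and the function names (strip_comments, ntp_allowed_networks, chronyc_access) are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the chrony project): audit chrony.conf
# text for the access rules described in the answer. NTP queries are governed
# by "allow"; chronyc commands need BOTH a "cmdallow" directive and a
# "bindcmdaddress" that is not a loopback address, otherwise they stay local.

# Constructed sample configurations (hypothetical, not from the post).
SAFE_CONF='server 0.pool.ntp.org iburst
allow 192.168.128/24          # NTP clients on the LAN, nothing else
driftfile /var/lib/chrony/drift'

LOCAL_CMD_CONF='server 0.pool.ntp.org iburst
allow 192.168.128/24
cmdallow 192.168.128/24       # cmdallow alone is not enough: socket still on loopback
bindcmdaddress 127.0.0.1'

EXPOSED_CONF='server 0.pool.ntp.org iburst
allow 192.168.128/24
cmdallow 192.168.128/24
bindcmdaddress 0.0.0.0        # command socket now reachable from the network'

# strip_comments CONF: drop "#..." and blank lines so awk sees only directives
strip_comments() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -v '^[[:space:]]*$'
}

# ntp_allowed_networks CONF: networks permitted to send NTP requests
# (a bare "allow" with no argument means every address).
ntp_allowed_networks() {
    strip_comments "$1" | awk '$1=="allow" {print ($2=="" ? "all" : $2)}'
}

# chronyc_access CONF: prints "exposed" when remote chronyc commands could be
# accepted, "local-only" otherwise. The verdict is the output; status is 0.
chronyc_access() {
    has_cmdallow=$(strip_comments "$1" | awk '$1=="cmdallow" {print "yes"; exit}')
    bind_addrs=$(strip_comments "$1" | awk '$1=="bindcmdaddress" {print $2}')
    nonlocal=no
    for addr in $bind_addrs; do
        case $addr in
            127.*|::1|localhost) ;;   # loopback: only local chronyc can reach it
            *) nonlocal=yes ;;        # 0.0.0.0, ::, or a real interface address
        esac
    done
    if [ "$has_cmdallow" = yes ] && [ "$nonlocal" = yes ]; then
        echo exposed
    else
        echo local-only
    fi
}

# Stand-alone run: report each sample configuration.
for name in SAFE_CONF LOCAL_CMD_CONF EXPOSED_CONF; do
    eval "conf=\$$name"
    echo "$name: NTP allowed from [$(ntp_allowed_networks "$conf" | tr '\n' ' ')] chronyc: $(chronyc_access "$conf")"
done
```

The script only reads the configuration text, so it reflects what chronyd would be told to do, not what a host firewall or a different chronyd version actually does; it is a quick way to confirm, on a box like the one in the question, that adding "allow" for the LAN has not also opened the command port.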