I have set up an NTP server on an Ubuntu machine and an NTP client on CentOS 9 Stream, both using Chrony. I have enabled authentication on both the server and the client, but when I put different keys on the two sides, synchronization still succeeds! How do I enforce NTP authentication and block synchronization when the keys do not match?
Here is my setup:
Server:
# cat /etc/chrony/chrony.conf
pool ntp.ubuntu.com iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
pool 1.ubuntu.pool.ntp.org iburst maxsources 1
pool 2.ubuntu.pool.ntp.org iburst maxsources 2
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
makestep 1 3
allow 192.168.1.0/24
# cat /etc/chrony/chrony.keys
1 MD5 111222
Client:
# cat /etc/chrony.conf
sourcedir /run/chrony-dhcp
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
server 192.168.1.10
# cat /etc/chrony.keys
1 MD5 55555555
# chronyc ntpdata
Remote address : 192.168.1.10 (290C1402)
Remote port : 123
Local address : 192.168.1.14 (0A0A3833)
Leap status : Normal
Version : 4
Mode : Server
Stratum : 3
Poll interval : 10 (1024 seconds)
Precision : -25 (0.000000030 seconds)
Root delay : 0.008575 seconds
Root dispersion : 0.001907 seconds
Reference ID : 4C7CE64A ()
Reference time : Thu Aug 04 09:45:39 2022
Offset : +0.000157768 seconds
Peer delay : 0.000969113 seconds
Peer dispersion : 0.000000050 seconds
Response time : 0.000046875 seconds
Jitter asymmetry: +0.00
NTP tests : 111 111 1111
Interleaved : No
Authenticated : No
TX timestamping : Daemon
RX timestamping : Kernel
Total TX : 36
Total RX : 36
Total valid RX : 36
# timedatectl status
Local time: Thu 2022-08-04 10:12:18 UTC
Universal time: Thu 2022-08-04 10:12:18 UTC
RTC time: Thu 2022-08-04 10:12:17
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Answer 1
OK, I found the answer. We can force authentication by using the key [KEY ID] keyword at the end of the server or pool statement, like this:
server 192.168.1.10 key 1
Setting the keyfile alone does not enforce authentication; with the key keyword set, the client will not synchronize if the key is missing or there is a key mismatch.
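As an added check (not part of the original answer), a small POSIX shell audit that flags the two symptoms visible in the question: server/pool directives without a key option, and sources for which chronyc ntpdata reports anything other than "Authenticated : Yes". The config and ntpdata text it runs on are constructed from the question's own output; on a live host you would feed it /etc/chrony.conf and the real chronyc output.

```shell
#!/bin/sh
# Added example, not from the original post: audit a chrony client for
# sources that are not really authenticated. Both checks read stdin, so
# they run offline on the constructed samples below; on a live host feed
# them /etc/chrony.conf and the output of "chronyc ntpdata".

# Print every server/pool directive that lacks a "key <id>" option.
# The asker's "server 192.168.1.10" is flagged; "server 192.168.1.10 key 1"
# from the answer is not.
unkeyed_sources() {
    awk '
        $1 == "server" || $1 == "pool" {
            keyed = 0
            for (i = 2; i < NF; i++)
                if ($i == "key" && $(i + 1) ~ /^[0-9]+$/) keyed = 1
            if (!keyed) print
        }'
}

# Print the remote address of each ntpdata block that does not report
# "Authenticated : Yes". chronyc pads field names, so the separator is
# matched as optional spaces around the colon.
unauthenticated() {
    awk -F' *: *' '
        $1 == "Remote address" { addr = $2; sub(/ .*/, "", addr) }
        $1 == "Authenticated" && $2 != "Yes" { print addr }'
}

# Constructed samples: the asker's client config (keyfile set, but no key
# option on the server line) and the relevant fields of their ntpdata.
SAMPLE_CONF='keyfile /etc/chrony.keys
server 192.168.1.10
pool 2.pool.ntp.org iburst key 1'
SAMPLE_NTPDATA='Remote address  : 192.168.1.10 (290C1402)
NTP tests       : 111 111 1111
Authenticated   : No'

# Combined audit: succeeds only when both checks come back empty.
# On a real host: audit "$(cat /etc/chrony.conf)" "$(chronyc ntpdata)"
audit() {
    bad=$(printf '%s\n' "$1" | unkeyed_sources)
    noauth=$(printf '%s\n' "$2" | unauthenticated)
    if [ -n "$bad" ]; then printf 'no key option:\n%s\n' "$bad"; fi
    if [ -n "$noauth" ]; then printf 'not authenticated: %s\n' "$noauth"; fi
    [ -z "$bad" ] && [ -z "$noauth" ]
}

audit "$SAMPLE_CONF" "$SAMPLE_NTPDATA" || echo "client accepts unauthenticated time"
```

The audit only reports what the client is configured to require and what chronyc observed; it does not prove the key material itself matches, which is what a deliberate mismatch test like the asker's still checks.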