Configuring the Local NTP Server with Authentication

Generally, all cloud providers set up authentication for their local servers. To verify the authentication status of the local servers, use the chronyc command as follows:

user1@kali-worker3:~$ sudo chronyc ntpdata 192.168.2.56 | grep Authenticated
Authenticated   : No

To secure your local servers:

  1. Select the key-id and n-bit Secure Hash Algorithm (SHA) key.

    • The following example shows the default key generation.

      user1@cluster-manager:~$ sudo chronyc keygen
      1 SHA1 HEX:959623F106595B9E75BE328C265CA9C86560D88E

    • The following example shows the key generation with key-id 27 and a 512-bit SHA key.

      user1@cluster-manager:~$ sudo chronyc keygen 27 SHA512 512
      27 SHA512 HEX:80E68E6AEB1B994217282568AF2A0EA8E4731F6CDC5CC5635C799676864BD68B4317FA897B54F10DCFE8F5F367E03626ACD0A5048BAA8E1A615A44C4FCF731B3
  2. Add the keys to the /etc/chrony/chrony.keys file to configure the authentication.

  3. Restart Chrony as follows.

    user1@cluster-manager:~$ sudo systemctl daemon-reload
    user1-cloud@cluster-manager:~$ sudo systemctl restart chrony 
    user1-cloud@cluster-manager:~$ sudo systemctl status chrony
    ● chrony.service - chrony, an NTP client/server
       Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2019-11-19 19:29:08 UTC; 8s ago
         Docs: man:chronyd(8)
               man:chronyc(1)
               man:chrony.conf(5)
      Process: 20452 ExecStartPost=/usr/lib/chrony/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
      Process: 20406 ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS (code=exited, status=0/SUCCESS)
     Main PID: 20445 (chronyd)
        Tasks: 1 (limit: 4915)
       CGroup: /system.slice/chrony.service
               └─20445 /usr/sbin/chronyd
    
    Nov 19 19:29:08 cluster-manager systemd[1]: Starting chrony, an NTP client/server...
    Nov 19 19:29:08 cluster-manager chronyd[20445]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
    Nov 19 19:29:08 cluster-manager chronyd[20445]: Frequency -12.095 +/- 0.044 ppm read from /var/lib/chrony/chrony.drift
    Nov 19 19:29:08 cluster-manager systemd[1]: Started chrony, an NTP client/server.
    Nov 19 19:29:13 cluster-manager chronyd[20445]: Selected source 171.68.38.65
  4. Update the NTP configuration in the cluster manager.

  5. Run the cluster synchronization as follows.

    node-defaults os ntp servers 192.168.2.56
      key-id   27
      sha-type SHA512
      sha-key  80E68E6AEB1B994217282568AF2A0EA8E4731F6CDC5CC5635C799676864BD68B4317FA897B54F10DCFE8F5F367E03626ACD0A5048BAA8E1A615A44C4FCF731B3
    exit
  6. Verify the authentication status on all the nodes connected to the local server after synchronization.

    user1@kali-worker3:~$ sudo chronyc ntpdata 192.168.2.56 | grep Authenticated
    Authenticated   : Yes
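
For step 2, a check that can be run over the key file before restarting Chrony, to catch a long key that was truncated or split across two lines when pasted. This is an added example, not part of the original procedure: the function names, the MIN_BITS threshold, and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Lint a chrony key file read on stdin. Expects the three-field form that
# `chronyc keygen` prints: ID TYPE HEX:<digits>.
# MIN_BITS is this example's policy threshold (an assumption), not a chrony limit.
MIN_BITS=${MIN_BITS:-160}

lint_chrony_keys() {
    awk -v min_bits="$MIN_BITS" '
        function flag(msg) { print NR ": " msg; bad++ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            id = $1; type = toupper($2); key = $3
            # A wrapped key leaves a second line that starts with hex digits.
            if (id !~ /^[0-9]+$/) { flag("key-id is not numeric (wrapped key?)"); next }
            if (seen[id]++)       { flag("duplicate key-id " id) }
            if (NF != 3)          { flag("expected ID TYPE KEY"); next }
            if (key !~ /^HEX:/)   { flag("key " id " is not HEX-encoded"); next }
            hex = substr(key, 5)
            if (hex !~ /^[0-9A-Fa-f]+$/ || length(hex) % 2) {
                flag("key " id " is not whole hex bytes (truncated?)"); next
            }
            bits = length(hex) * 4
            if (bits < min_bits)  { flag("key " id " is only " bits " bits") }
            if (type == "MD5")    { flag("key " id " uses MD5") }
        }
        END { exit (bad > 0) }'
}

# Constructed sample input (not real keys): line 3 is a key wrapped onto line 4.
sample_keys() {
cat <<'EOF'
# constructed sample, not real keys
1 SHA1 HEX:0123456789ABCDEF0123456789ABCDEF01234567
27 SHA512 HEX:00112233445566778899AABBCCDDEEFF001
12233445566778899AABBCCDDEEFF
5 MD5 HEX:0123456789ABCDEF
5 SHA256 HEX:00112233445566778899AABBCCDDEEFF00112233
EOF
}

# Real use (as root): lint_chrony_keys < /etc/chrony/chrony.keys
sample_keys | lint_chrony_keys || echo "key file needs attention"
```

Each finding is prefixed with the line number in the key file, and the function returns non-zero when anything is flagged, so it can gate the restart in step 3.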