[chrony] Allow symmetric NTP authentication. #3824
Conversation
|
If possible, please consult with [email protected]. |
| @@ -1,7 +1,7 @@ | |||
| <model> | |||
| <mount>//OPNsense/chrony/general</mount> | |||
| <description>Chrony configuration</description> | |||
| <version>0.0.2</version> | |||
| <version>0.0.3</version> | |||
There was a problem hiding this comment.
Bumped to 0.0.3 on account of the append-only schema change.
| {% if not helpers.empty('OPNsense.chrony.general.peers') %} | ||
| {% for peer in OPNsense.chrony.general.peers.split(',') %} | ||
| server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}nts{% endif %} | ||
|
|
| @@ -15,13 +15,26 @@ nosystemcert | |||
| nocerttimecheck 1 | |||
| {% endif %} | |||
|
|
|||
| {% if helpers.exists('OPNsense.chrony.general.symmetric_auth') and OPNsense.chrony.general.symmetric_auth == '1' %} | |||
| {% if helpers.exists('OPNsense.chrony.general.symmetric_keys_file') and not helpers.empty('OPNsense.chrony.general.symmetric_keys_file') %} | |||
| keyfile /usr/local/etc/chrony.keys | |||
There was a problem hiding this comment.
Please verify that /usr/local/etc/chrony.keys is indeed the correct path.
| # Don't use example keys! It's recommended to generate random keys using | ||
| # the chronyc keygen command. | ||
|
|
||
| {{ OPNsense.chrony.general.symmetric_keys_file }} |
There was a problem hiding this comment.
Dump the multi-line text widget as-is.
There was a problem hiding this comment.
I'm afraid this goes against our coding guidelines... https://docs.opnsense.org/development/guidelines/basics.html#safeguard-user-input
What is the problem scope? Writing the file manually will overwrite it later or just convenience to store the value in the GUI?
There was a problem hiding this comment.
NTPD does the same thing. What's the best way to make the chrony.keys file persistent? Is there away to bypass the PHP UI?
There was a problem hiding this comment.
I want the chrony.keys file to be created each time the router boots up. (Preferably WORM - write once.)
There was a problem hiding this comment.
Does the NTPD widget violate the coding guidelines?
There was a problem hiding this comment.
@fichtner. Is the ask to re-write chrony like services_ntpd.php? (It seems like overkill. Likewise, there is a risk of creating a tarpit.)
There was a problem hiding this comment.
Let’s slow down a bit. NTPd is not the scope a here and we don’t accept static PHP submission anymore anyway.
I’m going to reiterate:
Config blobs into files are discouraged, because they cannot be validated. You can split up the content in a model in these cases.
what is odder a that /etc/ntpd.keys is a file in use by ntpd, but not chrony? Is that correct? If it’s also used by chrony i’d say it’s problematic as well for other reasons.
There was a problem hiding this comment.
Ok I misread the second part. No file overlap is good then.
| {% endfor %} | ||
| {% endif %} | ||
|
|
||
| {% if helpers.exists('OPNsense.chrony.general.symmetric_auth') and OPNsense.chrony.general.symmetric_auth == '1' %} | ||
| {% if helpers.exists('OPNsense.chrony.general.auth_servers') and not helpers.empty('OPNsense.chrony.general.auth_servers') %} | ||
| {{ OPNsense.chrony.general.auth_servers }} |
There was a problem hiding this comment.
Dump the multi-line text widget as-is.
There was a problem hiding this comment.
Elected to make the schema changes optional.
|
@mimugmail. Michael, when you have time can you please review and comment? Thanks! |
|
@B3K7 re: irc Ok now I got it ;) |
Candidate solution for [Feature request] Chrony Security - chrony.keys #3823