chrony: add NTS server support and confdir include#5370
Open
uistlabs wants to merge 2 commits into opnsense:master from
Add configuration options for chrony NTS server mode:
- ntsservercert: path to TLS certificate chain (PEM)
- ntsserverkey: path to TLS private key
- ntsport: NTS-KE port (default: 4460)

Also add confdir include for /usr/local/etc/chrony.opnsense.d/*.conf, following the same extensibility pattern used by other OPNsense plugins (e.g. Squid's pre-auth/post-auth includes). This allows custom chrony directives without modifying the managed template.

NTS (Network Time Security, RFC 8915) provides cryptographic authentication for NTP. Chrony supports serving NTS alongside plain NTP on the same instance since version 4.0. This change enables administrators to configure their OPNsense routers as NTS servers for internal networks using their own PKI certificates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The chrony.opnsense.d directory needs group ownership set to chronyd so that chronyd can traverse the directory to read NTS key files after privilege drop. Without this, ntsserverkey paths inside the confdir are inaccessible and NTS-KE fails silently. Matches the ownership pattern already used for /var/db/chrony, /var/lib/chrony, and /var/run/chrony in the same script. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
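The privilege-drop failure described in this commit, reproduced as an added example (not code from the PR or the plugin): it models chronyd as a process that does not own the directory but is in its group, and checks from the stat mode bits whether every directory from the confdir down is searchable and the key readable, so the check works for any target uid/gid regardless of who runs it. The temporary directory, the nts/ subdirectory and the placeholder key file are constructed stand-ins for /usr/local/etc/chrony.opnsense.d and an ntsserverkey path inside it.

```python
import os
import stat
import tempfile
from typing import Dict, List


def _allowed(st: os.stat_result, uid: int, gid: int, ubit: int, gbit: int, obit: int) -> bool:
    """POSIX owner/group/other decision for a process running as (uid, gid), from mode bits only."""
    if uid == st.st_uid:
        return bool(st.st_mode & ubit)
    if gid == st.st_gid:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def key_access_problems(key_path: str, confdir: str, uid: int, gid: int) -> List[str]:
    """Reasons chronyd (as uid/gid after privilege drop) could not open key_path, assumed to
    live under confdir: each directory from confdir down needs search (x), the file needs read (r)."""
    problems: List[str] = []
    dirs = [confdir]
    for part in os.path.relpath(key_path, confdir).split(os.sep)[:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        if not _allowed(os.stat(d), uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"no search permission on {d}")
    if not _allowed(os.stat(key_path), uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"no read permission on {key_path}")
    return problems


def demo_privilege_drop() -> Dict[str, List[str]]:
    """Constructed stand-in for /usr/local/etc/chrony.opnsense.d: owner-only confdir vs. group-searchable."""
    confdir = tempfile.mkdtemp()
    nts_dir = os.path.join(confdir, "nts")
    os.mkdir(nts_dir)
    os.chmod(nts_dir, 0o750)
    key = os.path.join(nts_dir, "server.key")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o640)  # owner rw, group r: chronyd is expected to read it via its group
    st = os.stat(confdir)
    uid, gid = st.st_uid + 1, st.st_gid  # model chronyd: not the owner, but in the directory's group
    os.chmod(confdir, 0o700)  # confdir created without the chronyd group having search access
    before = key_access_problems(key, confdir, uid, gid)
    os.chmod(confdir, 0o750)  # what the setup.sh ownership change achieves: the group can traverse
    after = key_access_problems(key, confdir, uid, gid)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo_privilege_drop())
```

With the confdir at 0700 the only reported problem is the missing search permission on the confdir itself, which is exactly the silent NTS-KE failure the commit describes; at 0750 the key becomes reachable for the group.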
Summary
Add NTS (Network Time Security, RFC 8915) server configuration support to the chrony plugin:
- include /usr/local/etc/chrony.opnsense.d/*.conf for custom directives, following the same extensibility pattern used by other OPNsense plugins (e.g. Squid's pre-auth/*.conf)

Motivation
Chrony has supported NTS server mode since version 4.0 (2020). The OPNsense chrony plugin currently supports NTS as a client (connecting to NTS-enabled upstream servers) but has no mechanism to configure chrony as an NTS server for downstream clients.
This is useful for environments with internal PKI where routers act as NTP servers for LAN hosts. NTS provides cryptographic authentication of time responses, protecting against NTP spoofing attacks.
NTS server mode coexists with plain NTP — non-NTS clients continue using UDP 123 as usual, while NTS-capable clients additionally perform a TLS handshake on TCP 4460 for key establishment.
Changes
- General.xml (model): ntsservercert, ntsserverkey, ntsport fields with path validation
- chrony.conf (template)
- general.xml (form)
- setup.sh: /usr/local/etc/chrony.opnsense.d/ directory
- Makefile
- pkg-descr

Testing
Tested on OPNsense 25.1 with chrony 4.6:
- confdir include correctly loads drop-in configuration files

References