On Mon, May 04, 2020 at 04:44:00PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> Aside: the PEERNTP option seems to be very weakly documented. After
> some searching I found [1, 2] and [3]. Some up-to-date documentation would
> be necessary if users are expected to configure this.

Ok. I filed bug #1831542 to improve the documentation.

> It sounds like PEERNTP should be a per-interface setting. If I'm
> connecting to a trusted network or VPN, I might want to use and trust
> the provided NTP servers. If connecting to a public network, don't trust
> and use NTS to verify servers.

You could do that. PEERNTP can be set for each interface in the
corresponding /etc/sysconfig/network-scripts/ifcfg-* file.

However, as was suggested earlier in the thread, there will likely be a
new upstream option in chrony to globally control mixing of
unauthenticated and authenticated NTP sources, so PEERNTP doesn't have
to be disabled when all NTP servers from DHCP are not to be trusted,
e.g. because they are not expected to authenticate their upstream
servers.

> Also, what software supports /etc/sysconfig/network? I think we currently
> have initscripts-network, NetworkManager, systemd-networkd in Fedora.

It works with the initscripts and NetworkManager. For systemd-networkd
there is no dispatcher mechanism in Fedora, so NTP servers provided by
DHCP are ignored when using systemd-networkd with chrony or ntp. In
Debian and Ubuntu there is a networkd-dispatcher service for that.

> > An option could be added to disable the time checks before the
> > first update of the clock. This would have an impact on security.
>
> ... how would that look? It'd need support in chrony itself, right?
> Would upstream accept such code?

Yes. It's already supported upstream and in our latest rawhide package.
The time checks can be disabled with the NoCertTimeCheck directive in
chrony.conf. The idea is that anaconda will set it when no RTC is found
or it has no battery backup (if we can detect that).
-- 
Miroslav Lichvar
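To make the per-interface PEERNTP behaviour discussed in the reply concrete, here is an added shell example (not the Fedora or chrony dispatcher script, and not the thread's own code) that decides whether DHCP-provided NTP servers should be handed to chrony. The precedence it assumes (the global /etc/sysconfig/network is read first, the interface's ifcfg file overrides it, and anything other than PEERNTP=no allows the servers), the helper names, and the 192.0.2.x addresses are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the Fedora dispatcher: decide whether NTP servers
# supplied by DHCP on an interface should be given to chrony, based on
# the PEERNTP setting. Assumed precedence: the per-interface ifcfg file
# overrides the global file; the default when neither sets it is "yes".
#
# dhcp_ntp_allowed GLOBAL_FILE IFCFG_FILE
#   exit status 0 = use the DHCP NTP servers, 1 = ignore them
dhcp_ntp_allowed() {
    _global=$1 _ifcfg=$2
    # Source the files in a subshell so their variables do not leak out.
    (
        PEERNTP=yes
        [ -f "$_global" ] && . "$_global"
        [ -f "$_ifcfg" ] && . "$_ifcfg"
        [ "$PEERNTP" != "no" ]
    )
}

# dhcp_ntp_sources GLOBAL_FILE IFCFG_FILE SERVER...
#   Prints one chrony "server" line per DHCP-provided address when the
#   interface allows them, and nothing otherwise. Feeding these lines to
#   chrony is left to the real dispatcher and is not shown here.
dhcp_ntp_sources() {
    _g=$1 _i=$2
    shift 2
    dhcp_ntp_allowed "$_g" "$_i" || return 0
    for _srv in "$@"; do
        printf 'server %s iburst\n' "$_srv"
    done
}

# Constructed sample configuration written to a temporary directory:
# the global file disables PEERNTP, the trusted LAN interface re-enables
# it, and the public Wi-Fi interface inherits the global "no".
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'NETWORKING=yes\nPEERNTP=no\n' > "$demo_dir/network"
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nPEERNTP=yes\n' > "$demo_dir/ifcfg-eth0"
printf 'DEVICE=wlan0\nBOOTPROTO=dhcp\n' > "$demo_dir/ifcfg-wlan0"

# Stand-alone demonstration (192.0.2.10 is a constructed address).
echo "eth0:";  dhcp_ntp_sources "$demo_dir/network" "$demo_dir/ifcfg-eth0" 192.0.2.10
echo "wlan0:"; dhcp_ntp_sources "$demo_dir/network" "$demo_dir/ifcfg-wlan0" 192.0.2.10
```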