Chrony-4.1-2 support AES-128 and AES-256

ramalingam · March 7, 2025, 8:49pm

Hi Team,

as per given below output ,
is this given chronyd process supporting AES-128 and AES-256 ?
is the nettle package enabled ? if not, which package to enable for support nettle..

root@OS:~# chronyd -v
chronyd (chrony) version 4.1 (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER -SIGND +ASYNCDNS +NTS -SECHASH +IPV6 -DEBUG)
root@OS:~#

root@OS:~# opkg list | grep nettle
libnettle8 - 3.6-1

root@OS:~# opkg list | grep chrony
chrony-nts - 4.1-2
root@S:~#

brada4 · March 7, 2025, 11:05pm

What do you mean by "support aes encryption" ?
NTS is TLS to generate symmetric keys for message authentication

ramalingam · March 8, 2025, 5:26am

@brada4 ,
i have tried to configure AES-128/AES-256 key(key generated via openssl) in /etc/chrony/chrony,keys and restarted the chronyd(/etc/init.d/chronyd restart) process ,, but getting given below error ..

i want to verify secure NTP using AES-128/AES-256 key in client and server ..
is the chrony-nts packages or chrony package support this secure ntp..
do you have sample config how to configure secure NTP??

is the ntpd package support secure NTP ?

error logs :
Fri Mar 7 15:17:05 2025 daemon.info chronyd[16028]: chronyd exiting
Fri Mar 7 15:17:05 2025 daemon.info chronyd[17209]: chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER -SIGND +AS)
Fri Mar 7 15:17:05 2025 daemon.warn chronyd[17209]: Unsupported cipher in key 1
Fri Mar 7 15:17:05 2025 daemon.info chronyd[17209]: Frequency -5.256 +/- 0.288 ppm read from /var/run/chrony/drift
Fri Mar 7 15:17:09 2025 daemon.info chronyd[17209]: Selected source 171.10.10.65
root@OS:~# date
Fri Mar 7 15:17:15 IST 2025
root@OS:~# cat /etc/chrony/chrony.keys
1 AES128 a39bc490f5105b9fa0809c1b0aa25871
root@OS:~#

/etc/chrony/chrony.conf
config nts
option rtccheck 'yes'
option systemcerts 'yes'
option encryption 'aes128' # Enable AES128 encryption
option keyid '2' # Use key ID 2 from the keyfile

config keyfile
option path '/etc/chrony/chrony.keys' # Path to the key file

brada4 · March 8, 2025, 5:38am

Does not seem like chrony.conf at all.
Did you get your "config" via chadbots?

brada4 · March 8, 2025, 7:37am

Please provide output of

ubus call system board

Openwrt platforms mostly have no rtc and your chrony is years out of date

mlichvar · March 8, 2025, 8:49am

The SECHASH feature is disabled, which means only MD5 keys are supported.

I've submitted a PR to enable SECHASH in the chrony-nts package: https://github.com/openwrt/packages/pull/26112

brada4 · March 8, 2025, 11:12am

It seems OpenWrt 21 here which will not be fixed ever.