NTS-Service and Authenticated Time Synchronization

TST, Hong Kong

Chrony Client
NTPsec Client
Authentication Keys

I did setup a Chrony NTP/NTS Server and deployed it using Nomad. Now I need a client to connect to it using NTS. Here I have the option to either use Chrony or NTPSec.

Chrony Client

By default Chrony is not installed on Debian but it can be installed using Aptitude.

Installing Chrony

apt install chrony

Note: If you have another NTP client running on your system it will be deactivated once you install Chrony (e.g. systemd-timesyncd or ntpsec).

Verify Chrony works as an NTP client:

chronyc sources

MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* server1a.meinberg.de          2   6    37     3   -558us[ -446us] +/-   24ms
^+ lucy.thehomeofanime.de        2   6    37     3   +729us[ +842us] +/-   31ms
^+ 2a01:4f8:241:56c6:1::123      2   6    37     3   -417us[ -304us] +/-   40ms
^+ ns1.idfnet.net                2   6    37     2   -303us[ -303us] +/-   39ms

Configure NTS

Edit the configuration file /etc/chrony/chrony.conf and replace the existing NTP servers with your personal NTS server. First comment out any lines starting with one of the words pool, server, source or sourcedir:

# Use Debian vendor zone.
# pool 2.debian.pool.ntp.org iburst

# Use time sources from DHCP.
# sourcedir /run/chrony-dhcp

# Use NTP sources found in /etc/chrony/sources.d.
# sourcedir /etc/chrony/sources.d

You can enable these sources later, but comment them out for the moment since it will make it easier to see if the NTS servers are working. Then add your personal NTS server. Note that the configuration line should contain nts which says that it uses the NTS protocol:

server my.nts-server.com nts iburst

Save the file and restart the Chrony service by running this command:

systemctl restart chrony

Verify that NTS is working on Chrony

Now verify that NTS is working with Chrony - first we can check the service status. It will show you the latest log output containing the source server:

systemctl status chronyd    
● chrony.service - chrony, an NTP client/server
     Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-09-30 11:03:44 UTC; 11s ago
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
    Process: 996854 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 996856 (chronyd)
      Tasks: 2 (limit: 2275)
     Memory: 3.1M
        CPU: 44ms
     CGroup: /system.slice/chrony.service
             ├─996856 /usr/sbin/chronyd -F 1
             └─996857 /usr/sbin/chronyd -F 1

Sep 30 11:03:44 chrony systemd[1]: Starting chrony, an NTP client/server...
Sep 30 11:03:44 chrony chronyd[996856]: chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SI>
Sep 30 11:03:44 chrony chronyd[996856]: Frequency -40.688 +/- 0.247 ppm read from /var/lib/chrony/chrony.drift
Sep 30 11:03:44 chrony chronyd[996856]: Using right/UTC timezone to obtain leap second data
Sep 30 11:03:44 chrony chronyd[996856]: Loaded seccomp filter
Sep 30 11:03:44 chrony systemd[1]: Started chrony, an NTP client/server.
Sep 30 11:03:49 chrony chronyd[996856]: Selected source my.server.ip (my.nts-server.com)
Sep 30 11:03:49 chrony chronyd[996856]: System clock TAI offset set to 37 seconds

Or just check the output from chronyc:

chronyc sources

MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* static.my.server.ip.in.reverse.cli>     2   6    17    23   +351us[ +592us] +/- 6891us

A leading ^ means its a server, = means peer, and # means local clock. The second column is what tells you if the server is being used. the + tells you that the source is being used. A * indicates the current best source which is being used, and a - means its a good source, but is not currently selected. Source state ~ means that the time is too variable.

chronyc tracking

Reference ID    : 9F459319 (static.my.server.ip.in.reverse.clients.your-server.com)
Stratum         : 3
Ref time (UTC)  : Sat Oct 01 10:36:30 2022
System time     : 0.000158212 seconds fast of NTP time
Last offset     : -0.272258192 seconds
RMS offset      : 0.129027337 seconds
Frequency       : 310.921 ppm fast
Residual freq   : -1410.939 ppm
Skew            : 122.050 ppm
Root delay      : 0.014122445 seconds
Root dispersion : 0.208602116 seconds
Update interval : 64.7 seconds
Leap status     : Normal

Reference ID is the value indicates the name and ID of the NTP server to which the system’s time is currently synchronized.
Stratum specifies the number of hops in servers level to the NTP hierarchy.
Ref time is the time per UTC when the last measurement from the reference source was processed.
System time denotes the amount of delay in a systems clock from a synchronized server.
Last offset is the estimated time offset since the last clock update.
RMS Offset denotes the long-term average of the time offset
Frequency is the value the servers clock would be off if chronyd was not correcting it. This value is measured in ppm (parts per million)
Residual freq indicates the measurement of difference in between the next-level Stratum source and the current frequency being used.
Skew is the estimate variance of error in the frequency measured in parts per million
Root delay is the total time of delay within the network path to the higher level stratum computer from which the local server is being synced.
Root dispersion is part of the equation that calculates the value derived from the root delay and root dispersion as reported by the tracking command
Update interval is the distance between the previous two clock updates.
Leap status is the value which can have one of the following settings
- normal
- insert second
- delete second
- not synchronized.

For service tracking add an alias to your .bashrc like alias showtime='chronyc sourcestats; chronyc -n sources; chronyc -n tracking'

NTPsec Client

The NTS version of ntpd NTPSec is not installed on Debian but it can be installed using Aptitude.

Installing NTPsec

apt install ntpsec

Note: If you have another NTP client running on your system it will be deactivated once you install NTPsec (e.g. systemd-timesyncd or chrony).

Verify NTPsec works as an NTP client:

ntpq -p

     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
 0.debian.pool.ntp.org                   .POOL.          16 p    -  256    0   0.0000   0.0000   0.0001
 1.debian.pool.ntp.org                   .POOL.          16 p    -  256    0   0.0000   0.0000   0.0001
 2.debian.pool.ntp.org                   .POOL.          16 p    -  256    0   0.0000   0.0000   0.0001
 3.debian.pool.ntp.org                   .POOL.          16 p    -  256    0   0.0000   0.0000   0.0001

Configure NTS

Edit the configuration file /etc/ntpsec/ntp.conf and replace the existing NTP servers with your own NTS servers. First comment out any lines starting with one of the words pool or server:

# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
# pool 0.debian.pool.ntp.org iburst
# pool 1.debian.pool.ntp.org iburst
# pool 2.debian.pool.ntp.org iburst
# pool 3.debian.pool.ntp.org iburst

Then add your own NTS server. Note that the configuration line should contain nts which says that it uses the NTS protocol:

server my.nts-server.com nts iburst

Save the file and restart the Chrony service by running this command:

systemctl restart ntpsec

Verify that NTS is working on NTPsec

The service comes up now using my server:

systemctl status ntpsec

● ntpsec.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-09-30 13:26:59 CEST; 11s ago
       Docs: man:ntpd(8)
    Process: 1516451 ExecStart=/usr/libexec/ntpsec/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
   Main PID: 1516454 (ntpd)
      Tasks: 1 (limit: 2276)
     Memory: 9.4M
        CPU: 36ms
     CGroup: /system.slice/ntpsec.service
             └─1516454 /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec

Sep 30 13:27:00 Nomad ntpd[1516454]: NTSc: certificate subject name: /CN=my.nts-server.com
Sep 30 13:27:00 Nomad ntpd[1516454]: NTSc: certificate issuer name: /C=US/O=Lets Encrypt/CN=R3
Sep 30 13:27:00 Nomad ntpd[1516454]: NTSc: certificate is valid.
Sep 30 13:27:00 Nomad ntpd[1516454]: NTSc: Good ALPN from my.nts-server.com
Sep 30 13:27:00 Nomad ntpd[1516454]: NTSc: read 848 bytes
Sep 30 13:27:00 Nomad ntpd[1516454]: NTSc: Got 8 cookies, length 100, aead=15.
Sep 30 13:27:00 Nomad ntpd[1516454]: NTSc: NTS-KE req to my.nts-server.com took 0.088 sec, OK
Sep 30 13:27:00 Nomad ntpd[1516454]: DNS: dns_check: processing my.nts-server.com, 1, 21901
Sep 30 13:27:00 Nomad ntpd[1516454]: DNS: Server taking: my.server.ip
Sep 30 13:27:00 Nomad ntpd[1516454]: DNS: dns_take_status: my.nts-server.com=>good, 0

Check the output from ntpq:

ntpq -p 
     remote                                             refid      st t when poll reach   delay   offset   jitter
=================================================================================================================
+static.my.server.ip.in.reverse.clients.your-serve 216.239.35.0     2 8   17   64   17   4.3198  -5.5261  14.3994

Authentication Keys

Chrony Server Configuration

When I set up the Chrony NTP/NTS Server I did not consider client authentication. So currently every device with a NTS client can use the server. To limit access to our server we can create a pre-shared authentication key that we then have to add to our server as well as too all clients we want to connect. Both Chrony and NTPSec offer a keygen client that we can use to create our pre-shared key. I am going to generate the key using Chrony. To a 512-bit SHA1 key with the key number of 666 run the following command (inside your Chrony Server container or on your Chrony client):

chronyc keygen 666 SHA1 512

This will output a secure hash that we will have to copy into a file assets/chrony.keys in the Chrony repository:

666 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

I can add this to my Chrony Dockerfile to copy the keyfile into the Chrony container:

# add chrony keys generated with `chronyc keygen 666 SHA1 512`
COPY assets/chrony.keys /opt/chrony.keys

Now I have to modify the start-up script I am using inside the container to generate the Chrony configuration file and add the keyfile location:

{
  echo
  echo "driftfile /var/lib/chrony/chrony.drift"
  echo "makestep 0.1 3"
  echo "rtcsync"
  echo
  echo "ntsserverkey /opt/letsencrypt/live/my.server.com/privkey.pem"
  echo "ntsservercert /opt/letsencrypt/live/my.server.com/fullchain.pem"
  echo "keyfile /opt/chrony.keys"
  echo "ntsprocesses 3"
  echo "maxntsconnections 512"
  echo "ntsdumpdir /var/lib/chrony"
  echo
  echo "allow all"
} >> ${CHRONY_CONF_FILE}

Now I can rebuild my container and re-deploy it using Nomad.

Now my clients should no longer be able to use the timeserver they are configured to use:

# BEFORE
ntpq -p
     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
+static.my.server.ip.in.reverse.clients.your-serve 216.239.35.0     2 5  202   64  370   3.9457  10.4121 287.4892
# AFTER
ntpq -p
     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
 static.my.server.ip.in.reverse.clients.your-serve 216.239.35.0     2 0  585   64    0   0.0000   0.0000 298.1516

# BEFORE
chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* static.my.server.ip.in.reverse.cli>     2   6    17    23   +351us[ +592us] +/- 6891us
# AFTER
chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^? static.my.server.ip.in.reverse.cli>     0   8     0     -     +0ns[   +0ns] +/-    0ns

Now let's fix that problem :)

Chrony Client Configuration

To add the keyfile to our Chrony client we first have to add it's location to the configuration file:

nano /etc/chrony/chrony.conf

keyfile /etc/chrony/chrony.keys

And then create the chrony.keys file in the specified location:

666 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

And make sure that the file is readable:

chmod u=rw,g=r,o=r /etc/chrony/chrony.keys

Restart the service:

service chrony restart

And we are back at working conditions:

chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* static.my.server.ip.in.reverse.cli>     3   6    17    49  -1866us[  -38ms] +/- 3505us

NTPSec Client Configuration (failed)

Update the NTPSec client runs well with a Chrony server as long as I don't add the key authentication. I will just stick with a Chrony Server/Client combo. THere don't seem to be any issues.

For the NTPSec client we have to create the keyfile in /var/lib/ntpsec/nts-keys/ntp.keys and add the same content as with the chrony.keys file before. And point out the location in the configuration file - which is a little bit more verbose here. You additionally have to select the key number which I set to be 666 above and also assign the key to the server you want it to be uses with...

Update as son as I added the Chrony key I could no longer connect to my server... I then ran the NTPSec included key generator ntpkeygen which generates a list of keys.

Update Update adding the AES key was not necessary after all I just had to remove the HEX: in front of the Chrony key and it was accepted. So, just keep the Chrony key ~

cat ntp.keys

# Sat Oct  1 14:43:23 2022
 1 AES g&$cpQDr:_eLspU|
 
 ...

 19 AES a09a2bf2f05a42f16372dbb7fc419782
 20 AES 552b05b5536833d5a89ec83767f268c6

So I updated nano /var/lib/ntpsec/nts-keys/ntp.keys to include one of those keys:

19 AES a09a2bf2f05a42f16372dbb7fc419782
666 SHA1 HEX:41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

And also added them to the chrony.keys file of my Chrony server.

chmod u=rw,g=r,o=r /var/lib/ntpsec/nts-keys/ntp.keys
nano /etc/ntpsec/ntp.conf

keys /var/lib/ntpsec/nts-keys/ntp.keys
trustedkey 19
controlkey 19
requestkey 19

...

server my.server.com nts iburst key 19

But I am still not getting a connection:

ntpq -p

     remote                                   refid      st t when poll reach   delay   offset   jitter
=======================================================================================================
 static.my.server.com.clients.your-serve .NTS.           16 7    -   64    0   0.0000   0.0000   0.0001

The client request are send but the server does not seem to reply:

ntpq -c nts

NTS client sends:            7
NTS client recvs good:       0
NTS client recvs w error:    0
NTS server recvs good:       0
NTS server recvs w error:    0
NTS server sends:            0
NTS make cookies:            0
NTS decode cookies:          0
NTS decode cookies old:      0
NTS decode cookies too old:  0
NTS decode cookies error:    0
NTS KE probes good:          1
NTS KE probes_bad:           0
NTS KE serves good:          0
NTS KE serves_bad:           0

Let's start the client manually and see what is going on:

service ntpsec stop
/usr/sbin/ntpd -n -d

First of all I can see that the Chrony key is not accepted - but NTPSec seems to add the additional AES key:

2022-10-02T09:03:39 ntpd[19852]: Found 1 trusted keys.
2022-10-02T09:03:39 ntpd[19852]: AUTH: authreadkeys: reading /var/lib/ntpsec/nts-keys/ntp.keys
2022-10-02T09:03:39 ntpd[19852]: AUTH: authreadkeys: key 666 truncated to 64 bytes
2022-10-02T09:03:39 ntpd[19852]: AUTH: authreadkeys: invalid hex digit for key 666
2022-10-02T09:03:39 ntpd[19852]: AUTH: authreadkeys: added 1 keys

Interesting so the key 666 contains illegal characters. Let's remove the HEX: that Chrony sets in front of the key and see what happens when I switch the NTPSec configuration back from using key 19 to key 666:

19 AES a09a2bf2f05a42f16372dbb7fc419782
666 SHA1 41303679BF767668BC4FA98783FABC76526AEA12A5B47A5C3DEE26DD5940F0E831AA6978B995615074BE284238374DF405A30C51D7145151A8B2E20A30D29FFA

Excellent, NTPSec accepts both keys and is now using the original Chrony key as trusted:

2022-10-02T09:12:35 ntpd[20300]: Found 1 trusted keys.
2022-10-02T09:12:35 ntpd[20300]: AUTH: authreadkeys: reading /var/lib/ntpsec/nts-keys/ntp.keys
2022-10-02T09:12:35 ntpd[20300]: AUTH: authreadkeys: key 666 truncated to 64 bytes
2022-10-02T09:12:35 ntpd[20300]: AUTH: authreadkeys: digest for key 666, SHA512 will be truncated.
2022-10-02T09:12:35 ntpd[20300]: AUTH: authreadkeys: added 2 keys

But scrolling down the ntpd Log there are only a lot of:

select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call

Which is where I reached the realm darkness, full of terrors. Where not even the Lord of Light may help you to chase away the shadows...

NTS-Service and Authenticated Time Synchronization

Complete ntpd Client Log

/usr/sbin/ntpd -n -d 

2022-10-02T09:14:00 ntpd[20412]: INIT: ntpd ntpsec-1.2.0 2021-06-17T05:15:04Z: Starting
2022-10-02T09:14:00 ntpd[20412]: INIT: Command line: /usr/sbin/ntpd -n -d
2022-10-02T09:14:00 ntpd[20412]: INIT: precision = 0.088 usec (-23)
2022-10-02T09:14:00 ntpd[20412]: INIT: successfully locked into RAM
2022-10-02T09:14:00 ntpd[20412]: CONFIG: readconfig: parsing file: /etc/ntpsec/ntp.conf
2022-10-02T09:14:00 ntpd[20412]: CONFIG: requestkey is a no-op because ntpdc has been removed.
Finished Parsing!!
2022-10-02T09:14:00 ntpd[20412]: Found 1 trusted keys.
2022-10-02T09:14:00 ntpd[20412]: AUTH: authreadkeys: reading /var/lib/ntpsec/nts-keys/ntp.keys
2022-10-02T09:14:00 ntpd[20412]: AUTH: authreadkeys: key 666 truncated to 64 bytes
2022-10-02T09:14:00 ntpd[20412]: AUTH: authreadkeys: digest for key 666, SHA512 will be truncated.
2022-10-02T09:14:00 ntpd[20412]: AUTH: authreadkeys: added 2 keys
2022-10-02T09:14:00 ntpd[20412]: CONFIG: restrict nopeer ignored
restrict: op 1 addr 0.0.0.0 mask 0.0.0.0 mflags 00000000 flags 000004e0
restrict: op 1 addr :: mask :: mflags 00000000 flags 000004e0
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00000000 flags 00000000
restrict: op 1 addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00000000 flags 00000000
2022-10-02T09:14:00 ntpd[20412]: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature
2022-10-02T09:14:00 ntpd[20412]: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2022-12-28T00:00Z last=2017-01-01T00:00Z ofs=37
event at 0 0.0.0.0 c01e 0e TAI 37 leap 2017-01-01T00:00Z expires 2022-12-28T00:00Z
move_fd: estimated max descriptors: 1024, initial socket boundary: 16
2022-10-02T09:14:00 ntpd[20412]: INIT: Using SO_TIMESTAMPNS
2022-10-02T09:14:00 ntpd[20412]: IO: Listen and drop on 0 v6wildcard [::]:123
2022-10-02T09:14:00 ntpd[20412]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123
2022-10-02T09:14:00 ntpd[20412]: IO: Listen normally on 2 lo 127.0.0.1:123
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00003000 flags 00000001
2022-10-02T09:14:00 ntpd[20412]: IO: Listen normally on 3 eth0 my.client-ip:123
restrict: op 1 addr my.client-ip mask 255.255.255.255 mflags 00003000 flags 00000001
2022-10-02T09:14:00 ntpd[20412]: IO: Listen normally on 4 lo [::1]:123
2022-10-02T09:14:00 ntpd[20412]: IO: Listening on routing socket on fd #23 for interface updates
peer_clear: at 0 next 1 associd 17767 refid NTS
event at 0 my.ntp-server.com c011 81 mobilize assoc 17767
newpeer: <null>->0.0.0.0 mode 3 vers 4 poll 6 10 flags 0x21901 0x1 mode 0 key 0000029a
2022-10-02T09:14:00 ntpd[20412]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
event at 0 0.0.0.0 c01d 0d kern kernel time sync enabled
event at 0 0.0.0.0 c012 02 freq_set kernel 0.000000 PPM
event at 0 0.0.0.0 c016 06 restart
2022-10-02T09:14:00 ntpd[20412]: INIT: Built with OpenSSL 1.1.1k  25 Mar 2021, 101010bf
2022-10-02T09:14:00 ntpd[20412]: INIT: Running with OpenSSL 1.1.1n  15 Mar 2022, 101010ef
2022-10-02T09:14:00 ntpd[20412]: NTSc: Using system default root certificates.
2022-10-02T09:14:00 ntpd[20412]: statistics directory /var/log/ntpsec/ does not exist or is unwriteable, error No such file or directory
select() returned -1: Interrupted system call
2022-10-02T09:14:01 ntpd[20412]: DNS: dns_probe: my.ntp-server.com, cast_flags:1, flags:21901
2022-10-02T09:14:01 ntpd[20412]: NTSc: DNS lookup of my.ntp-server.com took 0.016 sec
2022-10-02T09:14:01 ntpd[20412]: NTSc: connecting to my.ntp-server.com:4460 => my.server-ip:4460
2022-10-02T09:14:01 ntpd[20412]: NTSc: set cert host: my.ntp-server.com
2022-10-02T09:14:01 ntpd[20412]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
2022-10-02T09:14:01 ntpd[20412]: NTSc: certificate subject name: /CN=my.ntp-server.com
2022-10-02T09:14:01 ntpd[20412]: NTSc: certificate issuer name: /C=US/O=Lets Encrypt/CN=R3
2022-10-02T09:14:01 ntpd[20412]: NTSc: certificate is valid.
2022-10-02T09:14:01 ntpd[20412]: NTSc: Good ALPN from my.ntp-server.com
2022-10-02T09:14:01 ntpd[20412]: NTSc: read 848 bytes
2022-10-02T09:14:01 ntpd[20412]: NTSc: Got 8 cookies, length 100, aead=15.
2022-10-02T09:14:01 ntpd[20412]: NTSc: NTS-KE req to my.ntp-server.com took 0.087 sec, OK
select() returned -1: Interrupted system call
2022-10-02T09:14:01 ntpd[20412]: DNS: dns_check: processing my.ntp-server.com, 1, 21901
2022-10-02T09:14:01 ntpd[20412]: DNS: Server taking: my.server-ip
transmit: at 1 my.client-ip->my.server-ip mode 3 keyid 0000029a len 228
2022-10-02T09:14:01 ntpd[20412]: DNS: dns_take_status: my.ntp-server.com=>good, 0
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
transmit: at 66 my.client-ip->my.server-ip mode 3 keyid 0000029a len 332
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
transmit: at 133 my.client-ip->my.server-ip mode 3 keyid 0000029a len 436
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
transmit: at 199 my.client-ip->my.server-ip mode 3 keyid 0000029a len 540
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
transmit: at 266 my.client-ip->my.server-ip mode 3 keyid 0000029a len 644
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
select() returned -1: Interrupted system call
^Cselect() returned -1: Interrupted system call
2022-10-02T09:19:00 ntpd[20412]: ERR: ntpd exiting on signal 2 (Interrupt)
event at 299 my.server-ip c012 82 demobilize assoc 17767
2022-10-02T09:19:00 ntpd[20412]: PROTO: my.server-ip unlink local addr my.client-ip -> <null>
event at 299 0.0.0.0 c01d 0d kern kernel time sync disabled

Chrony Client​

Installing Chrony​

Configure NTS​

Verify that NTS is working on Chrony​

NTPsec Client​

Installing NTPsec​

Configure NTS​

Verify that NTS is working on NTPsec​

Authentication Keys​

Chrony Server Configuration​

Chrony Client Configuration​

NTPSec Client Configuration (failed)​

Complete ntpd Client Log​

Chrony Client

Installing Chrony

Configure NTS

Verify that NTS is working on Chrony

NTPsec Client

Installing NTPsec

Configure NTS

Verify that NTS is working on NTPsec

Authentication Keys

Chrony Server Configuration

Chrony Client Configuration

NTPSec Client Configuration (failed)

Complete ntpd Client Log