Build a Chrony NTS Client from Source
Build
The Chrony software is distributed as source code which has to be compiled.
git clone https://git.tuxfamily.org/chrony/chrony.git
Git does not seem to be working atm - I downloaded the latest build using wget:
wget https://git.tuxfamily.org/chrony/chrony.git/snapshot/chrony-4.3.zip
unzip chrony-4.3.zip
rm chrony-4.3.zip && cd chrony-4.3
mkdir build
The following programs and libraries with their development files are needed to build chrony:
- C compiler (gcc or clang recommended)
- GNU Make
- Nettle, NSS, or LibTomCrypt (optional)
- Editline (optional)
- libcap (Linux only, optional)
- libseccomp (Linux only, optional)
- timepps.h header (optional)
- Asciidoctor (for HTML documentation)
- Bash (for testing)
The build will use the gcc compiler if not configured otherwise:
apt install build-essential
If development files for the Nettle, NSS, or libtomcrypt library are available, chronyd will be built with support for other cryptographic hash functions than MD5, which can be used for NTP authentication with a symmetric key. If you don’t want to enable the support, specify the --disable-sechash flag to configure.
apt install libtomcrypt-dev nettle-dev
If development files for the POSIX threads library are available, chronyd will be built with support for asynchronous resolving of hostnames specified in the server, peer, and pool directives. This allows chronyd operating as a server to respond to client requests when resolving a hostname. If you don’t want to enable the support, specify the --disable-asyncdns flag to configure.
If development files for the editline or readline library are available, chronyc will be built with line editing support. If you don’t want this, specify the --disable-readline flag to configure.
On Linux, if development files for the libcap library are available, chronyd will be built with support for dropping root privileges. On other systems no extra library is needed. The default user which chronyd should run as can be specified with the --with-user option of the configure script.
useradd --no-create-home chrony
After unpacking the source code, change directory into it, and type:
./configure
This is a shell script that automatically determines the system type. There is an optional parameter --prefix, which indicates the directory tree where the software should be installed:
./configure --prefix=/home/kali/chrony/build
will install the chronyd daemon into /home/kali/chrony/build/sbin and the chronyc control program into /home/kali/chrony/build/bin. The default value for the prefix is /usr/local.
Bringing it all together:
./configure --disable-sechash --disable-asyncdns --disable-readline --prefix=/home/kali/chrony/build
Configuring for Linux-armv7l
Checking for gcc : Yes
Checking for hardening compiler options : Yes
Checking for -fstack-protector-strong : Yes
Checking for pkg-config : No
Checking for 64-bit time_t : No
Checking for math : No
Checking for math in -lm : Yes
Checking for struct in_pktinfo : Yes
Checking for IPv6 support : Yes
Checking for struct in6_pktinfo : No
Checking for struct in6_pktinfo with _GNU_SOURCE : Yes
Checking for O_NOFOLLOW flag : Yes
Checking for clock_gettime() : Yes
Checking for getaddrinfo() : Yes
Checking for getrandom() : Yes
Checking for recvmmsg() : Yes
Checking for SW/HW timestamping : Yes
Checking for other timestamping options : Yes
Checking for <sys/timepps.h> : No
Checking for <timepps.h> : No
Checking for libcap : Yes
Checking for <linux/rtc.h> : Yes
Checking for <linux/ptp_clock.h> : Yes
Checking for pthread_setschedparam() : Yes
Checking for mlockall() : Yes
Checking for setrlimit(RLIMIT_MEMLOCK, ...) : Yes
Features : +CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER -SIGND -ASYNCDNS -NTS -READLINE -SECHASH +IPV6 -DEBUG
Creating Makefile
Creating doc/Makefile
Creating test/unit/Makefile
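The Features line above reports -NTS, while the chrony.conf further down this page sets the nts option on its server line; chrony's configure enables NTS only when it finds the GnuTLS development files. The following check is an added example, not part of the original page or of chrony; the function names are hypothetical, and it compares a feature list with a configuration before the daemon is started:

```shell
#!/bin/sh
# Added example: compare chrony's compiled-in features with a chrony.conf.

# features_from TEXT: pull the flag list out of a configure "Features : ..."
# line or out of the parenthesised list printed by `chronyd -v`.
features_from() {
    printf '%s\n' "$1" |
        sed -n -e 's/^Features *: *//p' -e 's/.*(\([+-][^)]*\)).*/\1/p' |
        head -n 1
}

# has_feature FLAGS NAME: succeeds only when "+NAME" is in the flag list.
has_feature() {
    case " $1 " in
        *" +$2 "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# nts_sources CONF_TEXT: print hosts of server/pool lines that set "nts".
nts_sources() {
    printf '%s\n' "$1" | awk '($1 == "server" || $1 == "pool") {
        for (i = 3; i <= NF; i++) if ($i == "nts") { print $2; break }
    }'
}

# check_nts FEATURE_TEXT CONF_TEXT: return 1 when the configuration asks
# for NTS but the binary was built without it.
check_nts() {
    feats=$(features_from "$1")
    srcs=$(nts_sources "$2")
    if [ -z "$srcs" ] || has_feature "$feats" NTS; then return 0; fi
    echo "built without NTS, but nts is set for: $srcs" >&2
    return 1
}

# Copied from the configure output and the chrony.conf on this page.
PAGE_FEATURES='Features : +CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER -SIGND -ASYNCDNS -NTS -READLINE -SECHASH +IPV6 -DEBUG'
PAGE_CONF='# pool 2.debian.pool.ntp.org iburst
server my.server.com key 666 nts iburst'
# Constructed sample: `chronyd -v` output of a build that includes NTS.
NTS_BUILD='chronyd (chrony) version 4.3 (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP -SCFILTER -SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)'

if check_nts "$PAGE_FEATURES" "$PAGE_CONF"; then
    echo "configuration matches the build"
else
    echo "rebuild with NTS support before using this configuration"
fi
```

Against an installed build, pass the output of /home/kali/chrony/build/sbin/chronyd -v and the contents of /etc/chrony.conf as the two arguments to check_nts.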
Now we are ready to build the binaries:
make
ls -la /home/kali/chrony/ | grep chrony
-rwxr-xr-x 1 kali kali 418560 Oct 6 05:31 chronyc
-rwxr-xr-x 1 kali kali 1160816 Oct 6 05:30 chronyd
Once the programs have been successfully compiled, they need to be installed in their target locations. This step normally needs to be performed by the superuser, and requires the following command to be entered.
sudo make install
[ -d /etc ] || mkdir -p /etc
[ -d /home/kali/chrony/build/sbin ] || mkdir -p /home/kali/chrony/build/sbin
[ -d /home/kali/chrony/build/bin ] || mkdir -p /home/kali/chrony/build/bin
[ -d /var/lib/chrony ] || mkdir -p /var/lib/chrony
if [ -f /home/kali/chrony/build/sbin/chronyd ]; then rm -f /home/kali/chrony/build/sbin/chronyd ; fi
if [ -f /home/kali/chrony/build/bin/chronyc ]; then rm -f /home/kali/chrony/build/bin/chronyc ; fi
cp chronyd /home/kali/chrony/build/sbin/chronyd
chmod 755 /home/kali/chrony/build/sbin/chronyd
cp chronyc /home/kali/chrony/build/bin/chronyc
chmod 755 /home/kali/chrony/build/bin/chronyc
make -C doc install
make[1]: Entering directory '/home/kali/chrony/doc'
asciidoctor -b manpage -o chrony.conf.man.in chrony.conf.adoc
make[1]: asciidoctor: No such file or directory
make[1]: *** [Makefile:44: chrony.conf.man.in] Error 127
make[1]: Leaving directory '/home/kali/chrony/doc'
make: *** [Makefile:98: install] Error 2
This installed the binaries, but adding the man pages failed because asciidoctor is missing:
tree build
build
├── bin
│ └── chronyc
└── sbin
└── chronyd
2 directories, 2 files
Configuration
Now that the software is successfully installed, the next step is to set up a configuration file. The default location of the file is /etc/chrony.conf:
# Use Debian vendor zone.
# pool 2.debian.pool.ntp.org iburst
# This directive specifies the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /home/kali/chrony/build/chrony.keys
# This directive specifies the file into which chronyd will store the rate
# information.
driftfile /home/kali/chrony/build/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /home/kali/chrony/build
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC
server my.server.com key 666 nts iburst
chown chrony:chrony /etc/chrony.conf
mkdir -p /home/kali/chrony/build
chown chrony:chrony /home/kali/chrony/build
mv chronyd /home/kali/chrony/build/chronyd
And add your keyfiles:
nano /home/kali/chrony/build/chrony.keys
And service file:
nano /etc/systemd/system/chronyd.service
[Unit]
Description=chrony, an NTP client/server
Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
Conflicts=openntpd.service ntp.service ntpsec.service
Wants=time-sync.target
Before=time-sync.target
After=network.target
ConditionCapability=CAP_SYS_TIME
[Service]
Type=forking
PIDFile=/run/chrony/chronyd.pid
EnvironmentFile=-/etc/default/chrony
ExecStart=/home/kali/chrony/build/chronyd $DAEMON_OPTS
PrivateTmp=yes
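# ProtectHome=yes would hide /home from the service, including the chronyd
# binary, key file, drift file and NTS dump directory placed there above.
ProtectHome=read-only
ReadWritePaths=/home/kali/chrony/build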
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
[Install]
Alias=chronyd.service
WantedBy=multi-user.target