Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Overview of Network Time Security (NTS) in chrony

Network Time Security (NTS) is an authentication mechanism for Network Time Protocol (NTP), designed to scale substantial clients. It verifies that the packets received from the server machines are unaltered while moving to the client machine. Network Time Security (NTS) includes a Key Establishment (NTS-KE) protocol that automatically creates the encryption keys used between the server and its clients.

Warning

NTS is not compatible with the FIPS and OSPP profile. When you enable the FIPS and OSPP profile, chronyd that is configured with NTS can abort with a fatal message. You can disable the OSPP profile and FIPS mode for chronyd service by adding the GNUTLS_FORCE_FIPS_MODE=0 setting to the /etc/sysconfig/chronyd file.

By default, Network Time Security (NTS) is not enabled. You can enable NTS in the /etc/chrony.conf file.

Prerequisites

  • The time server supports NTS.

Procedure

Edit the /etc/crony.conf file, and make the following changes:

  1. Specify the server with the nts option in addition to the iburst option. 

    For example:
server time.example.com iburst nts
server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
    Copy to Clipboard Toggle word wrap

  2. Add the following setting to avoid repeating the Network Time Security-Key Establishment (NTS-KE) session during system boot: 

    ntsdumpdir /var/lib/chrony
    Copy to Clipboard Toggle word wrap

  3. If present, comment out or remove the following setting to disable synchronization with Network Time Protocol (NTP) servers provided by DHCP: 

    sourcedir /run/chrony-dhcp
    Copy to Clipboard Toggle word wrap

  4. Restart the chronyd service: 

    systemctl restart chronyd
    Copy to Clipboard Toggle word wrap

Verification

  • Verify if the NTS keys were successfully established: 

    # chronyc -N authdata

Name/IP address  Mode KeyID Type KLen Last Atmp  NAK Cook CLen
================================================================
time.example.com  NTS     1   15  256  33m    0    0    8  100
nts.netnod.se   NTS     1   15  256  33m    0    0    8  100
ptbtime1.ptb.de   NTS     1   15  256  33m    0    0    8  100
    Copy to Clipboard Toggle word wrap

    The KeyID, Type, and KLen should have non-zero values. If the value is zero, check the system log for error messages from chronyd.

  • Verify the client is making NTP measurements: 

    # chronyc -N sources

MS Name/IP address Stratum Poll Reach LastRx Last sample
=========================================================
time.example.com   3        6   377    45   +355us[ +375us] +/-   11ms
nts.netnod.se   1        6   377    44   +237us[ +237us] +/-   23ms
ptbtime1.ptb.de    1        6   377    44   -170us[ -170us] +/-   22ms
    Copy to Clipboard Toggle word wrap

    The Reach column should have a non-zero value; ideally 377. If the value rarely gets 377 or never gets to 377, it indicates that NTP requests or responses are getting lost in the network.

If you run your own Network Time Protocol (NTP) server, you can enable the server Network Time Security (NTS) support to facilitate its clients to synchronize securely.

If the NTP server is a client of other servers, that is, it is not a Stratum 1 server, it should use NTS or symmetric key for its synchronization.

Prerequisites

  • Server private key in PEM format
  • Server certificate with required intermediate certificates in PEM format

Procedure

  1. Edit the /etc/chrony.conf file, and make the following changes: 

    ntsserverkey /etc/pki/tls/private/<ntp-server.example.net>.key
ntsservercert /etc/pki/tls/certs/<ntp-server.example.net>.crt
    Copy to Clipboard Toggle word wrap

  2. Set permissions on both the private key and the certificate file that allow the chrony user to read the files, for example 

    # chown root:chrony /etc/pki/tls/private/<ntp-server.example.net>.key /etc/pki/tls/certs/<ntp-server.example.net>.crt

# chmod 644 /etc/pki/tls/private/<ntp-server.example.net>.key /etc/pki/tls/certs/<ntp-server.example.net>.crt
    Copy to Clipboard Toggle word wrap
  3. Ensure that the ntsdumpdir /var/lib/chrony setting is present.

  4. Open the required ports in firewalld: 

    # firewall-cmd --permanent --add-port={323/udp,4460/tcp}
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  5. Restart the chronyd service: 

    # systemctl restart chronyd
    Copy to Clipboard Toggle word wrap

Verification

  1. Perform a test from a client machine: 

    $ chronyd -Q -t 3 'server

ntp-server.example.net iburst nts maxsamples 1'
2021-09-15T13:45:26Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
2021-09-15T13:45:26Z Disabled control of system clock
2021-09-15T13:45:28Z System clock wrong by 0.002205 seconds (ignored)
2021-09-15T13:45:28Z chronyd exiting
    Copy to Clipboard Toggle word wrap

    The System clock wrong message indicates the NTP server is accepting NTS-KE connections and responding with NTS-protected NTP messages.

  2. Verify the NTS-KE connections and authenticated NTP packets observed on the server: 

    # chronyc serverstats

NTP packets received       : 7
NTP packets dropped        : 0
Command packets received   : 22
Command packets dropped    : 0
Client log records dropped : 0
NTS-KE connections accepted: 1
NTS-KE connections dropped : 0
Authenticated NTP packets: 7
    Copy to Clipboard Toggle word wrap

    If the value of the NTS-KE connections accepted and Authenticated NTP packets field is a non-zero value, it means that at least one client was able to connect to the NTS-KE port and send an authenticated NTP request.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat