[Question title]: How to build chrony with SHA hash authentication?
[Posted]: 2016-03-07 06:26:30
[Question]:

I am trying to build chrony for an embedded Linux system. I can currently compile it, run it and synchronize the time. I can also enable authentication with MD5, and that works fine too.

What I cannot figure out is how to enable SHA hashes. It is used when the package is built, but there is no option for it in configure. Has anyone done this before?

Thanks

This is the output when I set the hash type in the chrony.keys file to SHA1:

root@gsdm:~# chronyd -d 
2000-01-08T00:54:56Z chronyd version 2.2 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SECHASH +ASYNCDNS +IPV6 -DEBUG)
2000-01-08T00:54:56Z Unknown hash function in key 12
2000-01-08T00:54:56Z Initial frequency 1.355 ppm

When I run ./configure -h I get this:

`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]...

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=/home/user'.

For better control, use the options below.
  --disable-readline     Disable line editing support
  --without-readline     Don't use GNU readline even if it is available
  --without-editline     Don't use editline even if it is available
  --readline-dir=DIR     Specify parent of readline include and lib directories
  --readline-inc-dir=DIR Specify where readline include directory is
  --readline-lib-dir=DIR Specify where readline lib directory is
  --with-ncurses-library=DIR Specify where ncurses lib directory is
  --disable-sechash      Disable support for hashes other than MD5
  --without-nss          Don't use NSS even if it is available
  --without-tomcrypt     Don't use libtomcrypt even if it is available
  --disable-cmdmon       Disable command and monitoring support
  --disable-ntp          Disable NTP support
  --disable-refclock     Disable reference clock support
  --disable-phc          Disable PHC refclock driver
  --disable-pps          Disable PPS refclock driver
  --disable-ipv6         Disable IPv6 support
  --disable-rtc          Don't include RTC even on Linux
  --disable-privdrop     Disable support for dropping root privileges
  --without-libcap       Don't use libcap even if it is available
  --enable-scfilter      Enable support for system call filtering
  --without-seccomp      Don't use seccomp even if it is available
  --disable-asyncdns     Disable asynchronous name resolving
  --disable-forcednsretry Don't retry on permanent DNS error
  --with-ntp-era=SECONDS Specify earliest assumed NTP time in seconds
                         since 1970-01-01 [50*365 days ago]
  --with-user=USER       Specify default chronyd user [root]
  --with-hwclockfile=PATH Specify default path to hwclock(8) adjtime file
  --with-sendmail=PATH   Path to sendmail binary [/usr/lib/sendmail]
  --enable-debug         Enable debugging support

Fine tuning of the installation directories:
  --sysconfdir=DIR       chrony.conf location [/etc]
  --bindir=DIR           user executables [EPREFIX/bin]
  --sbindir=DIR          system admin executables [EPREFIX/sbin]
  --datarootdir=DIR      data root [PREFIX/share]
  --infodir=DIR          info documentation [DATAROOTDIR/info]
  --mandir=DIR           man documentation [DATAROOTDIR/man]
  --docdir=DIR           documentation root [DATAROOTDIR/doc/chrony]
  --localstatedir=DIR    modifiable single-machine data [/var]
  --chronysockdir=DIR    location for chrony sockets [LOCALSTATEDIR/run/chrony]
  --chronyvardir=DIR     location for chrony data [LOCALSTATEDIR/lib/chrony]

Overriding system detection when cross-compiling:
  --host-system=OS       Specify system name (uname -s)
  --host-release=REL     Specify system release (uname -r)
  --host-machine=CPU     Specify machine (uname -m)

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  CPPFLAGS    C preprocessor flags, e.g. -I<include dir> if you have
              headers in a nonstandard directory <include dir>
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

[Discussion]:

    Tags: hash md5 sha ntp


    [Answer 1]:

    https://chrony.tuxfamily.org/doc/3.5/installation.html

    If development files for the Nettle, NSS, or libtomcrypt library are available, chronyd will be built with support for other cryptographic hash functions than MD5, which can be used for NTP authentication with a symmetric key. 
    

    -SECHASH means a chrony build compiled without Nettle, NSS or libtomcrypt, so if you want to use SHA keys you can install it from source.
    On Alpine 3.8, I installed the nettle-dev library:

    apk add nettle-dev
    ./configure
    ... ...
    Checking for nettle : Yes
    Features : +CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -READLINE +SECHASH +IPV6 -DEBUG
    Creating Makefile
    Creating doc/Makefile
    Creating test/unit/Makefile
    
    make install
    

    The feature list shows SECHASH enabled, so this build does support SHA1.

    [Discussion]:

      [Answer 2]:

      Secure hashes require tomcrypt or NSS; if either of these libraries is present on your system, they are enabled by default at configure time.

      There is no configure option to enable them, but there are options to disable them:

      --disable-sechash      Disable support for hashes other than MD5
      --without-nss          Don't use NSS even if it is available
      --without-tomcrypt     Don't use libtomcrypt even if it is available
      

      The -SECHASH in the first line of chrony's output means that the secure hash option was disabled at configure time, or (more likely) that you do not have the necessary libraries installed.

      [Discussion]:
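As an added example (not code from the original post, the answers, or the chrony project), the following POSIX shell script automates the check that both answers describe: it extracts the feature list from a chronyd version or startup line (assumed, as in the question's log line, to be printed in parentheses) and refuses to pair a chrony.keys file that names a SHA-family hash with a binary that lacks +SECHASH, so the mismatch is caught when the image is built rather than surfacing at runtime as "Unknown hash function in key 12". It also flags key files that still carry MD5 keys once +SECHASH is available. The feature strings and the key file contents are constructed sample data, not real keys; the key file layout assumed is the documented "ID [HASH] KEY" form with "#" comments, where a line with no hash field means MD5.

```shell
#!/bin/sh
# Added example (not from the original post or the chrony project): a
# build-time gate that keeps a chronyd built without +SECHASH from being
# shipped with a chrony.keys file that uses SHA-family hashes.
# Assumptions: the feature list comes from `chronyd -v` output or from the
# daemon's first log line, both written as "(+FEAT -FEAT ...)"; the keys
# file follows the "ID [HASH] KEY" layout with '#' comment lines.

# Print the "+FEAT -FEAT ..." list found in parentheses on a chronyd line.
features_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*(\([+-][^)]*\)).*/\1/p'
}

# Succeed (exit 0) when "+NAME" is present in a feature list.
has_feature() {
    case " $1 " in
        *" +$2 "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed when any key line in FILE names a hash other than MD5.
# A two-field line ("ID KEY") has no hash field and therefore means MD5.
keyfile_needs_sechash() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF >= 3 && toupper($2) != "MD5" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeed when any key line in FILE is MD5, explicitly or by default.
keyfile_has_md5() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF == 2 || (NF >= 3 && toupper($2) == "MD5") { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_build FEATURES KEYFILE
#   0 = consistent, 1 = keys need +SECHASH but the build lacks it,
#   2 = build is fine but MD5 keys remain in the file
check_build() {
    if keyfile_needs_sechash "$2" && ! has_feature "$1" SECHASH; then
        echo "ERROR: $2 uses a non-MD5 hash but this chronyd lacks +SECHASH" >&2
        return 1
    fi
    if keyfile_has_md5 "$2"; then
        echo "WARNING: $2 still contains MD5 keys" >&2
        return 2
    fi
    return 0
}

# --- constructed demonstration input (sample data, not real keys) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/chrony.keys" <<'EOF'
# constructed sample chrony.keys
12 SHA1   HEX:9e107d9d372bb6826bd81d3542a419d6
13 SHA256 HEX:4a6f686e5f736d6974685f6b65795f3133
EOF

# The first line mirrors the question's startup log; the second mirrors the
# `chronyd -v` style feature line of a build with Nettle (constructed).
old_build='2000-01-08T00:54:56Z chronyd version 2.2 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SECHASH +ASYNCDNS +IPV6 -DEBUG)'
new_build='chronyd (chrony) version 3.5 (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -READLINE +SECHASH +IPV6 -DEBUG)'

for line in "$old_build" "$new_build"; do
    feats=$(features_from_line "$line")
    if check_build "$feats" "$demo_dir/chrony.keys"; then
        echo "OK: features [$feats] match $demo_dir/chrony.keys"
    fi
done
rm -rf "$demo_dir"
```

Run it as a gate in the image build: feed the output of `chronyd -v` (or the first startup log line) to features_from_line and point check_build at the keys file you are about to ship. The first build above is rejected with return code 1, the second passes; a key file that still contains MD5 keys on a +SECHASH build returns 2 so that the upgrade actually retires the weaker hash instead of just making SHA available.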
