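I'm trying to build chrony for an embedded Linux system. I can currently compile it, run it, and sync time. I can also enable authentication with MD5, and that works too.
I can't figure out how to enable SHA hashes. It would be done when building the package, but there is no option in configure. Has anyone done this?
Thanks
If I set the hash type in the chrony.keys file to SHA1, this is the output:
root@gsdm:~# chronyd -d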
2000-01-08T00:54:56Z chronyd version 2.2 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SECHASH +ASYNCDNS +IPV6 -DEBUG)
2000-01-08T00:54:56Z Unknown hash function in key 12
2000-01-08T00:54:56Z Initial frequency 1.355 ppm
When I run ./configure -h I get this:
`configure' configures this package to adapt to many kinds of systems.
Usage: ./configure [OPTION]...
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=/home/user'.
For better control, use the options below.
--disable-readline Disable line editing support
--without-readline Don't use GNU readline even if it is available
--without-editline Don't use editline even if it is available
--readline-dir=DIR Specify parent of readline include and lib directories
--readline-inc-dir=DIR Specify where readline include directory is
--readline-lib-dir=DIR Specify where readline lib directory is
--with-ncurses-library=DIR Specify where ncurses lib directory is
--disable-sechash Disable support for hashes other than MD5
--without-nss Don't use NSS even if it is available
--without-tomcrypt Don't use libtomcrypt even if it is available
--disable-cmdmon Disable command and monitoring support
--disable-ntp Disable NTP support
--disable-refclock Disable reference clock support
--disable-phc Disable PHC refclock driver
--disable-pps Disable PPS refclock driver
--disable-ipv6 Disable IPv6 support
--disable-rtc Don't include RTC even on Linux
--disable-privdrop Disable support for dropping root privileges
--without-libcap Don't use libcap even if it is available
--enable-scfilter Enable support for system call filtering
--without-seccomp Don't use seccomp even if it is available
--disable-asyncdns Disable asynchronous name resolving
--disable-forcednsretry Don't retry on permanent DNS error
--with-ntp-era=SECONDS Specify earliest assumed NTP time in seconds
since 1970-01-01 [50*365 days ago]
--with-user=USER Specify default chronyd user [root]
--with-hwclockfile=PATH Specify default path to hwclock(8) adjtime file
--with-sendmail=PATH Path to sendmail binary [/usr/lib/sendmail]
--enable-debug Enable debugging support
Fine tuning of the installation directories:
--sysconfdir=DIR chrony.conf location [/etc]
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--datarootdir=DIR data root [PREFIX/share]
--infodir=DIR info documentation [DATAROOTDIR/info]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root [DATAROOTDIR/doc/chrony]
--localstatedir=DIR modifiable single-machine data [/var]
--chronysockdir=DIR location for chrony sockets [LOCALSTATEDIR/run/chrony]
--chronyvardir=DIR location for chrony data [LOCALSTATEDIR/lib/chrony]
Overriding system detection when cross-compiling:
--host-system=OS Specify system name (uname -s)
--host-release=REL Specify system release (uname -r)
--host-machine=CPU Specify machine (uname -m)
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
CPPFLAGS C preprocessor flags, e.g. -I<include dir> if you have
headers in a nonstandard directory <include dir>
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
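Answer 0 (score: 0)
Secure hashes require tomcrypt or NSS, and are enabled by default at configure time if either of those libraries is present on your system.
There is no configure option to enable them, but there are options to disable them: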
--disable-sechash Disable support for hashes other than MD5
--without-nss Don't use NSS even if it is available
--without-tomcrypt Don't use libtomcrypt even if it is available
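The -SECHASH in the first line of the chrony output means that the secure hash option was disabled at configure time, or (more likely) that you don't have the necessary libraries installed.
Answer 1 (score: 0)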
https://chrony.tuxfamily.org/doc/3.5/installation.html
If development files for the Nettle, NSS, or libtomcrypt library are available, chronyd will be built with support for other cryptographic hash functions than MD5, which can be used for NTP authentication with a symmetric key.
-SECHASH means it is not the full version compiled with Nettle, NSS, or libtomcrypt, so if you want to use SHA keys, you can install from source.
On Alpine 3.8, I installed the nettle-dev library:
apk add nettle-dev
./configure
... ...
Checking for nettle : Yes
Features : +CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -READLINE +SECHASH +IPV6 -DEBUG
Creating Makefile
Creating doc/Makefile
Creating test/unit/Makefile
make install
The Features line shows that SECHASH is enabled, so this build does support SHA1.
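A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original question or answers: it reads the feature list from a chronyd startup line (or the Features line printed by configure) and lists the key IDs in a key file that use a hash other than MD5, which a -SECHASH build rejects. The function names and the sample key file are constructed for this example; the key file layout assumed is `ID [HASH] KEY`, with MD5 as the default when no hash is given.

```shell
#!/bin/sh
# Added example (not from the original thread): flag chrony keys that a
# build without +SECHASH will reject with "Unknown hash function in key N".

# Return 0 if the feature list in $1 contains +$2 (e.g. +SECHASH).
has_feature() {
    case " $(printf '%s' "$1" | tr '()' '  ') " in
        *" +$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print IDs of keys whose hash type is not MD5. Key lines are
# "ID [HASH] KEY"; with only two fields the hash defaults to MD5.
non_md5_keys() {
    awk '
        /^[ \t]*([#;!%]|$)/ { next }   # skip comments and blank lines
        NF >= 3 && toupper($2) != "MD5" { print $1 }
    ' "$1"
}

# Print key IDs the build cannot use; no output means every key is usable.
# $1 = startup/Features line, $2 = key file path
unusable_keys() {
    has_feature "$1" SECHASH || non_md5_keys "$2"
}

# Demo: startup line quoted in the question, key file constructed for
# this example (key material is placeholder data).
BUILD='chronyd version 2.2 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SECHASH +ASYNCDNS +IPV6 -DEBUG)'
KEYS=$(mktemp)
cat > "$KEYS" <<'EOF'
# constructed sample chrony.keys
1 MD5 HEX:00112233445566778899AABBCCDDEEFF
2 examplepassword
12 SHA1 HEX:00112233445566778899AABBCCDDEEFF00112233
EOF
for id in $(unusable_keys "$BUILD" "$KEYS"); do
    echo "key $id needs a build with +SECHASH"
done
rm -f "$KEYS"
```

Running it in an image build or deployment step catches the case where a key file with SHA keys is shipped alongside a daemon that only supports MD5.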