head 1.2; access; symbols pkgsrc-2024Q1:1.2.0.26 pkgsrc-2024Q1-base:1.2 pkgsrc-2023Q4:1.2.0.24 pkgsrc-2023Q4-base:1.2 pkgsrc-2023Q3:1.2.0.22 pkgsrc-2023Q3-base:1.2 pkgsrc-2023Q2:1.2.0.20 pkgsrc-2023Q2-base:1.2 pkgsrc-2023Q1:1.2.0.18 pkgsrc-2023Q1-base:1.2 pkgsrc-2022Q4:1.2.0.16 pkgsrc-2022Q4-base:1.2 pkgsrc-2022Q3:1.2.0.14 pkgsrc-2022Q3-base:1.2 pkgsrc-2022Q2:1.2.0.12 pkgsrc-2022Q2-base:1.2 pkgsrc-2022Q1:1.2.0.10 pkgsrc-2022Q1-base:1.2 pkgsrc-2021Q4:1.2.0.8 pkgsrc-2021Q4-base:1.2 pkgsrc-2021Q3:1.2.0.6 pkgsrc-2021Q3-base:1.2 pkgsrc-2021Q2:1.2.0.4 pkgsrc-2021Q2-base:1.2 pkgsrc-2021Q1:1.2.0.2 pkgsrc-2021Q1-base:1.2 pkgsrc-2020Q4:1.1.0.20 pkgsrc-2020Q4-base:1.1 pkgsrc-2020Q3:1.1.0.18 pkgsrc-2020Q3-base:1.1 pkgsrc-2020Q2:1.1.0.16 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.12 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.14 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.10 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.8 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.6 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.4 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2021.03.12.09.57.18; author nia; state Exp; branches; next 1.1; commitid prT7AGNrGu44h0LC; 1.1 date 2018.10.01.15.53.58; author nia; state Exp; branches 1.1.2.1; next ; commitid VGHjKiy4lYqUWgUA; 1.1.2.1 date 2018.10.01.15.53.58; author spz; state dead; branches; next 1.1.2.2; commitid FdIrNsBkLUYmyTUA; 1.1.2.2 date 2018.10.06.12.08.32; author spz; state Exp; branches; next ; commitid FdIrNsBkLUYmyTUA; desc @@ 1.2 log @chrony: Update to 4.0 New in version 4.0 ================== Enhancements ------------ * Add support for Network Time Security (NTS) authentication * Add support for AES-CMAC keys (AES128, AES256) with Nettle * Add authselectmode directive to control selection of unauthenticated sources * Add binddevice, bindacqdevice, bindcmddevice directives * Add confdir directive to better support fragmented configuration * Add sourcedir directive and "reload sources" command to support dynamic NTP sources specified in files * Add clockprecision directive * Add dscp directive to set Differentiated Services Code Point (DSCP) * Add -L option to limit log messages by severity * Add -p option to print whole configuration with included files * Add -U option to allow start under non-root user * Allow maxsamples to be set to 1 for faster update with -q/-Q option * Avoid replacing NTP sources with sources that have unreachable address * Improve pools to repeat name resolution to get "maxsources" sources * Improve source selection with trusted sources * Improve NTP loop test to prevent synchronisation to itself * Repeat iburst when NTP source is switched from offline state to online * Update clock synchronisation status and leap status more frequently * Update seccomp filter * Add "add pool" command * Add "reset sources" command to drop all measurements * Add authdata command to print details about NTP authentication * Add selectdata command to print details about source selection * Add -N option and sourcename command to print original names of sources * Add -a option to some commands to print also unresolved sources * Add -k, -p, -r options to clients command to select, limit, reset data Bug fixes --------- * Don't set interface for NTP responses to allow asymmetric routing * Handle RTCs that don't support interrupts * Respond to command requests with correct address on multihomed hosts Removed features ---------------- * Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) * Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option "version 3") * Drop support for line editing with GNU Readline @ text @$NetBSD: patch-examples_chrony.conf.example3,v 1.1 2018/10/01 15:53:58 nia Exp $ Prepare for SUBST, not processed by configure. --- examples/chrony.conf.example3.orig 2020-10-07 15:27:34.000000000 +0000 +++ examples/chrony.conf.example3 @@@@ -1,7 +1,7 @@@@ ####################################################################### # # This is an example chrony configuration file. You should copy it to -# /etc/chrony.conf after uncommenting and editing the options that you +# @@PKG_SYSCONFDIR@@/chrony.conf after uncommenting and editing the options that you # want to enable. The more obscure options are not included. Refer # to the documentation for these. # @@@@ -79,12 +79,12 @@@@ # immediately so that it doesn't gain or lose any more time. You # generally want this, so it is uncommented. -driftfile /var/lib/chrony/drift +driftfile @@VARBASE@@/lib/chrony/drift # If you want to enable NTP authentication with symmetric keys, you will need # to uncomment the following line and edit the file to set up the keys. -! keyfile /etc/chrony.keys +! keyfile @@PKG_SYSCONFDIR@@/chrony.keys # If you specify an NTP server with the nts option to enable authentication # with the Network Time Security (NTS) mechanism, or enable server NTS with @@@@ -92,15 +92,15 @@@@ driftfile /var/lib/chrony/drift # allow the client/server to save the NTS keys and cookies in order to reduce # the number of key establishments (NTS-KE sessions). -ntsdumpdir /var/lib/chrony +ntsdumpdir @@VARBASE@@/lib/chrony # If chronyd is configured to act as an NTP server and you want to enable NTS # for its clients, you will need a TLS certificate and private key. Uncomment # and edit the following lines to specify the locations of the certificate and # key. -! ntsservercert /etc/.../foo.example.net.crt -! ntsserverkey /etc/.../foo.example.net.key +! ntsservercert @@PKG_SYSCONFDIR@@/.../foo.example.net.crt +! ntsserverkey @@PKG_SYSCONFDIR@@/.../foo.example.net.key # chronyd can save the measurement history for the servers to files when # it exits. This is useful in 2 situations: @@@@ -117,14 +117,14 @@@@ ntsdumpdir /var/lib/chrony # # Uncomment the following line to use this. -! dumpdir /var/lib/chrony +! dumpdir @@VARBASE@@/lib/chrony # chronyd writes its process ID to a file. If you try to start a second # copy of chronyd, it will detect that the process named in the file is # still running and bail out. If you want to change the path to the PID # file, uncomment this line and edit it. The default path is shown. -! pidfile /var/run/chrony/chronyd.pid +! pidfile @@VARBASE@@/run/chrony/chronyd.pid # If the system timezone database is kept up to date and includes the # right/UTC timezone, chronyd can use it to determine the current @@@@ -165,7 +165,7 @@@@ ntsdumpdir /var/lib/chrony # produce some graphs of your system's timekeeping performance, or you # need help in debugging a problem. -! logdir /var/log/chrony +! logdir @@VARBASE@@/log/chrony ! log measurements statistics tracking # If you have real time clock support enabled (see below), you might want @@@@ -289,7 +289,7 @@@@ ntsdumpdir /var/lib/chrony # You need to have 'enhanced RTC support' compiled into your Linux # kernel. (Note, these options apply only to Linux.) -! rtcfile /var/lib/chrony/rtc +! rtcfile @@VARBASE@@/lib/chrony/rtc # Your RTC can be set to keep Universal Coordinated Time (UTC) or local # time. (Local time means UTC +/- the effect of your timezone.) If you @ 1.1 log @net/chrony: update to version 3.4. Changes: 19 Sep 2018: chrony-3.4 released Enhancements Add filter option to server/pool/peer directive Add minsamples and maxsamples options to hwtimestamp directive Add support for faster frequency adjustments in Linux 4.19 Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit Disable sub-second polling intervals for distant NTP sources Extend range of supported sub-second polling intervals Get/set IPv4 destination/source address of NTP packets on FreeBSD Make burst options and command useful with short polling intervals Modify auto_offline option to activate when sending request failed Respond from interface that received NTP request if possible Add onoffline command to switch between online and offline state according to current system network configuration Improve example NetworkManager dispatcher script Bug fixes Avoid waiting in Linux getrandom system call Fix PPS support on FreeBSD and NetBSD 4 Apr 2018: chrony-3.3 released Enhancements Add burst option to server/pool directive Add stratum and tai options to refclock directive Add support for Nettle crypto library Add workaround for missing kernel receive timestamps on Linux Wait for late hardware transmit timestamps Improve source selection with unreachable sources Improve protection against replay attacks on symmetric mode Allow PHC refclock to use socket in /var/run/chrony Add shutdown command to stop chronyd Simplify format of response to manual list command Improve handling of unknown responses in chronyc Bug fixes Respond to NTPv1 client requests with zero mode Fix -x option to not require CAP_SYS_TIME under non-root user Fix acquisitionport directive to work with privilege separation Fix handling of socket errors on Linux to avoid high CPU usage Fix chronyc to not get stuck in infinite loop after clock step 15 Sep 2017: chrony-3.2 released Enhancements Improve stability with NTP sources and reference clocks Improve stability with hardware timestamping Improve support for NTP interleaved modes Control frequency of system clock on macOS 10.13 and later Set TAI-UTC offset of system clock with leapsectz directive Minimise data in client requests to improve privacy Allow transmit-only hardware timestamping Add support for new timestamping options introduced in Linux 4.13 Add root delay, root dispersion and maximum error to tracking log Add mindelay and asymmetry options to server/peer/pool directive Add extpps option to PHC refclock to timestamp external PPS signal Add pps option to refclock directive to treat any refclock as PPS Add width option to refclock directive to filter wrong pulse edges Add rxfilter option to hwtimestamp directive Add -x option to disable control of system clock Add -l option to log to specified file instead of syslog Allow multiple command-line options to be specified together Allow starting without root privileges with -Q option Update seccomp filter for new glibc versions Dump history on exit by default with dumpdir directive Use hardening compiler options by default Bug fixes Don’t drop PHC samples with low-resolution system clock Ignore outliers in PHC tracking, RTC tracking, manual input Increase polling interval when peer is not responding Exit with error message when include directive fails Don’t allow slash after hostname in allow/deny directive/command Try to connect to all addresses in chronyc before giving up 31 Jan 2017: chrony-3.1 released Enhancements Add support for precise cross timestamping of PHC on Linux Add minpoll, precision, nocrossts options to hwtimestamp directive Add rawmeasurements option to log directive and modify measurements option to log only valid measurements from synchronised sources Allow sub-second polling interval with NTP sources Bug fixes Fix time smoothing in interleaved mode 16 Jan 2017: chrony-3.0 released Enhancements Add support for software and hardware timestamping on Linux Add support for client/server and symmetric interleaved modes Add support for MS-SNTP authentication in Samba Add support for truncated MACs in NTPv4 packets Estimate and correct for asymmetric network jitter Increase default minsamples and polltarget to improve stability with very low jitter Add maxjitter directive to limit source selection by jitter Add offset option to server/pool/peer directive Add maxlockage option to refclock directive Add -t option to chronyd to exit after specified time Add partial protection against replay attacks on symmetric mode Don’t reset polling interval when switching sources to online state Allow rate limiting with very short intervals Improve maximum server throughput on Linux and NetBSD Remove dump files after start Add tab-completion to chronyc with libedit/readline Add ntpdata command to print details about NTP measurements Allow all source options to be set in add server/peer command Indicate truncated addresses/hostnames in chronyc output Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses Bug fixes Fix crash with disabled asynchronous name resolving 21 Nov 2016: chrony-2.4.1 released Bug fixes Fix processing of kernel timestamps on non-Linux systems Fix crash with smoothtime directive Fix validation of refclock sample times Fix parsing of refclock directive 7 Jun 2016: chrony-2.4 released Enhancements Add orphan option to local directive for orphan mode compatible with ntpd Add distance option to local directive to set activation threshold (1 second by default) Add maxdrift directive to set maximum allowed drift of system clock Try to replace NTP sources exceeding maximum distance Randomise source replacement to avoid getting stuck with bad sources Randomise selection of sources from pools on start Ignore reference timestamp as ntpd doesn’t always set it correctly Modify tracking report to use same values as seen by NTP clients Add -c option to chronyc to write reports in CSV format Provide detailed manual pages Bug fixes Fix SOCK refclock to work correctly when not specified as last refclock Fix initstepslew and -q/-Q options to accept time from own NTP clients Fix authentication with keys using 512-bit hash functions Fix crash on exit when multiple signals are received Fix conversion of very small floating-point numbers in command packets Removed features Drop documentation in Texinfo format 16 Feb 2016: chrony-2.3 released Enhancements Add support for NTP and command response rate limiting Add support for dropping root privileges on Mac OS X, FreeBSD, Solaris Add require and trust options for source selection Enable logchange by default (1 second threshold) Set RTC on Mac OS X with rtcsync directive Allow binding to NTP port after dropping root privileges on NetBSD Drop CAP_NET_BIND_SERVICE capability on Linux when NTP port is disabled Resolve names in separate process when seccomp filter is enabled Replace old records in client log when memory limit is reached Don’t reveal local time and synchronisation state in client packets Don’t keep client sockets open for longer than necessary Ignore poll in KoD RATE packets as ntpd doesn’t always set it correctly Warn when using keys shorter than 80 bits Add keygen command to generate random keys easily Add serverstats command to report NTP and command packet statistics Bug fixes Fix clock correction after making step on Mac OS X Fix building on Solaris 20 Jan 2016: chrony-2.2.1 and chrony-1.31.2 released Security fixes Restrict authentication of NTP server/peer to specified key (CVE-2016-1567) CVE-2016-1567: Impersonation between authenticated peers When a server/peer was specified with a key number to enable authentication with a symmetric key, packets received from the server/peer were accepted if they were authenticated with any of the keys contained in the key file and not just the specified key. This allowed an attacker who knew one key of a client/peer to modify packets from its servers/peers that were authenticated with other keys in a man-in-the-middle (MITM) attack. For example, in a network where each NTP association had a separate key and all hosts had only keys they needed, a client of a server could not attack other clients of the server, but it could attack the server and also attack its own clients (i.e. modify packets from other servers). To not allow the server/peer to be authenticated with other keys, the authentication test was extended to check if the key ID in the received packet is equal to the configured key number. As a consequence, it’s no longer possible to authenticate two peers to each other with two different keys, both peers have to be configured to use the same key. This issue was discovered by Matt Street of Cisco ASIG. 19 Oct 2015: chrony-2.2 released Enhancements Add support for configuration and monitoring over Unix domain socket (accessible by root or chrony user when root privileges are dropped) Add support for system call filtering with seccomp on Linux (experimental) Add support for dropping root privileges on NetBSD Control frequency of system clock on FreeBSD, NetBSD, Solaris Add system leap second handling mode on FreeBSD, NetBSD, Solaris Add dynamic drift removal on Mac OS X Add support for setting real-time priority on Mac OS X Add maxdistance directive to limit source selection by root distance (3 seconds by default) Add refresh command to get new addresses of NTP sources Allow wildcard patterns in include directive Restore time from driftfile with -s option if later than RTC time Add configure option to set default hwclockfile Add -d option to chronyc to enable debug messages Allow multiple addresses to be specified for chronyc with -h option and reconnect when no valid reply is received Make check interval in waitsync command configurable Bug fixes Fix building on NetBSD, Solaris Restore time from driftfile with -s option if reading RTC failed Removed features Drop support for authentication with command key (run-time configuration is now allowed only for local users that can access the Unix domain socket) 23 Jun 2015: chrony-2.1.1 released Bug fixes Fix clock stepping by integer number of seconds on Linux 22 Jun 2015: chrony-2.1 released Enhancements Add support for Mac OS X Try to replace unreachable and falseticker servers/peers specified by name like pool sources Add leaponly option to smoothtime directive to allow synchronised leap smear between multiple servers Use specific reference ID when smoothing served time Add smoothing command to report time smoothing status Add smoothtime command to activate or reset time smoothing Bug fixes Fix crash in source selection with preferred sources Fix resetting of time smoothing Include packet precision in peer dispersion Fix crash in chronyc on invalid command syntax 27 Apr 2015: chrony-2.0 released Enhancements Update to NTP version 4 (RFC 5905) Add pool directive to specify pool of NTP servers Add leapsecmode directive to select how to correct clock for leap second Add smoothtime directive to smooth served time and enable leap smear Add minsources directive to set required number of selectable sources Add minsamples and maxsamples options for all sources Add tempcomp configuration with list of points Allow unlimited number of NTP sources, refclocks and keys Allow unreachable sources to remain selected Improve source selection Handle offline sources as unreachable Open NTP server port only when necessary (client access is allowed by allow directive/command or peer/broadcast is configured) Change default bindcmdaddress to loopback address Change default maxdelay to 3 seconds Change default stratumweight to 0.001 Update adjtimex synchronisation status Use system headers for adjtimex Check for memory allocation errors Reduce memory usage Add configure options to compile without NTP, cmdmon, refclock support Extend makestep command to set automatic clock stepping Bug fixes Add sanity checks for time and frequency offset Don’t report synchronised status during leap second Don’t combine reference clocks with close NTP sources Fix accepting requests from configured sources Fix initial fallback drift setting @ text @d1 1 a1 1 $NetBSD$ d5 1 a5 1 --- examples/chrony.conf.example3.orig 2018-09-19 14:38:15.000000000 +0000 d16 1 a16 1 @@@@ -65,12 +65,12 @@@@ d29 19 d49 4 a52 3 # it it exits. This is useful in 2 situations: @@@@ -88,14 +88,14 @@@@ driftfile /var/lib/chrony/drift # Enable these two options to use this. a53 1 ! dumponexit d67 1 a67 1 @@@@ -124,7 +124,7 @@@@ driftfile /var/lib/chrony/drift d76 1 a76 1 @@@@ -259,7 +259,7 @@@@ driftfile /var/lib/chrony/drift @ 1.1.2.1 log @file patch-examples_chrony.conf.example3 was added on branch pkgsrc-2018Q3 on 2018-10-06 12:08:32 +0000 @ text @d1 65 @ 1.1.2.2 log @Pullup ticket #5838 - requested by nia net/chrony: security update Revisions pulled up: - net/chrony/Makefile 1.36 - net/chrony/PLIST 1.7 - net/chrony/distinfo 1.12 - net/chrony/patches/patch-Makefile.in 1.2 - net/chrony/patches/patch-conf.c deleted - net/chrony/patches/patch-doc_Makefile.in 1.1 - net/chrony/patches/patch-examples_chrony.conf.example3 1.1 - net/chrony/patches/patch-examples_chrony.keys.example deleted - net/chrony/patches/patch-ntp__io.c deleted ------------------------------------------------------------------- Module Name: pkgsrc Committed By: nia Date: Mon Oct 1 15:53:58 UTC 2018 Modified Files: pkgsrc/net/chrony: Makefile PLIST distinfo pkgsrc/net/chrony/patches: patch-Makefile.in Added Files: pkgsrc/net/chrony/patches: patch-doc_Makefile.in patch-examples_chrony.conf.example3 Removed Files: pkgsrc/net/chrony/patches: patch-conf.c patch-examples_chrony.keys.example patch-ntp__io.c Log Message: net/chrony: update to version 3.4. Changes: 19 Sep 2018: chrony-3.4 released Enhancements Add filter option to server/pool/peer directive Add minsamples and maxsamples options to hwtimestamp directive Add support for faster frequency adjustments in Linux 4.19 Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit Disable sub-second polling intervals for distant NTP sources Extend range of supported sub-second polling intervals Get/set IPv4 destination/source address of NTP packets on FreeBSD Make burst options and command useful with short polling intervals Modify auto_offline option to activate when sending request failed Respond from interface that received NTP request if possible Add onoffline command to switch between online and offline state according to current system network configuration Improve example NetworkManager dispatcher script Bug fixes Avoid waiting in Linux getrandom system call Fix PPS support on FreeBSD and NetBSD 4 Apr 2018: chrony-3.3 released Enhancements Add burst option to server/pool directive Add stratum and tai options to refclock directive Add support for Nettle crypto library Add workaround for missing kernel receive timestamps on Linux Wait for late hardware transmit timestamps Improve source selection with unreachable sources Improve protection against replay attacks on symmetric mode Allow PHC refclock to use socket in /var/run/chrony Add shutdown command to stop chronyd Simplify format of response to manual list command Improve handling of unknown responses in chronyc Bug fixes Respond to NTPv1 client requests with zero mode Fix -x option to not require CAP_SYS_TIME under non-root user Fix acquisitionport directive to work with privilege separation Fix handling of socket errors on Linux to avoid high CPU usage Fix chronyc to not get stuck in infinite loop after clock step 15 Sep 2017: chrony-3.2 released Enhancements Improve stability with NTP sources and reference clocks Improve stability with hardware timestamping Improve support for NTP interleaved modes Control frequency of system clock on macOS 10.13 and later Set TAI-UTC offset of system clock with leapsectz directive Minimise data in client requests to improve privacy Allow transmit-only hardware timestamping Add support for new timestamping options introduced in Linux 4.13 Add root delay, root dispersion and maximum error to tracking log Add mindelay and asymmetry options to server/peer/pool directive Add extpps option to PHC refclock to timestamp external PPS signal Add pps option to refclock directive to treat any refclock as PPS Add width option to refclock directive to filter wrong pulse edges Add rxfilter option to hwtimestamp directive Add -x option to disable control of system clock Add -l option to log to specified file instead of syslog Allow multiple command-line options to be specified together Allow starting without root privileges with -Q option Update seccomp filter for new glibc versions Dump history on exit by default with dumpdir directive Use hardening compiler options by default Bug fixes Don’t drop PHC samples with low-resolution system clock Ignore outliers in PHC tracking, RTC tracking, manual input Increase polling interval when peer is not responding Exit with error message when include directive fails Don’t allow slash after hostname in allow/deny directive/command Try to connect to all addresses in chronyc before giving up 31 Jan 2017: chrony-3.1 released Enhancements Add support for precise cross timestamping of PHC on Linux Add minpoll, precision, nocrossts options to hwtimestamp directive Add rawmeasurements option to log directive and modify measurements option to log only valid measurements from synchronised sources Allow sub-second polling interval with NTP sources Bug fixes Fix time smoothing in interleaved mode 16 Jan 2017: chrony-3.0 released Enhancements Add support for software and hardware timestamping on Linux Add support for client/server and symmetric interleaved modes Add support for MS-SNTP authentication in Samba Add support for truncated MACs in NTPv4 packets Estimate and correct for asymmetric network jitter Increase default minsamples and polltarget to improve stability with very low jitter Add maxjitter directive to limit source selection by jitter Add offset option to server/pool/peer directive Add maxlockage option to refclock directive Add -t option to chronyd to exit after specified time Add partial protection against replay attacks on symmetric mode Don’t reset polling interval when switching sources to online state Allow rate limiting with very short intervals Improve maximum server throughput on Linux and NetBSD Remove dump files after start Add tab-completion to chronyc with libedit/readline Add ntpdata command to print details about NTP measurements Allow all source options to be set in add server/peer command Indicate truncated addresses/hostnames in chronyc output Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses Bug fixes Fix crash with disabled asynchronous name resolving 21 Nov 2016: chrony-2.4.1 released Bug fixes Fix processing of kernel timestamps on non-Linux systems Fix crash with smoothtime directive Fix validation of refclock sample times Fix parsing of refclock directive 7 Jun 2016: chrony-2.4 released Enhancements Add orphan option to local directive for orphan mode compatible with ntpd Add distance option to local directive to set activation threshold (1 second by default) Add maxdrift directive to set maximum allowed drift of system clock Try to replace NTP sources exceeding maximum distance Randomise source replacement to avoid getting stuck with bad sources Randomise selection of sources from pools on start Ignore reference timestamp as ntpd doesn’t always set it correctly Modify tracking report to use same values as seen by NTP clients Add -c option to chronyc to write reports in CSV format Provide detailed manual pages Bug fixes Fix SOCK refclock to work correctly when not specified as last refclock Fix initstepslew and -q/-Q options to accept time from own NTP clients Fix authentication with keys using 512-bit hash functions Fix crash on exit when multiple signals are received Fix conversion of very small floating-point numbers in command packets Removed features Drop documentation in Texinfo format 16 Feb 2016: chrony-2.3 released Enhancements Add support for NTP and command response rate limiting Add support for dropping root privileges on Mac OS X, FreeBSD, Solaris Add require and trust options for source selection Enable logchange by default (1 second threshold) Set RTC on Mac OS X with rtcsync directive Allow binding to NTP port after dropping root privileges on NetBSD Drop CAP_NET_BIND_SERVICE capability on Linux when NTP port is disabled Resolve names in separate process when seccomp filter is enabled Replace old records in client log when memory limit is reached Don’t reveal local time and synchronisation state in client packets Don’t keep client sockets open for longer than necessary Ignore poll in KoD RATE packets as ntpd doesn’t always set it correctly Warn when using keys shorter than 80 bits Add keygen command to generate random keys easily Add serverstats command to report NTP and command packet statistics Bug fixes Fix clock correction after making step on Mac OS X Fix building on Solaris 20 Jan 2016: chrony-2.2.1 and chrony-1.31.2 released Security fixes Restrict authentication of NTP server/peer to specified key (CVE-2016-1567) CVE-2016-1567: Impersonation between authenticated peers When a server/peer was specified with a key number to enable authentication with a symmetric key, packets received from the server/peer were accepted if they were authenticated with any of the keys contained in the key file and not just the specified key. This allowed an attacker who knew one key of a client/peer to modify packets from its servers/peers that were authenticated with other keys in a man-in-the-middle (MITM) attack. For example, in a network where each NTP association had a separate key and all hosts had only keys they needed, a client of a server could not attack other clients of the server, but it could attack the server and also attack its own clients (i.e. modify packets from other servers). To not allow the server/peer to be authenticated with other keys, the authentication test was extended to check if the key ID in the received packet is equal to the configured key number. As a consequence, it’s no longer possible to authenticate two peers to each other with two different keys, both peers have to be configured to use the same key. This issue was discovered by Matt Street of Cisco ASIG. 19 Oct 2015: chrony-2.2 released Enhancements Add support for configuration and monitoring over Unix domain socket (accessible by root or chrony user when root privileges are dropped) Add support for system call filtering with seccomp on Linux (experimental) Add support for dropping root privileges on NetBSD Control frequency of system clock on FreeBSD, NetBSD, Solaris Add system leap second handling mode on FreeBSD, NetBSD, Solaris Add dynamic drift removal on Mac OS X Add support for setting real-time priority on Mac OS X Add maxdistance directive to limit source selection by root distance (3 seconds by default) Add refresh command to get new addresses of NTP sources Allow wildcard patterns in include directive Restore time from driftfile with -s option if later than RTC time Add configure option to set default hwclockfile Add -d option to chronyc to enable debug messages Allow multiple addresses to be specified for chronyc with -h option and reconnect when no valid reply is received Make check interval in waitsync command configurable Bug fixes Fix building on NetBSD, Solaris Restore time from driftfile with -s option if reading RTC failed Removed features Drop support for authentication with command key (run-time configuration is now allowed only for local users that can access the Unix domain socket) 23 Jun 2015: chrony-2.1.1 released Bug fixes Fix clock stepping by integer number of seconds on Linux 22 Jun 2015: chrony-2.1 released Enhancements Add support for Mac OS X Try to replace unreachable and falseticker servers/peers specified by name like pool sources Add leaponly option to smoothtime directive to allow synchronised leap smear between multiple servers Use specific reference ID when smoothing served time Add smoothing command to report time smoothing status Add smoothtime command to activate or reset time smoothing Bug fixes Fix crash in source selection with preferred sources Fix resetting of time smoothing Include packet precision in peer dispersion Fix crash in chronyc on invalid command syntax 27 Apr 2015: chrony-2.0 released Enhancements Update to NTP version 4 (RFC 5905) Add pool directive to specify pool of NTP servers Add leapsecmode directive to select how to correct clock for leap second Add smoothtime directive to smooth served time and enable leap smear Add minsources directive to set required number of selectable sources Add minsamples and maxsamples options for all sources Add tempcomp configuration with list of points Allow unlimited number of NTP sources, refclocks and keys Allow unreachable sources to remain selected Improve source selection Handle offline sources as unreachable Open NTP server port only when necessary (client access is allowed by allow directive/command or peer/broadcast is configured) Change default bindcmdaddress to loopback address Change default maxdelay to 3 seconds Change default stratumweight to 0.001 Update adjtimex synchronisation status Use system headers for adjtimex Check for memory allocation errors Reduce memory usage Add configure options to compile without NTP, cmdmon, refclock support Extend makestep command to set automatic clock stepping Bug fixes Add sanity checks for time and frequency offset Don’t report synchronised status during leap second Don’t combine reference clocks with close NTP sources Fix accepting requests from configured sources Fix initial fallback drift setting To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.36 pkgsrc/net/chrony/Makefile cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/chrony/PLIST cvs rdiff -u -r1.11 -r1.12 pkgsrc/net/chrony/distinfo cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/chrony/patches/patch-Makefile.in cvs rdiff -u -r1.1 -r0 pkgsrc/net/chrony/patches/patch-conf.c \ pkgsrc/net/chrony/patches/patch-examples_chrony.keys.example cvs rdiff -u -r0 -r1.1 pkgsrc/net/chrony/patches/patch-doc_Makefile.in \ pkgsrc/net/chrony/patches/patch-examples_chrony.conf.example3 cvs rdiff -u -r1.2 -r0 pkgsrc/net/chrony/patches/patch-ntp__io.c @ text @a0 65 $NetBSD$ Prepare for SUBST, not processed by configure. --- examples/chrony.conf.example3.orig 2018-09-19 14:38:15.000000000 +0000 +++ examples/chrony.conf.example3 @@@@ -1,7 +1,7 @@@@ ####################################################################### # # This is an example chrony configuration file. You should copy it to -# /etc/chrony.conf after uncommenting and editing the options that you +# @@PKG_SYSCONFDIR@@/chrony.conf after uncommenting and editing the options that you # want to enable. The more obscure options are not included. Refer # to the documentation for these. # @@@@ -65,12 +65,12 @@@@ # immediately so that it doesn't gain or lose any more time. You # generally want this, so it is uncommented. -driftfile /var/lib/chrony/drift +driftfile @@VARBASE@@/lib/chrony/drift # If you want to enable NTP authentication with symmetric keys, you will need # to uncomment the following line and edit the file to set up the keys. -! keyfile /etc/chrony.keys +! keyfile @@PKG_SYSCONFDIR@@/chrony.keys # chronyd can save the measurement history for the servers to files when # it it exits. This is useful in 2 situations: @@@@ -88,14 +88,14 @@@@ driftfile /var/lib/chrony/drift # Enable these two options to use this. ! dumponexit -! dumpdir /var/lib/chrony +! dumpdir @@VARBASE@@/lib/chrony # chronyd writes its process ID to a file. If you try to start a second # copy of chronyd, it will detect that the process named in the file is # still running and bail out. If you want to change the path to the PID # file, uncomment this line and edit it. The default path is shown. -! pidfile /var/run/chrony/chronyd.pid +! pidfile @@VARBASE@@/run/chrony/chronyd.pid # If the system timezone database is kept up to date and includes the # right/UTC timezone, chronyd can use it to determine the current @@@@ -124,7 +124,7 @@@@ driftfile /var/lib/chrony/drift # produce some graphs of your system's timekeeping performance, or you # need help in debugging a problem. -! logdir /var/log/chrony +! logdir @@VARBASE@@/log/chrony ! log measurements statistics tracking # If you have real time clock support enabled (see below), you might want @@@@ -259,7 +259,7 @@@@ driftfile /var/lib/chrony/drift # You need to have 'enhanced RTC support' compiled into your Linux # kernel. (Note, these options apply only to Linux.) -! rtcfile /var/lib/chrony/rtc +! rtcfile @@VARBASE@@/lib/chrony/rtc # Your RTC can be set to keep Universal Coordinated Time (UTC) or local # time. (Local time means UTC +/- the effect of your timezone.) If you @