doc: warn about permissions in keyfile description

author Miroslav Lichvar <mlichvar@redhat.com>

Wed, 12 Sep 2018 08:43:01 +0000 (10:43 +0200)

committer Miroslav Lichvar <mlichvar@redhat.com>

Wed, 12 Sep 2018 08:43:01 +0000 (10:43 +0200)
author Miroslav Lichvar <mlichvar@redhat.com>
Wed, 12 Sep 2018 08:43:01 +0000 (10:43 +0200)
committer Miroslav Lichvar <mlichvar@redhat.com>
Wed, 12 Sep 2018 08:43:01 +0000 (10:43 +0200)
diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc

index 4a39c21bff00c1d71de40e9e7dcbf83580bed07d..c4c7f68970115fa603b3e93eb75bc60a4137ec1b 100644 (file)
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -2049,6 +2049,10 @@ that has password shorter than 80 bits.
  The <<chronyc.adoc#keygen,*keygen*>> command of *chronyc* can be used to
  generate random keys for the key file. By default, it generates 160-bit MD5 or
  SHA1 keys.
++
+For security reasons, the file should be readable only by root and the user
+under which *chronyd* is normally running (to allow *chronyd* to re-read the
+file when the <<chronyc.adoc#rekey,*rekey*>> command is issued by *chronyc*).
  
  [[lock_all]]*lock_all*::
  The *lock_all* directive will lock chronyd into RAM so that it will never be
author	Miroslav Lichvar <mlichvar@redhat.com>
	Wed, 12 Sep 2018 08:43:01 +0000 (10:43 +0200)
committer	Miroslav Lichvar <mlichvar@redhat.com>
	Wed, 12 Sep 2018 08:43:01 +0000 (10:43 +0200)