! maxdrift 100
+# By default, chronyd allows synchronisation to an unauthenticated NTP
+# source (i.e. specified without the nts and key options) if it agrees with
+# a majority of authenticated NTP sources, or if no authenticated source is
+# specified. If you don't want chronyd to ever synchronise to an
+# unauthenticated NTP source, uncomment the first from the following lines.
+# If you don't want to synchronise to an unauthenticated NTP source only
+# when an authenticated source is specified, uncomment the second line.
+# If you want chronyd to ignore authentication in the source selection,
+# uncomment the third line.
+
+! authselectmode require
+! authselectmode prefer
+! authselectmode ignore
+
#######################################################################
### FILENAMES ETC
# Chrony likes to keep information about your computer's clock in files.
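Review bot: the wording of the new authselectmode comment is hard to follow: "uncomment the first from the following lines" should be "uncomment the first of the following lines", and "If you don't want to synchronise to an unauthenticated NTP source only when an authenticated source is specified" is a double negative that readers will misparse. Suggest describing each mode positively next to its line, e.g. "require: never synchronise to an unauthenticated source", "prefer: ignore unauthenticated sources only while at least one authenticated source is configured", "ignore: authentication plays no part in source selection". It would also help to name `require` as the hardened choice for a host whose sources are all NTS or key authenticated, since the default described at the top of the comment still permits synchronisation to an unauthenticated source when it agrees with a majority of authenticated ones.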
! keyfile /etc/chrony.keys
+# If you specify an NTP server with the nts option to enable authentication
+# with the Network Time Security (NTS) mechanism, or enable server NTS with
+# the ntsservercert and ntsserverkey directives below, the following line will
+# allow the client/server to save the NTS keys and cookies in order to reduce
+# the number of key establishments (NTS-KE sessions).
+
+ntsdumpdir /var/lib/chrony
+
+# If chronyd is configured to act as an NTP server and you want to enable NTS
+# for its clients, you will need a TLS certificate and private key. Uncomment
+# and edit the following lines to specify the locations of the certificate and
+# key.
+
+! ntsservercert /etc/.../foo.example.net.crt
+! ntsserverkey /etc/.../foo.example.net.key
+
# chronyd can save the measurement history for the servers to files when
-# it it exits. This is useful in 2 situations:
+# it exits. This is useful in 2 situations:
#
-# 1. On Linux, if you stop chronyd and restart it with '-r' (e.g. after
+# 1. If you stop chronyd and restart it with the '-r' option (e.g. after
# an upgrade), the old measurements will still be relevant when chronyd
# is restarted. This will reduce the time needed to get accurate
-# gain/loss measurements, especially with a dial-up link.
+# gain/loss measurements.
#
-# 2. Again on Linux, if you use the RTC support and start chronyd with
+# 2. On Linux, if you use the RTC support and start chronyd with
# '-r -s' on bootup, measurements from the last boot will still be
# useful (the real time clock is used to 'flywheel' chronyd between
# boots).
#
-# Enable these two options to use this.
+# Uncomment the following line to use this.
-! dumponexit
! dumpdir /var/lib/chrony
# chronyd writes its process ID to a file. If you try to start a second
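Review bot: `ntsdumpdir /var/lib/chrony` is the only directive in this hunk added without the leading `!`, while `ntsservercert`, `ntsserverkey` and `dumpdir` stay commented out; since the preceding comment says this directory receives NTS keys and cookies, the comment should also state that it must be writable by, and readable only by, the user chronyd runs as, and the `ntsserverkey` comment should likewise say the private key file needs restrictive permissions, not just a location. With `! dumponexit` removed and "Enable these two options" changed to "Uncomment the following line to use this", the comment now implies that `dumpdir` alone enables the dump on exit; say so explicitly so readers carrying over older configs know `dumponexit` is no longer needed. Minor: "useful in 2 situations" reads better as "useful in two situations".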
#######################################################################
### ACTING AS AN NTP SERVER
# You might want the computer to be an NTP server for other computers.
-# e.g. you might be running chronyd on a dial-up machine that has a LAN
-# sitting behind it with several 'satellite' computers on it.
#
# By default, chronyd does not allow any clients to access it. You need
# to explicitly enable access using 'allow' and 'deny' directives.
# You can have as many allow and deny directives as you need. The order
# is unimportant.
-# If you want chronyd to act as an NTP broadcast server, enable and edit
-# (and maybe copy) the following line. This means that a broadcast
-# packet is sent to the address 192.168.1.255 every 60 seconds. The
-# address MUST correspond to the broadcast address of one of the network
-# interfaces on your machine. If you have multiple network interfaces,
-# add a broadcast line for each.
-
-! broadcast 60 192.168.1.255
-
# If you want to present your computer's time for others to synchronise
# with, even if you don't seem to be synchronised to any NTP servers
# yourself, enable the following line. The value 10 may be varied
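Review bot: the removal of the `! broadcast 60 192.168.1.255` example and its explanation leaves the file with no mention of broadcast serving at all; if the directive is still supported, keep a one-line pointer in the "ACTING AS AN NTP SERVER" comment so users do not conclude it was dropped, and if it was in fact removed, the commit message should say so. Dropping the dial-up sentences is fine, but the bare `#` line now sits directly after "You might want the computer to be an NTP server for other computers." and can go as well.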