From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 12 Sep 2018 08:43:01 +0000 (+0200)
Subject: doc: warn about permissions in keyfile description
X-Git-Tag: 3.4~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=692cea49f85a0e33651bf5f7732da1b66db7272d;p=thirdparty%2Fchrony.git

doc: warn about permissions in keyfile description
---

diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
index 4a39c21b..c4c7f689 100644
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -2049,6 +2049,10 @@ that has password shorter than 80 bits.
 The <<chronyc.adoc#keygen,*keygen*>> command of *chronyc* can be used to
 generate random keys for the key file. By default, it generates 160-bit MD5 or
 SHA1 keys.
++
+For security reasons, the file should be readable only by root and the user
+under which *chronyd* is normally running (to allow *chronyd* to re-read the
+file when the <<chronyc.adoc#rekey,*rekey*>> command is issued by *chronyc*).
 
 [[lock_all]]*lock_all*::
 The *lock_all* directive will lock chronyd into RAM so that it will never be