From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 7 Jul 2021 14:45:46 +0000 (+0200)
Subject: doc: improve ntsserverkey/cert description
X-Git-Tag: 4.2-pre1~76
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=789817cd91695cbb9e8b4f1e90a0393c147c2c70;p=thirdparty%2Fchrony.git

doc: improve ntsserverkey/cert description

The files are read after dropping root privileges. They need to be
readable by the chrony user. The error message "Could not set
credentials : Error while reading file." does not make this requirement
very obvious.
---

diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
index 9134fb51..bd4f70d0 100644
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -1604,7 +1604,8 @@ The port will be open only when a certificate and key is specified by the
 This directive specifies a file containing a certificate in the PEM format
 for *chronyd* to operate as an NTS server. The file should also include
 any intermediate certificates that the clients will need to validate the
-server's certificate.
+server's certificate. The file needs to be readable by the user under which
+*chronyd* is running after dropping root privileges.
 +
 This directive can be used multiple times to specify multiple certificates for
 different names of the server.
@@ -1616,7 +1617,9 @@ recommended for a near-seamless server operation.
 
 [[ntsserverkey]]*ntsserverkey* _file_::
 This directive specifies a file containing a private key in the PEM format
-for *chronyd* to operate as an NTS server.
+for *chronyd* to operate as an NTS server. The file needs to be readable by
+the user under which *chronyd* is running after dropping root privileges. For
+security reasons, it should not be readable by other users.
 +
 This directive can be used multiple times to specify multiple keys. The number
 of keys must be the same as the number of certificates and the corresponding