Bug 904260 - [FEAT] chronyc - authenticate without password when chrony.keys is readable
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: chrony
Version: 18
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-01-25 21:32 UTC by Aleksandar Kostadinov
Modified: 2013-08-06 00:22 UTC (History)

Fixed In Version: chrony-1.28-1.fc18
Doc Type: Bug Fix
Last Closed: 2013-05-16 12:54:16 UTC
Type: Bug

Description Aleksandar Kostadinov 2013-01-25 21:32:07 UTC
chrony-1.27-0.5.pre1.git1ca844.fc18.x86_64
running as root:

chronyc> reselect
501 Not authorised

I have not modified key file and conf file from defaults and can't spot any problem with them. FYI I've installed since beta if that matters.

Comment 1 Miroslav Lichvar 2013-02-01 16:18:59 UTC
The communication between chronyc and chronyd is done over UDP, so it needs to be authorized before issuing commands such as reselect. To authorize, you need to use the authhash and password commands. Alternatively, you can use the chrony-helper wrapper, which will do that automatically.

/usr/libexec/chrony-helper command reselect

Comment 2 Aleksandar Kostadinov 2013-02-01 16:32:28 UTC
I have to disagree here. According to docs /etc/chrony.keys is used for authentication. "commandkey 1" is present in configuration. 

So in a default installation chronyc should be able to command chronyd if it is run by root or any other user having read access to /etc/chrony.keys

Am I misinterpreting something?

In any case it makes sense after a standard installation of chrony to be able to control it with chronyc. I can't understand what is the reason for this to not work out of the box. But my request is to have chronyc authenticate with daemon out of the box after installation. Actually I have it configured by firstboot so the bug can be there instead.

Comment 3 Miroslav Lichvar 2013-02-01 16:46:51 UTC
The documentation says you need to use the password command:

http://chrony.tuxfamily.org/manual.html#Security-with-chronyc

Yes, chronyc could parse chrony.conf and the key file if it's run under root, but it doesn't do that (yet). I think that would be a feature request. Is that what you meant?
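Added example, not part of the thread and not chrony or chrony-helper code: a sketch of the lookup discussed in Comment 3, reading the command key ID and key file path from chrony.conf and printing the authhash and password commands for chronyc. It refuses to proceed when the key file is readable by every local user, since anyone who can read that file can authenticate to chronyd. The function names, the assumed file formats (noted in the comments) and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not chrony or chrony-helper code. Assumed formats:
#   chrony.conf: "commandkey <id>" and "keyfile <path>"
#   key file:    "<id> [<hash>] <key>", hash taken as MD5 when omitted

# Print the last value given for a one-argument directive ($2) in file $1.
conf_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# Print "<hash> <key>" for key ID $2 in key file $1 (commented lines never match).
key_entry() {
    awk -v id="$2" '$1 == id { if (NF >= 3) print $2, $3; else print "MD5", $2; exit }' "$1"
}

# Succeed if "other" users can read the file, i.e. any local account could
# read the command key and authenticate to chronyd.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print the chronyc commands that authenticate and then run the given command.
# Returns 2: no commandkey/unreadable key file, 3: world-readable, 4: key ID absent.
chronyc_script() {
    conf=$1; shift
    id=$(conf_value "$conf" commandkey)
    keyfile=$(conf_value "$conf" keyfile)
    [ -n "$id" ] && [ -r "$keyfile" ] || return 2
    world_readable "$keyfile" && return 3
    entry=$(key_entry "$keyfile" "$id")
    [ -n "$entry" ] || return 4
    printf 'authhash %s\npassword %s\n%s\n' "${entry%% *}" "${entry#* }" "$*"
}

# Demo on constructed files (the key value is made up).
demo=$(mktemp -d)
printf 'commandkey 1\nkeyfile %s/chrony.keys\n' "$demo" > "$demo/chrony.conf"
printf '1 SHA1 HEX:00112233445566778899AABBCCDDEEFF00112233\n' > "$demo/chrony.keys"
chmod 640 "$demo/chrony.keys"
chronyc_script "$demo/chrony.conf" reselect   # on a real host: pipe this into chronyc
chmod 644 "$demo/chrony.keys"
chronyc_script "$demo/chrony.conf" reselect || echo "refused: key file is world-readable"
rm -rf "$demo"
```

Piping the output into chronyc keeps the key off the command line, where other users could see it in the process list.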

Comment 4 Aleksandar Kostadinov 2013-02-01 19:26:58 UTC
I didn't think this is a feature request until you pointed that out. :) so be it.

Changed issue summary to reflect that.

Thanks.

Comment 5 Miroslav Lichvar 2013-05-16 12:54:16 UTC
In upstream git chronyc now supports automatic authentication with new -a option. Instead of having to specify the password, one can now run "chronyc -a reselect" directly.

Comment 6 Fedora Update System 2013-06-21 16:31:08 UTC
chrony-1.28-0.1.pre1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/chrony-1.28-0.1.pre1.fc19

Comment 7 Fedora Update System 2013-07-02 00:33:24 UTC
chrony-1.28-0.1.pre1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-07-18 15:12:39 UTC
chrony-1.28-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/chrony-1.28-1.fc18

Comment 9 Fedora Update System 2013-08-06 00:22:39 UTC
chrony-1.28-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
