sources: enable selection options with authentication

When authentication is enabled for an NTP source, unauthenticated NTP sources need to be disabled or limited in selection. That might be difficult to do when the configuration comes from different sources (e.g. networking scripts adding servers from DHCP). Define four modes for the source selection to consider authentication: require, prefer, mix, ignore. In different modes different selection options (require, trust, noselect) are added to authenticated and unauthenticated sources. The mode can be selected by the authselectmode directive. The mix mode is the default. The ignore mode enables the old behavior, where all sources are used exactly as specified in the configuration.
2025-12-07 03:25:06 -05:00 · 2020-05-06 13:02:45 +02:00
parent dfe877144a
commit bddb3b3228
7 changed files with 278 additions and 9 deletions
--- a/test/simulation/120-selectoptions
+++ b/test/simulation/120-selectoptions
@@ -65,4 +65,28 @@ check_packet_interval || test_fail
 check_source_selection && test_fail
 check_sync && test_fail

+cat > tmp/keys <<-EOF
+1 MD5 HEX:1B81CBF88D4A73F2E8CE59647F6E5C1719B6CAF5
+EOF
+
+server_conf="keyfile tmp/keys"
+client_server_conf="
+server 192.168.123.1 key 1
+server 192.168.123.2
+server 192.168.123.3"
+
+for authselectmode in require prefer mix ignore; do
+	client_conf="keyfile tmp/keys
+		     authselectmode $authselectmode"
+	run_test || test_fail
+	check_chronyd_exit || test_fail
+	check_source_selection || test_fail
+	check_packet_interval || test_fail
+	if [ $authselectmode = ignore ]; then
+		check_sync || test_fail
+	else
+		check_sync && test_fail
+	fi
+done
+
 test_pass