
How to build chrony with SHA hash authentication?

Stack Overflow user
Asked 2015-12-03 04:33:51
Answers: 2 | Views: 791 | Followers: 0 | Votes: 0

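I am trying to build chrony for an embedded Linux system. I am now able to compile, run and synchronize time. I can also enable authentication using MD5, and that works too.

I don't know how to enable SHA hashes. It is supposed to be enabled when building the package, but there is no corresponding option in configure. Has anyone done this before?

Thanks

If I set the hash type to SHA1 in the chrony.keys file, the output is as follows: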

root@gsdm:~# chronyd -d 
2000-01-08T00:54:56Z chronyd version 2.2 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SECHASH +ASYNCDNS +IPV6 -DEBUG)
2000-01-08T00:54:56Z Unknown hash function in key 12
2000-01-08T00:54:56Z Initial frequency 1.355 ppm

When I run ./configure -h, I get this:

`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]...

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=/home/user'.

For better control, use the options below.
  --disable-readline     Disable line editing support
  --without-readline     Don't use GNU readline even if it is available
  --without-editline     Don't use editline even if it is available
  --readline-dir=DIR     Specify parent of readline include and lib directories
  --readline-inc-dir=DIR Specify where readline include directory is
  --readline-lib-dir=DIR Specify where readline lib directory is
  --with-ncurses-library=DIR Specify where ncurses lib directory is
  --disable-sechash      Disable support for hashes other than MD5
  --without-nss          Don't use NSS even if it is available
  --without-tomcrypt     Don't use libtomcrypt even if it is available
  --disable-cmdmon       Disable command and monitoring support
  --disable-ntp          Disable NTP support
  --disable-refclock     Disable reference clock support
  --disable-phc          Disable PHC refclock driver
  --disable-pps          Disable PPS refclock driver
  --disable-ipv6         Disable IPv6 support
  --disable-rtc          Don't include RTC even on Linux
  --disable-privdrop     Disable support for dropping root privileges
  --without-libcap       Don't use libcap even if it is available
  --enable-scfilter      Enable support for system call filtering
  --without-seccomp      Don't use seccomp even if it is available
  --disable-asyncdns     Disable asynchronous name resolving
  --disable-forcednsretry Don't retry on permanent DNS error
  --with-ntp-era=SECONDS Specify earliest assumed NTP time in seconds
                         since 1970-01-01 [50*365 days ago]
  --with-user=USER       Specify default chronyd user [root]
  --with-hwclockfile=PATH Specify default path to hwclock(8) adjtime file
  --with-sendmail=PATH   Path to sendmail binary [/usr/lib/sendmail]
  --enable-debug         Enable debugging support

Fine tuning of the installation directories:
  --sysconfdir=DIR       chrony.conf location [/etc]
  --bindir=DIR           user executables [EPREFIX/bin]
  --sbindir=DIR          system admin executables [EPREFIX/sbin]
  --datarootdir=DIR      data root [PREFIX/share]
  --infodir=DIR          info documentation [DATAROOTDIR/info]
  --mandir=DIR           man documentation [DATAROOTDIR/man]
  --docdir=DIR           documentation root [DATAROOTDIR/doc/chrony]
  --localstatedir=DIR    modifiable single-machine data [/var]
  --chronysockdir=DIR    location for chrony sockets [LOCALSTATEDIR/run/chrony]
  --chronyvardir=DIR     location for chrony data [LOCALSTATEDIR/lib/chrony]

Overriding system detection when cross-compiling:
  --host-system=OS       Specify system name (uname -s)
  --host-release=REL     Specify system release (uname -r)
  --host-machine=CPU     Specify machine (uname -m)

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  CPPFLAGS    C preprocessor flags, e.g. -I<include dir> if you have
              headers in a nonstandard directory <include dir>
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

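2 Answers

Stack Overflow user

Posted 2016-06-15 04:03:19

Secure hashes require tomcrypt or NSS; if either of these two libraries is present on your system, support is enabled by default at configure time.

There are no configure options to enable them, but there are options to disable them: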

--disable-sechash      Disable support for hashes other than MD5
--without-nss          Don't use NSS even if it is available
--without-tomcrypt     Don't use libtomcrypt even if it is available

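The -SECHASH in the first line of the chrony output indicates that the secure hash option was disabled at configure time or (more likely) that you do not have the required libraries installed.

Votes: 0

Stack Overflow user

Posted 2019-06-08 10:28:15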

https://chrony.tuxfamily.org/doc/3.5/installation.html

If development files for the Nettle, NSS, or libtomcrypt library are available, chronyd will be built with support for other cryptographic hash functions than MD5, which can be used for NTP authentication with a symmetric key. 

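-SECHASH means that this build of chrony was not compiled with Nettle, NSS or libtomcrypt, so if you want to use SHA keys, you can install it from source.

On alpine3.8, I installed the nettle-dev library: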

apk add nettle-dev
./configure
... ...
Checking for nettle : Yes
Features : +CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -READLINE +SECHASH +IPV6 -DEBUG
Creating Makefile
Creating doc/Makefile
Creating test/unit/Makefile

make install

The Features line shows that SECHASH is enabled, so this build does support SHA1.

Votes: 0
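A check for the situation discussed in this thread, as an added example that is not part of the original posts or of the chrony project: it looks for +SECHASH in a chronyd startup line or in configure's Features line, and lists the key IDs in a keys file that name a hash other than MD5. The function names and the sample keys file are constructed, and the `ID [HASH] KEY` layout with MD5 as the default hash is an assumption.

```shell
#!/bin/sh
# Added example: not code from the thread or from the chrony project.

# has_sechash LINE: succeed if LINE (a chronyd startup line or configure's
# "Features" line) lists +SECHASH.
has_sechash() {
    case "$1" in
        *+SECHASH*) return 0 ;;
        *) return 1 ;;
    esac
}

# keys_needing_sechash FILE: print the IDs of keys that name a hash other
# than MD5. Assumed layout: "ID [HASH] KEY", MD5 when HASH is omitted.
keys_needing_sechash() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         NF >= 3 && $2 != "MD5" { print $1 }' "$1"
}

# check_build LINE FILE: return 1 if the build lacks SECHASH and FILE
# contains keys that depend on it.
check_build() {
    has_sechash "$1" && return 0
    bad=$(keys_needing_sechash "$2" | tr '\n' ' ')
    [ -z "$bad" ] && return 0
    echo "no SECHASH in this build; unusable key IDs: $bad"
    return 1
}

# The two feature lines quoted in the thread.
LOG_LINE='chronyd version 2.2 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SECHASH +ASYNCDNS +IPV6 -DEBUG)'
FEATURES_LINE='Features : +CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -READLINE +SECHASH +IPV6 -DEBUG'

# Constructed sample keys file (key values are placeholders).
KEYS=$(mktemp)
trap 'rm -f "$KEYS"' EXIT
cat > "$KEYS" <<'EOF'
# constructed sample
10 ASCII:placeholder-md5-default
11 MD5 ASCII:placeholder-md5
12 SHA1 HEX:0123456789ABCDEF0123456789ABCDEF01234567
EOF

check_build "$LOG_LINE" "$KEYS" || echo "rebuild with Nettle, NSS or libtomcrypt development files installed"
check_build "$FEATURES_LINE" "$KEYS" && echo "keys file is usable with this build"
```
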
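The original content of this page is provided by Stack Overflow. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link: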

https://stackoverflow.com/questions/34052467
