Choosing Between NTP Daemons
[application]*Chrony* should be considered for all systems which are frequently suspended or otherwise intermittently disconnected from and reconnected to a network, for example mobile and virtual systems.
The `NTP` daemon (`ntpd`) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast `IP`, or to perform authentication of packets with the `Autokey` protocol, should consider using `ntpd`. [application]*Chrony* only supports symmetric key authentication using a message authentication code (MAC) with MD5, SHA1 or stronger hash functions, whereas `ntpd` also supports the `Autokey` authentication protocol which can make use of the PKI system. `Autokey` is described in [citetitle]_RFC 5906_.
Understanding chrony and Its Configuration
Understanding chronyd
The [application]*chrony* daemon, `chronyd`, running in user space, makes adjustments to the system clock which is running in the kernel. It does this by consulting external time sources, using the `NTP` protocol, whenever network access allows it to do so. When external references are not available, `chronyd` will use the last calculated drift stored in the drift file. It can also be commanded manually to make corrections, by [application]*chronyc*.
Understanding chronyc
The [application]*chrony* daemon, `chronyd`, can be controlled by the command line utility [application]*chronyc*. This utility provides a command prompt which allows entering of a number of commands to make changes to `chronyd`. The default configuration is for `chronyd` to only accept commands from a local instance of [application]*chronyc*, but [application]*chronyc* can be used to alter the configuration so that `chronyd` will allow external control. [application]*chronyc* can be run remotely after first configuring `chronyd` to accept remote connections. The `IP` addresses allowed to connect to `chronyd` should be tightly controlled.
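An added example, not part of the original guide: a small Python audit that lists the access directives in a `chrony.conf` and marks the ones that admit more addresses than intended. It covers `allow` and also `cmdallow`, the chrony directive that governs remote [application]*chronyc* access; the prefix thresholds and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress

COMMENT_CHARS = "#%;!"              # comment prefixes accepted in chrony.conf
DIRECTIVES = {"allow", "cmdallow"}  # NTP client access / remote chronyc access
MIN_PREFIX = {4: 16, 6: 32}         # assumed policy: shorter prefixes count as broad

def audit_chrony_conf(text, min_prefix=MIN_PREFIX):
    """Return (line_no, directive, target, verdict) for each access directive."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue                          # blank line or comment
        words = line.split()
        directive = words[0].lower()
        if directive not in DIRECTIVES:
            continue
        args = words[1:]
        if args and args[0].lower() == "all":  # "allow all [subnet]" form
            args = args[1:]
        if not args:
            # No subnet given: every IPv4 and IPv6 address is admitted.
            findings.append((line_no, directive, "", "open-to-all"))
            continue
        target = args[0]
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            # Host name or abbreviated address: resolve and review by hand.
            findings.append((line_no, directive, target, "review-name"))
            continue
        broad = net.prefixlen < min_prefix[net.version]
        findings.append((line_no, directive, target, "broad" if broad else "ok"))
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
# NTP clients on the lab network
allow 192.0.2.0/24
allow 2001:db8::/32
allow server1.example.com
! legacy entry left enabled
allow
cmdallow 0.0.0.0/0
; cmdallow 198.51.100.7
"""

if __name__ == "__main__":
    for finding in audit_chrony_conf(SAMPLE_CONF):
        print(finding)
```

Entries reported as `review-name` are host names or address forms the script does not parse; check what they resolve to before trusting them.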
Understanding the chrony Configuration Commands
The default configuration file for `chronyd` is `/etc/chrony.conf`. The [option]`-f` option can be used to specify an alternate configuration file path. See the `chronyd` man page for further options. For a complete list of the directives that can be used see [citetitle]_link:++https://chrony.tuxfamily.org/manual.html#Configuration-file++[https://chrony.tuxfamily.org/manual.html#Configuration-file]_. Below is a selection of configuration options:
Comments
Comments should be preceded by #, %, ; or !
allow
Optionally specify a host, subnet, or network from which to allow `NTP` connections to a machine acting as `NTP` server. The default is not to allow connections. Examples:
allow server1.example.com
Use this form to specify a particular host, by its host name, to be allowed access.
allow 192.0.2.0/24
Use this form to specify a particular network to be allowed access.
allow 2001:db8::/32