NTPsec

From ArchWiki

NTP is an unencrypted, UDP-based protocol and has been abused for attacks in the past. There have been several attempts to provide replacements, but the nature of the protocol and the way it is used make this challenging. While NTP provides capabilities for encryption, they have proven unreliable. NTPsec makes a 'secure' replacement possible.

Installation

You can install NTPsec via the ntpsec AUR package.

It is necessary to import the GPG key the package requires into your keyring:

$ gpg --recv-keys 5A22E330161C3978
gpg: key 5A22E330161C3978: 6 signatures not checked due to missing keys
gpg: key 5A22E330161C3978: public key "NTPsec Contact <contact@ntpsec.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   8  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 8u
gpg: next trustdb check due at 2019-12-03
gpg: Total number processed: 1
gpg:               imported: 1

Starting the service

Start/enable ntpd.service as usual.

Note: Currently, the ntpsec AUR package only uninstalls ntp during its installation. If you were using another NTP implementation, make sure to stop/disable its service.

Enable NTS

NTS (Network Time Security) is a method that uses TLS to authenticate NTP traffic on the network.

Note: Neither the NTP Pool nor the Arch NTP Pool currently supports NTS.

Append the keyword nts to the end of each server line, but only for servers that actually speak NTS. If the server uses a port other than 4460 for NTS key exchange, you also need to append that port number to the host name.

For example:

/etc/ntp.d/use-pool
server time.cloudflare.com         nts iburst
server virginia.time.system76.com  nts iburst
server nts.netnod.se:4460          nts iburst
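
The following is an added example (not from the wiki page or the NTPsec project) that parses server lines in the syntax shown above and reports which upstreams are authenticated with NTS, and on which key-exchange port, versus which still run unauthenticated. It assumes only the form server <host>[:<port>] [nts] [other options] and the default NTS-KE port 4460 stated above; the sample config and the host names pool.example.org and ntp.example.net are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NTS_KE_DEFAULT_PORT = 4460  # used when no :<port> suffix is given

@dataclass
class ServerLine:
    host: str
    nts: bool
    ke_port: int         # NTS key-exchange port (only meaningful when nts is True)
    options: List[str]

def parse_server_line(line: str) -> Optional[ServerLine]:
    """Parse one config line; return None for blank, comment, or non-server lines."""
    stripped = line.split("#", 1)[0].strip()     # drop trailing comments
    if not stripped:
        return None
    fields = stripped.split()
    if fields[0] != "server" or len(fields) < 2:
        return None
    target, *options = fields[1:]
    # Optional ':<port>' suffix selects a non-default NTS-KE port (assumed syntax).
    m = re.fullmatch(r"([^:]+)(?::(\d{1,5}))?", target)
    if m is None:
        raise ValueError(f"unparseable server target: {target!r}")
    host, port = m.group(1), m.group(2)
    ke_port = int(port) if port else NTS_KE_DEFAULT_PORT
    if not 1 <= ke_port <= 65535:
        raise ValueError(f"NTS-KE port out of range in {target!r}")
    return ServerLine(host=host, nts="nts" in options, ke_port=ke_port, options=options)

def audit(config_text: str) -> Dict[str, list]:
    """Split configured upstreams into NTS-authenticated (host, ke_port) and plain hosts."""
    result: Dict[str, list] = {"nts": [], "plain": []}
    for line in config_text.splitlines():
        entry = parse_server_line(line)
        if entry is None:
            continue
        if entry.nts:
            result["nts"].append((entry.host, entry.ke_port))
        else:
            result["plain"].append(entry.host)   # unauthenticated: worth flagging
    return result

# Constructed sample: the three page examples plus one pool server without nts.
SAMPLE_CONFIG = """\
server time.cloudflare.com         nts iburst
server virginia.time.system76.com  nts iburst
server nts.netnod.se:4460          nts iburst
server pool.example.org            iburst   # pool does not speak NTS
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```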

Here is an unofficial list of NTP servers supporting NTS.

Warning: Do not pick random hosts from the Internet; instead, ask your local authorities, other public entities, or corporations with an existing NTP service to add NTS.

See also