NTS adds encryption and authentication to NTP. This means you can ensure that the time information you receive comes from a trusted source.
This page explains how to set up an NTS client and how to connect to Netnod’s NTS servers.
Network Time Protocol (NTP) services are vulnerable to a range of attacks. With many of today’s most important security processes dependent on accurate time, the consequences of receiving time from a malicious source are serious. By using Network Time Security (NTS), you can be sure your devices are receiving accurate time from a reliable source.
Netnod have been running public NTS servers since late 2019. This page explains how you can start using NTS by setting up an NTS client and connecting to Netnod’s NTS servers.
Since NTS was accepted as RFC8915 in October 2020, many Linux distributions allow you to run either Chrony or NTPsec, both of which support NTS in the following versions:
It is also possible to run either NTPsec or Chrony in a Docker container, which may even make it possible to run an NTS client on Windows that way. Neither Docker nor Windows is covered in this document.
Which software to use, NTPsec or Chrony, is mostly a matter of taste. Both support NTS on most modern Linux distributions. NTPsec is a fork of the NTP reference implementation and supports just about every possible mode of NTP, even some esoteric use cases that are no longer in common use. Chrony is an independent implementation of the NTP protocol and only supports the most commonly used modes, which makes it a bit easier to understand. On Fedora it is easier to get started with Chrony since it is the default software on that distribution.
If you run Debian or Ubuntu, follow instructions in section 2.
If you run Fedora, follow instructions in section 3.
If you are using Debian, make sure you are running Debian 11 (bullseye) or later.
If you are using Ubuntu, make sure you are running Ubuntu 21.10 (impish) or later.
All commands below should be run as the root user or with "sudo".
If you want to use NTPsec, continue with section 2.1
If you want to use Chrony, jump to section 2.2.
By default NTPsec is not installed. Install it using the package manager or by running the following command:
apt install ntpsec
Note that if Chrony was previously installed it will automatically be uninstalled. Installing this package will automatically start the service and also enable the service so that it starts when the computer is restarted.
Start by verifying that the NTP software is working properly and able to act as an NTP client.
Run the "ntpq" command to verify that NTPsec is running:
ntpq -p
The output should look like this:
remote refid st t when poll reach delay offset jitter
===============================================================================
+mmo2.ntp.netnod .PPS. 1 u 26 64 17 9.2106 -3.7291 1.7848
svl2.ntp.netnod .INIT. 16 u - 64 0 0.0000 0.0000 0.0001
ntp1.sptime.se .INIT. 16 u - 64 0 0.0000 0.0000 0.0001
sth2.ntp.netnod .INIT. 16 u - 64 0 0.0000 0.0000 0.0001
*sth3.ntp.netnod .PPS. 1 u 25 64 17 1.0714 -3.8592 2.4286
NOTE: In the "refid" field above, ".PPS." indicates that the NTP server has a pulse per second input as its time source; ".INIT." indicates that NTPsec was recently restarted, is still initialising and has not communicated with the NTP server yet.
Netnod currently provides the following NTS servers:
Göteborg:
Luleå:
Malmö:
Stockholm:
Sundsvall:
There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/ntpsec/ntp.conf
Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers. First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.
# pool pool.ntp.org iburst
# server time.google.com iburst
You can enable these sources later, but comment them out for the moment since it will make it easier to see if the NTS servers are working. Then add Netnod's NTS servers. Note that the configuration line should contain "nts" which says that it uses the NTS protocol.
server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst
Save the file and restart NTPsec service by running this command:
systemctl restart ntpsec
Continue with section 4.1
By default Chrony is not installed on Debian or Ubuntu. Install it using the package manager or by running the following command:
apt install chrony
Note that if NTPsec was previously installed it will automatically be uninstalled. Installing this package will automatically start the service and also enable the service so that it is started when the computer is restarted.
Start by verifying that the NTP software is working properly and able to act as an NTP client.
Run the "chronyc" command to verify that Chrony is running:
chronyc sources
The output should look like this:
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ gbg2.ntp.netnod.se 1 6 17 22 -131us[ -115us] +/- 6088us
^* svl1.ntp.netnod.se 1 6 17 22 -74us[ -58us] +/- 6643us
Netnod currently provides the following NTS servers:
Göteborg:
Luleå:
Malmö:
Stockholm:
Sundsvall:
There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/chrony/chrony.conf
Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers. First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.
# pool pool.ntp.org iburst
# sourcedir /run/chrony-dhcp
# sourcedir /etc/chrony/sources.d
You can enable these sources later, but comment them out for the moment since it will make it easier to see if the NTS servers are working. Then add Netnod's NTS servers. Note that the configuration line should contain "nts" which says that it uses the NTS protocol.
server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst
Save the file and restart the Chrony service by running this command:
systemctl restart chronyd
Continue with section 4.2
Make sure you are running Fedora 35 or later. All commands below should be run as the root user or with "sudo".
If you want to use NTPsec, jump to section 3.1.
If you want to use Chrony, go to section 3.2.
NTPsec is not installed by default on Fedora. Note that Fedora allows Chrony and NTPsec to be installed side by side, but running both at the same time will cause conflicts. To install NTPsec on Fedora, use the package manager to first uninstall Chrony and then install NTPsec, or run the following commands:
yum remove chrony
yum install ntpsec
The default SELinux rules on Fedora will stop NTS from working properly with NTPsec, so set the SELinux policy for the NTPsec domain (ntpd_t) to "permissive" by running the following command. SELinux will then log, rather than block, any action by NTPsec that the policy does not allow:
semanage permissive -a ntpd_t
Start and enable NTPsec:
systemctl start ntpd
systemctl enable ntpd
Run the "ntpq" command to verify that NTPsec is running:
ntpq -p
The output should look like this:
remote refid st t when poll reach delay offset jitter
===============================================================================
+mmo2.ntp.netnod .PPS. 1 u 26 64 17 9.2106 -3.7291 1.7848
svl2.ntp.netnod .INIT. 16 u - 64 0 0.0000 0.0000 0.0001
ntp1.sptime.se .INIT. 16 u - 64 0 0.0000 0.0000 0.0001
sth2.ntp.netnod .INIT. 16 u - 64 0 0.0000 0.0000 0.0001
*sth3.ntp.netnod .PPS. 1 u 25 64 17 1.0714 -3.8592 2.4286
NOTE: In the "refid" field above, ".PPS." indicates that the NTP server has a pulse per second input as its time source; ".INIT." indicates that NTPsec was recently restarted, is still initialising and has not communicated with the NTP server yet.
Netnod currently provides the following NTS servers:
Göteborg:
Luleå:
Malmö:
Stockholm:
Sundsvall:
There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/ntp.conf
Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers. First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.
# pool pool.ntp.org iburst
# server time.google.com iburst
You can enable these sources later, but comment them out for the moment since it will make it easier to see if the NTS servers are working. Then add Netnod's NTS servers. Note that the configuration line should contain "nts" which says that it uses the NTS protocol.
server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst
Save the file and restart the NTPsec service by running the command:
systemctl restart ntpd
Continue with section 4.1.
Chrony is installed and enabled by default on a Fedora system. If you have a newly installed Fedora distribution you do not have to do anything.
Note that Fedora allows Chrony and NTPsec to be installed side by side, but running both at the same time will cause conflicts. If you want to reinstall Chrony, use the package manager to first uninstall NTPsec and then install Chrony, or run the following commands:
yum remove ntpsec
yum install chrony
Then start and enable the Chrony service:
systemctl enable chronyd
systemctl start chronyd
Run the "chronyc" command to verify that Chrony is running:
chronyc sources
The output should look like this:
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ gbg2.ntp.netnod.se 1 6 17 22 -131us[ -115us] +/- 6088us
^* svl1.ntp.netnod.se 1 6 17 22 -74us[ -58us] +/- 6643us
Netnod currently provides the following NTS servers:
Göteborg:
Luleå:
Malmö:
Stockholm:
Sundsvall:
There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/chrony.conf
Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers. First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.
# pool pool.ntp.org iburst
# sourcedir /run/chrony-dhcp
# sourcedir /etc/chrony/sources.d
You can enable these sources later, but comment them out for the moment since it will make it easier to see if the NTS servers are working. Then add Netnod's NTS servers. Note that the configuration line should contain "nts" which says that it uses the NTS protocol.
server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst
Save the file and restart the Chrony service by running the following command:
systemctl restart chronyd
Continue with section 4.2.
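The same edit is made in sections 2.1, 2.2, 3.1 and 3.2 above. As an added example that is not part of Netnod's page, this shell function performs it on whichever configuration file is passed to it (the paths assumed in the comments are the ones given in those sections), so the result can be checked before the service is restarted:

```shell
#!/bin/sh
# Added example, not from the Netnod page: switch an NTP client configuration
# over to Netnod's NTS servers. Pass the file for your client, e.g.
#   nts_configure /etc/ntpsec/ntp.conf        (NTPsec on Debian/Ubuntu)
#   nts_configure /etc/chrony/chrony.conf     (Chrony on Debian/Ubuntu)
#   nts_configure /etc/chrony.conf            (Chrony on Fedora)
# Restart the service afterwards as described in the relevant section.

nts_configure() {
    conf="$1"
    # Keep a copy so the change can be undone.
    cp "$conf" "$conf.bak"
    # Comment out every active time source: a line starting with pool, server,
    # source or sourcedir. Lines that are already comments are left unchanged.
    sed -E 's/^[[:space:]]*(pool|server|source|sourcedir)([[:space:]]|$)/# \1\2/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Add Netnod's NTS servers; the "nts" keyword selects NTS for that server.
    printf '%s\n' \
        'server sth1.nts.netnod.se nts iburst' \
        'server sth2.nts.netnod.se nts iburst' >> "$conf"
}

# Count the time sources that are still active (not commented out).
active_sources() {
    grep -cE '^[[:space:]]*(pool|server|source|sourcedir)([[:space:]]|$)' "$1"
}

# Stand-alone demonstration on a constructed temporary file, never on /etc.
demo=$(mktemp)
printf '%s\n' 'pool pool.ntp.org iburst' 'sourcedir /run/chrony-dhcp' \
    'driftfile /var/lib/chrony/drift' > "$demo"
nts_configure "$demo"
cat "$demo"
rm -f "$demo" "$demo.bak"
```

After running it, `active_sources` on the file should report exactly 2, the two NTS lines.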
Check the output from "ntpq":
ntpq -p
remote refid st t when poll reach delay offset jitter
===============================================================================
sth1-ts.nts.net .PPS. 1 8 201 256 1 1.0279 1.1612 0.0000
sth2-ts.nts.net .PPS. 1 8 200 256 1 0.9522 1.1305 0.0000
“remote” is the name of the NTS server. Note that the name is “sth1-ts.nts.netnod.se”, not “sth1.nts.netnod.se” as specified in the configuration file. This is because the NTS protocol has two parts: first an encrypted TLS connection over TCP to an “NTS key establishment server”; once the client has received a set of keys from it, it uses the UDP-based NTP protocol with NTS extensions for the actual timestamping. Netnod runs the key establishment server and the timestamping server on different addresses.
The characters at the beginning of the server name say what NTPsec thinks about the server. An asterisk (*) means that NTPsec has decided to use this server as its primary reference. A plus sign (+) means that NTPsec uses this server in its algorithm to estimate the current time. “refid” is the reference ID for the server, that is, where the NTP server gets its time from. If you look up these IP addresses you will see that they are for Netnod’s NTP servers: sth1.ntp.se and sth2.ntp.se. “st” means “stratum”, which is how far away from a primary clock source, such as an atomic clock, the NTP server is. sth1.ntp.se and sth2.ntp.se are stratum 1 servers; Netnod’s NTS servers talk to them and are stratum 2 servers. The rest of the line shows statistics about NTPsec’s current time estimate relative to the server’s time estimate. For a more detailed description of the output, see the NTPsec manual page for the ntpq command.
If you are really quick at running ntpq after you started ntpd it will show “nts.netnod.se” as the remote and “.NTS.” as the refid. That means that NTPsec is in the process of connecting to the NTS key establishment server and has not yet been able to talk to the timestamping server.
If your computer has IPv6 connectivity, NTPsec might be talking to Netnod's NTS servers over IPv6. In that case, NTPsec will usually show the IP address in the "remote" field instead of a host name. That is quite normal.
Check the output from "chronyc":
chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* sth1-ts.nts.netnod.se 1 6 377 3 +18us[ +22us] +/- 538us
^? sth1.nts.netnod.se 0 8 0 - +0ns[ +0ns] +/- 0ns
^? sth2.nts.netnod.se 0 8 0 - +0ns[ +0ns] +/- 0ns
^+ sth2-ts.nts.netnod.se 1 6 377 3 -43us[ -43us] +/- 524us
This looks a bit funny. The reason for that is rather technical. NTS is split into two phases: the NTS-KE phase where KE stands for "Key Establishment". After that, the timestamping is performed using the normal NTP protocol with some extensions for NTS. Netnod's NTS servers run on physically different machines for the NTS-KE and NTS timestamping phases, and both of those machines will show up in the list of sources. The timestamping is performed on the sth1-ts/sth2-ts machines and those show up as reachable. The KE machines are not used after the initial key establishment and show as not being reachable. That is as it should be even though it might look a bit confusing.
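As an added example that is not part of Netnod's page, this shell function reads a "chronyc sources" listing and checks for the picture described above: at least one sth*-ts.nts.netnod.se timestamping server selected, every timestamping server selected or combined with full reachability (377), and the NTS-KE entries idle. The sample listing is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the Netnod page: check a "chronyc sources" listing
# for a healthy NTS setup as described in section 4.2. Healthy means: at least
# one sth*-ts.nts.netnod.se timestamping server is selected (*), every
# timestamping server is selected or combined (+) with reach 377, and the
# plain sthN.nts.netnod.se NTS-KE entries sit idle at "?" with reach 0.
# Usage: chronyc sources | nts_check       exit status 0 = healthy

nts_check() {
    awk '
        # Source lines start with the mode/state pair, e.g. "^*" or "^?".
        # Columns: 1=MS 2=name 3=stratum 4=poll 5=reach 6=lastrx ...
        /^\^/ {
            state = substr($1, 2, 1); name = $2; reach = $5
            if (name ~ /-ts\.nts\.netnod\.se$/) {
                if ((state == "*" || state == "+") && reach == "377") ts_ok++
                else ts_bad++
                if (state == "*") selected = name
            } else if (name ~ /\.nts\.netnod\.se$/) {
                # Key establishment address: unused after the NTS-KE phase,
                # so "?" and reach 0 is the expected state, not a fault.
                if (state == "?" && reach == "0") ke_idle++
                else ke_odd++
            }
        }
        END {
            printf "selected=%s ts_ok=%d ts_bad=%d ke_idle=%d ke_odd=%d\n",
                   (selected == "" ? "none" : selected), ts_ok, ts_bad, ke_idle, ke_odd
            exit (selected != "" && ts_bad == 0) ? 0 : 1
        }'
}

# Constructed sample in the shape of the listing shown in section 4.2.
SAMPLE='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* sth1-ts.nts.netnod.se         1   6   377     3    +18us[  +22us] +/-  538us
^? sth1.nts.netnod.se            0   8     0     -     +0ns[   +0ns] +/-    0ns
^? sth2.nts.netnod.se            0   8     0     -     +0ns[   +0ns] +/-    0ns
^+ sth2-ts.nts.netnod.se         1   6   377     3    -43us[  -43us] +/-  524us'

printf '%s\n' "$SAMPLE" | nts_check
```

A non-zero exit status, or a non-zero ts_bad count in the summary line, means the timestamping servers are not being used and the key establishment step should be investigated.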
To ensure you are receiving the most accurate and secure time, we recommend you connect to Netnod’s NTS servers as described above. If you would prefer to connect to an NTP server, you can find the list of Netnod’s NTP servers here and some best practices for connecting to NTP servers here.