Network Time Security

Network Time Security (NTS) is an important security upgrade to the Network Time Protocol (NTP) that most computers use to set their clocks. It eliminates the possibility of security and denial-of-service issues caused by someone remotely tampering with the time on your system.

System76 is proud to offer five NTS-enabled NTP servers that are free to use anywhere in the world.

  • virginia.time.system76.com
  • ohio.time.system76.com
  • oregon.time.system76.com
  • paris.time.system76.com
  • brazil.time.system76.com

Contact: time@system76.com

Pop!_OS Configuration

NTS is enabled by default starting with Pop!_OS 22.04.

To confirm that you're connected to the System76 servers and using NTS, you can use the following two commands.

chronyc sources -v
sudo chronyc authdata -v

Fully Securing the Time

Since Pop!_OS is used on a variety of systems, the default configuration disables the time checks of the NTS servers' certificates on the first attempt. This is because the clock may not be accurate after booting on a system without an RTC (real-time clock) - or on a system where the clock has been manually altered. In these cases the certificate validation can fail, leaving no way to get the correct time!

However, some users may want to harden their system so that the certificate activation and expiration times are always validated. This can be done with the following commands.

echo "nocerttimecheck 0" | sudo tee /etc/chrony/conf.d/20-always-check-certs.conf
sudo systemctl restart chrony
 

In this case, if the clock is ever off by a large amount, it will need to be manually restored to a close approximation of the true time before it can sync up again.

The default configuration also allows for a fallback to insecure time in the event our servers cannot be reached. This is necessary because some ISPs and firewalls wrongly block the larger NTS enhanced NTP packets or the NTS Key Exchange itself. If you can verify that you have connectivity to our servers you can disable this fallback.

echo "authselectmode prefer" | sudo tee /etc/chrony/conf.d/30-disable-insecure-fallback.conf
sudo systemctl restart chrony
 

If you are able to identify an ISP or firewall that blocks NTS from working, please let our team know at time@system76.com.