Secure config still picks up DHCP-advertised server

Bug #2115565 reported by Rich McAllister
Affects: chrony (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Lukas Märdian
Milestone: (none)

Bug Description

I installed questing snapshot-2, with the Network Time Security change. Checking "chronyc -n sources" afterwards shows the Canonical authenticated NTP servers as expected, but also includes a server on my local network. Some checking around showed that this is caused by (a) the DHCP server on the local net advertises this NTP server (DHCP option 42); (b) NetworkManager's DHCP client picks this up and invokes /usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp (a part of chrony); (c) 20-chrony-dhcp sticks the advertised server into the chrony config and reloads sources.

It seems that this defeats the goal of using only trusted servers by default.

A simple fix would be to comment out the "sourcedir /run/chrony-dhcp" in /etc/chrony/chrony.conf.

ProblemType: Bug
DistroRelease: Ubuntu 25.10
Package: chrony 4.6.1-1ubuntu2
ProcVersionSignature: Ubuntu 6.15.0-3.3-generic 6.15.0
Uname: Linux 6.15.0-3-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.33.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: pass
Date: Sat Jun 28 09:52:53 2025
InstallationDate: Installed on 2025-06-28 (1 days ago)
InstallationMedia: Ubuntu 25.10 "Questing Quokka" - Daily amd64 (20250623)
SourcePackage: chrony
UpgradeStatus: No upgrade log present (probably fresh install)
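Added example (not part of the bug report or of the chrony package): a small POSIX shell audit that checks whether a chrony.conf still trusts the DHCP-populated sourcedir, lists which servers that directory currently feeds chronyd, and applies the hardening the reporter suggests by commenting the directive out. The config excerpt, the eth0.sources file and the 192.0.2.x addresses built by setup_sample are constructed; on a real system the functions are pointed at /etc/chrony/chrony.conf and /run/chrony-dhcp.

```shell
#!/bin/sh
# Audit helpers for the "sourcedir /run/chrony-dhcp" behaviour (added example,
# not chrony's or Ubuntu's own code). Sample data below is constructed.

# 0 if CONF has an uncommented "sourcedir DIR" directive, 1 otherwise.
# DIR is interpolated into a regex, so it must not contain regex metacharacters.
dhcp_sourcedir_active() {
    conf="$1"; dir="$2"
    grep -Eq "^[[:space:]]*sourcedir[[:space:]]+$dir([[:space:]].*)?\$" "$conf"
}

# Print the address of every server/pool/peer directive found in DIR/*.sources,
# i.e. what chronyd would load from the DHCP-populated directory.
list_dhcp_sources() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.sources; do
        [ -f "$f" ] || continue
        awk '$1 == "server" || $1 == "pool" || $1 == "peer" { print $2 }' "$f"
    done
}

# Comment out the "sourcedir DIR" line in CONF (the fix proposed in the report);
# written via a temp file and mv so a failed sed never truncates the config.
harden_conf() {
    conf="$1"; dir="$2"
    sed -E "s,^([[:space:]]*)(sourcedir[[:space:]]+$dir)([[:space:]].*)?\$,\1# \2\3," \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Build a throwaway copy of the stock layout and print its directory (constructed).
setup_sample() {
    d=$(mktemp -d)
    mkdir "$d/chrony-dhcp"
    cat > "$d/chrony.conf" <<'EOF'
# constructed excerpt of Ubuntu's stock chrony.conf
sourcedir /run/chrony-dhcp
sourcedir /etc/chrony/sources.d
confdir /etc/chrony/conf.d
EOF
    # what the dispatcher script drops in after a lease carrying option 42 (constructed)
    printf 'server 192.0.2.10 iburst\nserver 192.0.2.11 iburst\n' > "$d/chrony-dhcp/eth0.sources"
    echo "$d"
}
```

After harden_conf, chronyd has to be restarted for the change to take effect; "chronyc -n sources" then no longer lists the DHCP-advertised server.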


Rich McAllister (rfm) wrote :
Rich McAllister (rfm) wrote :

Here's an example of chronyc sources, before and after the suggested fix

Athos Ribeiro (athos)
Changed in chrony (Ubuntu):
status: New → Triaged
tags: added: server-todo
tags: added: server-triage-discuss
removed: server-todo
Christian Ehrhardt (paelzer) wrote :

Thanks for the report, nice thinking.

But then OTOH we would break lots of use cases where a network admin needs to change things by default and they are meant to continue to work.

I think the user needs to be able to opt-out of that to be even more secure, just as you can change the initial fallback connection. But that could not be the default to not break many cases out there.

Lukas, can you have a look at documenting how to "harden" the default we ship to be even more secure, e.g. against this change through DHCP?

tags: removed: server-triage-discuss
Changed in chrony (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon)
tags: added: server-todo
Lukas Märdian (slyon) wrote :

I started drafting some documentation around this here: https://github.com/canonical/ubuntu-server-documentation/pull/312

Changed in chrony (Ubuntu):
importance: Undecided → Low
Rich McAllister (rfm) wrote :

I notice that the generated DHCP source line is not marked "prefer" as the ubuntu-ntp-pools sources are. If I understand the chrony docs correctly, that means the DHCP source would only be selected if the ubuntu sources were not accessible. So even though I found the inclusion of the DHCP source in the list surprising, it now does look quite harmless, and as Christian says, avoids breaking configurations that currently work. I agree mentioning it in the documentation is appropriate, although for people that don't read the docs (like me) maybe adding to the comment in /etc/chrony/chrony.conf would be worthwhile.

Jonas Jelten (jj) wrote :

We've merged https://github.com/canonical/ubuntu-server-documentation/pull/312 with information about how to block DHCP-obtained NTP servers with chrony. I think we can thus close the case :)

Changed in chrony (Ubuntu):
status: Triaged → Fix Released
Christian Ehrhardt (paelzer) wrote :

Thanks for the quick action Jonas and Lukas!

Lukas Märdian (slyon) wrote :

I still think adding a small comment to chrony.conf, as suggested in comment #6, might be a good thing.

Lukas Märdian (slyon) wrote :

Docs can be found here: https://documentation.ubuntu.com/server/how-to/networking/chrony-client/#time-sources-provided-by-dhcp-option-42

And I'm re-opening the bug to add a comment into chrony.conf eventually, too.

Changed in chrony (Ubuntu):
status: Fix Released → Triaged
Lukas Märdian (slyon)
Changed in chrony (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chrony - 4.7-1ubuntu1

---------------
chrony (4.7-1ubuntu1) questing; urgency=medium

  * Merge with Debian experimental. Remaining changes: (LP: #2110435)
    - Set -x as default if unable to set time (e.g. in containers) (LP #1589780)
      Chrony is a single service which acts as both NTP client (i.e. syncing the
      local clock) and NTP server (i.e. providing NTP services to the network),
      and that is both desired and expected in the vast majority of cases.
      But in containers syncing the local clock is usually impossible, but this
      shall not break the providing of NTP services to the network.
      To some extent this makes chrony's default config more similar to 'ntpd',
      which complained in syslog but still provided NTP server service in those
      cases.
      + debian/chrony.service: allow the service to run without CAP_SYS_TIME
      + d/control: add new dependency libcap2-bin for capsh (usually
        installed anyway, but make them explicit to be sure).
      + d/chrony.default: new option SYNC_IN_CONTAINER to not fall
        back (Default off)
      + d/chronyd-starter.sh: wrapper to handle special cases in
        containers and if CAP_SYS_TIME is missing. Effectively allows
        running the NTP server in containers on a default installation
        and avoid failing to sync time (or if allowed to sync, avoid
        multiple containers fighting over it by accident).
      + d/install: Make chrony-starter.sh available on install.
      + d/docs, d/README.container: Provide documentation about the
        handling of this case.
    - d/rules, d/chrony.examples: Ship restricted service as an example
      not installed to the system for use. (See LP #2051028)
    - d/chrony.conf: remove Debian NTP pool
    - Install Ubuntu NTP sources in
      /etc/chrony/sources.d/ubuntu-ntp-pools.sources, gated on a low priority
      (default yes) debconf question (LP #2048876):
      + d/templates: Add debconf question to customize installation of
        /etc/chrony/sources.d/ubuntu-ntp-pools.sources
      + d/install, d/ubuntu-ntp-pools.sources: Install ubuntu-ntp-pools.sources
        in /usr/share/chrony
      + d/control: add dependency on debconf
      + d/postinst: handle Ubuntu pools via debconf and ucf
      + d/postrm: handle Ubuntu pools via debconf and ucf
      + d/NEWS: Add information about default time sources moving out from
        chrony.conf to /etc/chrony/sources.d/ubuntu-ntp-pools.sources.
      + d/chrony.config: debconf script to handle Ubuntu pools
      + d/t/control, d/t/default-ubuntu-sources-behavior: new test to check the
        debconf behavior
    - Use Ubuntu NTS servers by default (LP #2084585):
      + d/conf.d/ubuntu-nts.conf: refer to the CA used to sign the NTS bootstrap
        server
      + d/nts-bootstrap-{,staging}-ubuntu.crt: CA certificate for the NTS
        bootstrap servers
      + d/install: install the NTS bootstrap CAs
      + d/ubuntu-ntp-pools.sources: use NTS by default
      + d/t/default-ubuntu-sources-behavior: update tests for NTS support
      + d/NEWS: add news entry about the NTS change
  * Drop Changes:
    - d/t/helper-...


Changed in chrony (Ubuntu):
status: Fix Committed → Fix Released