Ubuntu is changing the way time management is handled in its next release, to bolster the distro’s out-of-the-box security.

Chrony replaces systemd-timesync in Ubuntu 25.10 Questing Quokka, and has Network Time Security (NTS) support enabled by default.

NTS is considered more secure than relying solely on Network Time Protocol (NTP), as systemd-timesync does.

NTP doesn’t authenticate its time source, which can lead to a system being given the wrong time by a malicious server — and accurate time is a critical part in cryptography related tasks, like web site certificates.

NTS address that vulnerability, establishing a secure handshake with the time server (a bit like HTTPS on websites, this verifies it’s connecting to a legitimate server before accepting any data). It does this over TCP rather than UDP too as it requires reliability.

NTS uses the port 4460/TCP for its NTS KeyExchange, in addition to the normal port 123/UDP for NTP, to allow for authenticated time synchronization. Time is a critical factor in cryptography and needs to be trusted, e.g. when checking certificate validity or when enabling DNSSEC.

Lukas Märdian, Canonical

If everything is as it should be, time synchronisation happens. If not, your system can’t be fooled by rogue time servers.

Ubuntu 25.10 Uses Chrony + NTS

Ubuntu 25.10 uses Chrony + NTS out-of-the-box, but only for new installations.

Those upgrading from Ubuntu 25.04 will, per the plans outlined on Launchpad, stay using systemd-timesyncd. Users will be able to transition to the securer setup by running a command or two, but the plan is to “play this safe” this cycle.

If you use Ubuntu 25.04 and would like to make the switch yourself, you can. Chrony with NTS support is available in main in the Plucky repos. Use the commands from this Ubuntu mailing list post to switch – or revert, if needed.

For most Ubuntu users, the impact in this switch won’t be visible and won’t affect day-to-day usage in beyond the reassurance of knowing overall system security is now strengthened against potential nefarious networked time exploits.