Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 6th, 2015
Linux Advisory Watch: February 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Time Synchronization

4. Time Synchronization

4.1. The Importance of Time Synchronization

Since the security of Kerberos authentication is in part based upon the time stamps of tickets, it is critical to have accurately set clocks on Kerberos servers. As we mentioned in the introduction to Kerberos, a short lifetime for tickets is used to prevent attackers from performing successful brute force attacks or replay attacks.

If you allow your clocks of your servers to drift, you will make your network vulnerable to such attacks. Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized with in a reasonable window Kerberos will report fatal errors and refuse to function. Clients attempting to authenticate from a machine with an inaccurate clock will be failed by the KDC in authentication attempts due to the time difference with the KDC's clock.

4.2. Introduction to NTP

The Network Time Protocol (NTP) is available for the time synchronization of servers. A number of public NTP servers are available for synchronization. NTP is capable of synchronizing client clocks within milliseconds on LANs, and tens of milliseconds over WANs. NTP servers are divided by stratum. Primary NTP servers are classified as stratum 1. These public primary servers should not be used for synchronization of client machines due to the relatively small number of them. Public stratum 2 servers are available for client machine synchronization and synchronize their own clocks with the public stratum 1 servers. For our Kerberos servers, we'll set up NTP to query against three stratum two servers. A maintained list of public stratum two servers can be found here.

4.3. NTP Installation and Configuration

In order to turn NTP on GNU/Linux, you must install the NTP package and edit the configuration filename. By default, the NTP configuration filename is /etc/ntp.conf. The default values in the configuration are acceptable. All that needs to be done is to add the servers we wish to use to synchronize our clocks. Authentication is not necessary, but authentication can be enabled from additional security. If you're using NTP servers on your LAN, you may wish to use authentication. Here is a sample ntp.conf filename from the Gnu University Dublin.

Finally we put a cron job in place to do the actual synchronization:

30 * * * * /usr/sbin/ntpdate -s

If our systems are behind a firewall we may need to provide use -su rather than just -s. The -u argument will direct ntpdate to use an unprivileged port for its outgoing connection to the stratum 2 time servers.



Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
CSI: Cyber: We Watched So You Didnít Have To
PATCH FREAK NOW: Cloud providers faulted for slow response
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.