From: "Thomas T. Veldhouse"
To: "Hank Wethington", "Dominic Marks"
Subject: Re: setting time without changing securelevel
Date: Thu, 24 May 2001 15:07:44 -0500

A cron job using ntpdate actually changes your time. Which may not be good
for data going into a database, especially data keyed off of the time. ntpd
will adjust the speed of your system clock so that it slows down or speeds
up to match the "network" clock. This is friendly to database activity.

I don't see why I would need a hardware extension to keep time accurate.
Accurate time is not that much of an issue (a minute or two is OK with me),
but I do want all my machines synced. Also, I don't expose the time daemon
to the outside world, so the exploit is only local, and my users are
trusted.

FreeBSD doesn't actually use xntpd; it migrated over (back?) to ntp some
time back. I think the xntpd knob should probably be changed.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Hank Wethington"
To: "Thomas T. Veldhouse"; "Dominic Marks"
Sent: Thursday, May 24, 2001 2:39 PM
Subject: RE: setting time without changing securelevel

> An issue you might have to look into would be the fact that there is an
> exploit for ntpd that does extend to xntpd. If you're just getting time
> periodically and not having to be a server for the rest of the network, then
> a cron job for using ntpdate would probably be a better way to go. If you do
> need it for network time serving, you might be better off getting a GPS
> setup to give ntp the time over a serial connection.
>
> Hank Wethington
> Information Logistics
>
> ================================================
> www.GoInfoLogistics.com
> mailto:info@GoInfoLogistics.com
> ================================================
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Thomas T.
> Veldhouse
> Sent: Thursday, May 24, 2001 12:32 PM
> To: Dominic Marks
> Cc: freebsd-security@freebsd.org
> Subject: Re: setting time without changing securelevel
>
>
> I found a similar article myself (I don't remember the URL though). I have
> had it running for quite some time (well -- a week or so). I didn't see
> that it recommends you use more than one server to synchronize with. I am
> currently using 4 public servers.
>
> That looks like a pretty decent article. It, like the rest, fails to inform
> you how to run your new server as a time server for the rest of your
> network. I can ntptrace to it on the local machine, but it won't respond to
> other clients on my LAN.
>
> Tom Veldhouse
> veldy@veldy.net
>
>
> ----- Original Message -----
> From: "Dominic Marks"
> To: "Thomas T. Veldhouse"
> Sent: Thursday, May 24, 2001 2:25 PM
> Subject: Re: setting time without changing securelevel
>
> Hello,
>
> On Thu, May 24, 2001 at 09:43:48AM -0500, Thomas T. Veldhouse wrote:
> > knob). It is not hard to set up, but the documentation [that is readable] is
> > scarce.
> >
> > Tom Veldhouse
> > veldy@veldy.net
>
> I suggest: http://freebsddiary.org/xntpd.html
>
> One problem I had was having to create an /etc/localtime as there
> wasn't one on the machine to begin with. Symlinking it to my city
> in /usr/share/zoneinfo/etc/etc works great in combination with the
> processes described in the above article.
>
> --
> Dominic Marks
>
> Don't talk to me about Naval tradition.
> It's nothing but rum, sodomy and the lash."
> -- Winston Churchill
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
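
The difference described at the top of this thread, between ntpdate setting the clock and ntpd adjusting its speed, shown as an added simulation that is not part of the thread. The 500 ppm slew limit, the 2-second clock error and the half-second write interval are assumptions chosen for illustration.

```python
# Constructed simulation: a writer stamps one record per tick with the local
# clock while that clock is corrected either by a step or by a slew.
SLEW_PPM = 500  # assumption: slew limit, parts per million (500 us per second)


def record_timestamps(error_us, mode, ticks=20, tick_us=500_000, correct_at=10):
    """Return local-clock readings (microseconds), one per tick.

    error_us: how far the local clock is ahead of true time (negative = behind).
    mode: "step" removes the whole error at tick `correct_at`;
          "slew" removes at most SLEW_PPM of each tick from then on.
    """
    stamps = []
    for i in range(ticks):
        if i >= correct_at and error_us:
            if mode == "step":
                error_us = 0
            else:
                limit = tick_us * SLEW_PPM // 1_000_000
                error_us -= max(-limit, min(limit, error_us))
        stamps.append(i * tick_us + error_us)
    return stamps


def backward_jumps(stamps):
    """Count readings that are not later than the reading before them."""
    return sum(1 for a, b in zip(stamps, stamps[1:]) if b <= a)


def duplicate_keys(stamps):
    """Count readings that collide with an earlier reading (time-keyed rows)."""
    return len(stamps) - len(set(stamps))


def slew_seconds(error_us):
    """True seconds needed to remove error_us at SLEW_PPM (us / ppm = s)."""
    return abs(error_us) / SLEW_PPM


if __name__ == "__main__":
    for mode in ("step", "slew"):
        s = record_timestamps(2_000_000, mode)
        print(mode, "backward:", backward_jumps(s), "duplicates:", duplicate_keys(s))
    print("slew time for a 2 s error:", slew_seconds(2_000_000), "s")
```

Stepping a fast clock back makes later records reuse timestamps that were already written, while slewing keeps every reading strictly increasing at the cost of taking much longer to converge.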