From: Da Rock
To: freebsd-questions@freebsd.org
Date: Thu, 18 Sep 2008 10:46:48 +1000
Message-Id: <1221698808.29382.23.camel@laptop1>
Subject: NTP authentication using kerberos

This may be a stupid question, and/or a chicken and egg conundrum: Is it possible to use kerberos in authentication with an ntp server?

Here is my reasoning for this (and please correct any wrong assumptions I have here): In the handbook regarding kerberos (and nearly every other reliable source) kerberos is all or nothing - every service needs to be included or it is not as secure as it should be. On the other hand, there are problems with using kerberos if the time is not synchronised, so use ntp. And so far I have only found simple key authentication similar to dhcp and dns to authenticate ntp with. But if kerberos provides keys then this could be simpler, yes?

Once I have worked through this, I'd like to multicast ntp, but I think I've got that sewn up already, unless anybody has some advice on this? I'll probably be using the 239 subnet rather than 224 if that is not an issue.

One more thing - if ntp uses the same sort of authentication as dhcp and dns, is there a way to extend this kerberos setup (if it is possible with ntp) to dhcp and dns on my local network? Or am I just getting too ambitious with everything here? :)

Cheers