Date: Thu, 18 Sep 2008 08:28:51 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Da Rock <rock_on_the_web@comcen.com.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: NTP authentication using kerberos
Message-ID: <48D20333.6090100@infracaninophile.co.uk>
In-Reply-To: <1221698808.29382.23.camel@laptop1>
References: <1221698808.29382.23.camel@laptop1>
Da Rock wrote:
> This may be a stupid question, and/or a chicken and egg conundrum:
>
> Is it possible to use kerberos in authentication with an ntp server?
>
> Here is my reasoning for this (and please correct any wrong assumptions
> I have here): In the handbook regarding kerberos (and nearly every other
> reliable source) kerberos is all or nothing- every service needs to be
> included or it is not as secure as it should be. On the other hand,
> there are problems with using kerberos if the time is not synchronised,
> so use ntp.
>
> And so far I have only found simple key authentication similar to dhcp
> and dns to authenticate ntp with. But if kerberos provides keys then
> this could be simpler, yes?
>
> Once I have worked through this, I'd like to multicast ntp, but I think
> I've got that sewn up already, unless anybody has some advice on this?
> I'll probably be using the 239 subnet rather than 224 if that is not an
> issue.
>
> One more thing- if ntp uses the same sort of authentication as dhcp and
> dns, is there a way to extend this kerberos setup (if it is possible
> with ntp) to dhcp and dns on my local network? Or am I just getting too
> ambitious with everything here? :)
NTP doesn't support Kerberos style authentication. It has its own
cryptographically secured authentication mechanisms. See ntp-keygen(8)

However, doing the full-blown crypto security thing is generally over the
top for securing simple clients. It's good for NTP servers, especially
if you have your own hierarchy of Stratum 1 and perhaps Stratum 2 servers
and accurate timing really is critical for you. Remember you need at least
three independent time sources -- preferably four to give you some
resilience -- in order to be able to detect if the clock has gone wonky on
any one of your servers.

For supplying a time signal by multicast or broadcast, you have to enable
key based authentication on all the servers and clients. The basic method
just uses what is effectively an 8 character random string as a password.
This is usually sufficient if all your client machines are on protected back
end networks and taking a time signal from NTP servers entirely in
your control. You need to protect the ntp-keys file from exposure -- I
like to create a root-only directory to hold it:

    mkdir /etc/ntp
    mv ntp.keys /etc/ntp/
    chown -R root:wheel /etc/ntp
    chmod -R go-rwx /etc/ntp

For dhcp and DNS security -- there are all sorts of mechanisms for
authenticating and securing transactions between such servers. In the
case of DNS, I suggest you read up on 'Tsig' (Transaction Signatures)
and DNSSEC -- this is a good resource:
http://www.dnssec.net/why-deploy-dnssec

Cheers,

Matthew
-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
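The key-file protection steps in the reply above, scripted and paired with a check an operator can rerun later to confirm the file has not been exposed. This is an added example, not code from the original mail or from the NTP project. Assumptions: NTP_DIR names the directory (defaults to /etc/ntp; point it at a scratch path to try the functions unprivileged), the key lines written by write_sample_keys are constructed placeholders rather than ntp-keygen output, and the 239.0.0.1 multicast group in the ntp.conf fragment is a placeholder standing in for whatever 239.x.x.x address the poster settles on.

```shell
#!/bin/sh
# Added example (not from the original mail). Scripts the reply's four
# commands, then audits the result. NTP_DIR, the placeholder keys and the
# multicast address are assumptions made for illustration.

NTP_DIR="${NTP_DIR:-/etc/ntp}"

# Write a constructed ntp.keys file. Each line is "keyno type key", the
# layout ntpd reads; the key strings are placeholders, not real secrets.
# umask 077 inside a subshell means the file never exists, even briefly,
# with group/other bits set.
write_sample_keys() {
    ( umask 077
      cat > "$1" <<'EOF'
# keyno type key   (constructed placeholders; replace with ntp-keygen output)
1 MD5 PLACEHOLDERKEY1
2 MD5 PLACEHOLDERKEY2
EOF
    )
}

# The reply's hardening: root ownership and go-rwx on the directory and
# everything in it. Numeric gid 0 is "wheel" on FreeBSD and "root" on
# Linux, which keeps chown portable; chown needs root, so it is skipped
# when the functions are tried unprivileged in a scratch directory.
lock_down_dir() {
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:0 "$1"
    fi
    chmod -R go-rwx "$1"
}

# Succeed only if group and other have no r/w/x bits. The mode is read
# from ls(1) (columns 5-10 of the listing) because stat(1) flags differ
# between FreeBSD and Linux.
check_private_mode() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Succeed only if the path is owned by uid 0 (ls -n prints numeric ids).
check_root_owner() {
    owner=$(ls -ldn "$1" | awk '{ print $3 }')
    [ "$owner" = "0" ]
}

# Full audit of a key file: present, root-owned, private. Prints the
# reason on failure so it can run from cron or a config-check script.
audit_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    check_root_owner "$f" || { echo "not owned by root: $f"; return 1; }
    check_private_mode "$f" || { echo "readable by others: $(ls -ld "$f")"; return 1; }
    echo "ok: $f"
}

# ntp.conf fragment enabling symmetric-key authentication with the
# protected file. 239.0.0.1 is a constructed placeholder group.
print_conf_fragment() {
    cat <<EOF
# server side: load keys, declare the trusted key ids, sign the multicast stream
keys $1/ntp.keys
trustedkey 1 2
broadcast 239.0.0.1 key 1

# client side: same keys file, accept the signed multicast stream
# keys $1/ntp.keys
# trustedkey 1
# multicastclient 239.0.0.1
EOF
}

# End-to-end: the reply's four commands followed by the audit.
setup_ntp_keys_dir() {
    mkdir -p "$1"
    write_sample_keys "$1/ntp.keys"
    lock_down_dir "$1"
    audit_keyfile "$1/ntp.keys"
}

# Only touch the filesystem when asked explicitly, e.g.
#   NTP_DIR=/tmp/ntp-try sh protect-ntp-keys.sh --apply
if [ "${1:-}" = "--apply" ]; then
    setup_ntp_keys_dir "$NTP_DIR"
    print_conf_fragment "$NTP_DIR"
fi
```

The audit deliberately reports the directory listing on failure rather than silently fixing it: a key file that has become world-readable should be treated as exposed and regenerated, not just re-chmodded, because any local user could already have copied it.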
