From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Da Rock
Cc: freebsd-questions@freebsd.org
Date: Thu, 18 Sep 2008 08:28:51 +0100
Subject: Re: NTP authentication using kerberos
Message-ID: <48D20333.6090100@infracaninophile.co.uk>
In-Reply-To: <1221698808.29382.23.camel@laptop1>

Da Rock wrote:
> This may be a stupid question, and/or a chicken and egg conundrum:
>
> Is it possible to use kerberos in authentication with an ntp server?
>
> Here is my reasoning for this (and please correct any wrong assumptions
> I have here): In the handbook regarding kerberos (and nearly every other
> reliable source) kerberos is all or nothing- every service needs to be
> included or it is not as secure as it should be. On the other hand,
> there are problems with using kerberos if the time is not synchronised,
> so use ntp.
>
> And so far I have only found simple key authentication similar to dhcp
> and dns to authenticate ntp with. But if kerberos provides keys then
> this could be simpler, yes?
>
> Once I have worked through this, I'd like to multicast ntp, but I think
> I've got that sewn up already, unless anybody has some advice on this?
> I'll probably be using the 239 subnet rather than 224 if that is not an
> issue.
>
> One more thing- if ntp uses the same sort of authentication as dhcp and
> dns, is there a way to extend this kerberos setup (if it is possible
> with ntp) to dhcp and dns on my local network? Or am I just getting too
> ambitious with everything here? :)

NTP doesn't support Kerberos style authentication. It has its own
cryptographically secured authentication mechanisms. See ntp-keygen(8).

However, doing the full-blown crypto security thing is generally over the
top for securing simple clients. It's good for NTP servers, especially if
you have your own hierarchy of Stratum 1 and perhaps Stratum 2 servers
and accurate timing really is critical for you. Remember you need at least
three independent time sources -- preferably four to give you some
resilience -- in order to be able to detect if the clock has gone wonky on
any one of your servers.

For supplying a time signal by multicast or broadcast, you have to enable
key based authentication on all the servers and clients. The basic method
just uses what is effectively an 8 character random string as a password.
This is usually sufficient if all your client machines are on protected back
end networks and taking a time signal from NTP servers entirely in
your control. You need to protect the ntp-keys file from exposure -- I
like to create a root-only directory to hold it:

    mkdir /etc/ntp
    mv ntp.keys /etc/ntp/
    chown -R root:wheel /etc/ntp
    chmod -R go-rwx /etc/ntp

For dhcp and DNS security -- there are all sorts of mechanisms for
authenticating and securing transactions between such servers. In the
case of DNS, I suggest you read up on 'Tsig' (Transaction Signatures) and
DNSSEC -- this is a good resource:

    http://www.dnssec.net/why-deploy-dnssec

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
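The key-file lockdown Matthew describes (mkdir, mv, chown, chmod) as a small script, added here as an illustration and not part of the list thread. It takes the directory and key-file paths as parameters so it can be dry-run in a scratch directory rather than /etc/ntp, writes a constructed placeholder key (not a real one) in the `keyno type key` format ntpd reads, and adds a check that nothing under the directory is readable by group or other. The `keys`, `trustedkey` and `server ... key` lines it prints are standard ntp.conf directives; the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the original mail: install an ntp.keys file into a
# root-only directory (mkdir / mv / chown / chmod as in the reply) and then
# verify that no file or directory under it carries group/other permission bits.
set -eu

# Write a constructed symmetric-key file in ntp.keys format: "<id> <type> <key>".
# A short ASCII key like this is the password-style MD5 key the reply refers to.
# The value is a placeholder for the example, not a key to reuse.
write_sample_keys() {
    out="$1"
    ( umask 077; printf '1 MD5 Xample8c\n' > "$out" )   # created without g/o bits
}

# Move the key file into its own directory and strip all group/other access.
secure_ntp_keys() {
    src="$1"; dir="$2"
    mkdir -p "$dir"
    mv "$src" "$dir/ntp.keys"
    # uid 0 / gid 0 is root:wheel on FreeBSD and root:root on Linux. chown only
    # does something useful when running as root, so a dry run skips it.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$dir"
    fi
    chmod -R go-rwx "$dir"
}

# Succeed only if every file and directory under $1 shows "------" in the
# group and other columns of ls -l (portable across BSD and GNU userland).
check_ntp_keys_perms() {
    find "$1" -exec ls -ld {} \; |
        awk 'BEGIN { bad = 0 }
             { if (substr($1, 5, 6) != "------") bad = 1 }
             END { exit bad }'
}

# Print the ntp.conf lines that point ntpd at the secured key file and
# require key 1 for the given server (use "broadcast <addr> key 1" /
# "broadcastclient" instead of "server" for a broadcast or multicast setup).
ntp_conf_fragment() {
    dir="$1"; server="$2"
    printf 'keys %s/ntp.keys\ntrustedkey 1\nserver %s key 1\n' "$dir" "$server"
}

# Dry run in a scratch directory; replace with /etc/ntp on a real host.
if [ "${1:-}" = "--demo" ]; then
    T=$(mktemp -d)
    write_sample_keys "$T/ntp.keys"
    secure_ntp_keys "$T/ntp.keys" "$T/ntp"
    check_ntp_keys_perms "$T/ntp" && echo "ok: $T/ntp is root-only"
    ntp_conf_fragment /etc/ntp 192.0.2.1
    rm -rf "$T"
fi
```

Run with `--demo` to exercise it in a temporary directory; the permission check is the part worth keeping around, since a later `chmod -R` or a backup restore can silently widen the mode of a key file that ntpd will happily keep reading.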