Date: Thu, 18 Sep 2008 08:28:51 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Da Rock <rock_on_the_web@comcen.com.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: NTP authentication using kerberos
Message-ID: <48D20333.6090100@infracaninophile.co.uk>
In-Reply-To: <1221698808.29382.23.camel@laptop1>
References: <1221698808.29382.23.camel@laptop1>
Da Rock wrote:
> This may be a stupid question, and/or a chicken and egg conundrum:
>
> Is it possible to use kerberos in authentication with an ntp server?
>
> Here is my reasoning for this (and please correct any wrong assumptions I have here): In the handbook regarding kerberos (and nearly every other reliable source) kerberos is all or nothing- every service needs to be included or it is not as secure as it should be. On the other hand, there are problems with using kerberos if the time is not synchronised, so use ntp.
>
> And so far I have only found simple key authentication similar to dhcp and dns to authenticate ntp with. But if kerberos provides keys then this could be simpler, yes?
>
> Once I have worked through this, I'd like to multicast ntp, but I think I've got that sewn up already, unless anybody has some advice on this? I'll probably be using the 239 subnet rather than 224 if that is not an issue.
>
> One more thing- if ntp uses the same sort of authentication as dhcp and dns, is there a way to extend this kerberos setup (if it is possible with ntp) to dhcp and dns on my local network? Or am I just getting too ambitious with everything here? :)

NTP doesn't support Kerberos style authentication. It has its own cryptographically secured authentication mechanisms. See ntp-keygen(8).

However, doing the full-blown crypto security thing is generally over the top for securing simple clients. It's good for NTP servers, especially if you have your own hierarchy of Stratum 1 and perhaps Stratum 2 servers and accurate timing really is critical for you. Remember you need at least three independent time sources -- preferably four to give you some resilience -- in order to be able to detect if the clock has gone wonky on any one of your servers.

For supplying a time signal by multicast or broadcast, you have to enable key based authentication on all the servers and clients. The basic method just uses what is effectively an 8 character random string as a password. This is usually sufficient if all your client machines are on protected back end networks and taking a time signal from NTP servers entirely in your control. You need to protect the ntp-keys file from exposure -- I like to create a root-only directory to hold it:

    mkdir /etc/ntp
    mv ntp.keys /etc/ntp/
    chown -R root:wheel /etc/ntp
    chmod -R go-rwx /etc/ntp

For dhcp and DNS security -- there are all sorts of mechanisms for authenticating and securing transactions between such servers. In the case of DNS, I suggest you read up on 'TSIG' (Transaction Signatures) and DNSSEC -- this is a good resource: http://www.dnssec.net/why-deploy-dnssec

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
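An added example, not code from Matthew's reply or from the NTP project: a POSIX sh script that builds the root-only key directory described above, writes an ntp.keys file holding one generated 8-character symmetric MD5 key, and audits that nothing in the directory is group- or world-accessible. The NTP_KEYDIR variable, the key-number argument and the fallback to owner-only chown on systems without a wheel group are assumptions added so it can be exercised outside /etc/ntp.

```shell
#!/bin/sh
# Added example, not part of the original thread. Creates the root-only key
# directory from the reply above, generates one 8-character symmetric key in
# ntp.keys format, and checks that nothing in the directory is readable by
# group or others. NTP_KEYDIR (assumed; default /etc/ntp) lets this run
# against a scratch directory without root.

gen_ntp_key() {
    # 8 printable characters from /dev/urandom. ntp.keys MD5 keys must not
    # contain '#', space or tab, so restrict to alphanumerics.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count=8 2>/dev/null
}

install_ntp_keys() {
    dir="${NTP_KEYDIR:-/etc/ntp}"
    keyno="${1:-1}"          # key number referenced from ntp.conf (assumed: 1)
    key=$(gen_ntp_key) || return 1
    [ "${#key}" -eq 8 ] || return 1
    # Subshell so the restrictive umask does not leak into the caller; with
    # umask 077 the directory and file are never world-readable, even briefly.
    ( umask 077 &&
      mkdir -p "$dir" &&
      printf '%s M %s\n' "$keyno" "$key" > "$dir/ntp.keys" ) || return 1
    if [ "$(id -u)" -eq 0 ]; then
        # wheel is the FreeBSD admin group; fall back to owner-only elsewhere
        chown -R root:wheel "$dir" 2>/dev/null || chown -R root "$dir" || return 1
    fi
    chmod -R go-rwx "$dir"
}

# Audit: succeed only if the directory and everything in it deny group/other.
check_ntp_keys_private() {
    dir="${NTP_KEYDIR:-/etc/ntp}"
    for f in "$dir" "$dir"/*; do
        mode=$(ls -ld "$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "exposed: $f (group/other bits: $mode)" >&2
            return 1
        fi
    done
    return 0
}
```

Run install_ntp_keys as root on the NTP host and wire the key number into ntp.conf; check_ntp_keys_private is cheap enough to run from a periodic job so an accidental chmod on the key file gets noticed.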
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48D20333.6090100>