NTP

The Network Time Protocol is used to keep system clocks in sync with the "correct" time. The protocol uses UDP for all traffic, usually on port 123.

NTP has a concept of a time server and clients. Each client and server is assigned a stratum that indicates how close it is to an authoritative time source. Examples of authoritative sources are atomic clocks, GPS receivers (with outputs that can be read by the computer), and radio clocks. These sources are assigned stratum 0. A computer connected directly to a time source is assigned stratum 1; a client that speaks to a stratum 1 NTP server is assigned stratum 2; and so on... There are 16 total strata.

Using multiple servers on an uncongested network, NTP can achieve sub-millisecond accuracy.

Configuration
Basic configuration is quite simple:

restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 17.254.0.28
server 17.254.0.28
logfile /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift

The first four lines define which computers are allowed to tell us what the time is. Specifically, the first line says "nobody is trusted by default." The second and third lines indicate that we trust ourselves (127.0.0.1) and 17.254.0.28 (one of the hosts in the "time.apple.com" DNS pool). The fourth line indicates that we should actually use 17.254.0.28 as a time server.

The last two lines add logging, and tell the NTP daemon to track the "drift" of the local system clock relative to the "correct" time.
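As an added example (not from the original page or from ntpd itself), the following Python works out which restrict entry ntpd applies to a given source address: the most specific matching entry wins, with "restrict default" as the catch-all. The sample configuration is the one above plus one constructed "mask" subnet line, and the helper names are hypothetical.

```python
import ipaddress

# Constructed sample: the configuration above, plus one hypothetical
# subnet entry to show how an 'addr mask m' line is matched.
SAMPLE_CONF = """
restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 17.254.0.28
restrict 192.0.2.0 mask 255.255.255.0 nomodify
server 17.254.0.28
logfile /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift
"""


def parse_restrict_lines(conf):
    """Return (network, flags) pairs for every 'restrict' directive in conf."""
    rules = []
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()          # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family6 = "-6" in tokens
        tokens = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if tokens[0] == "default":                       # catch-all entry
            net = ipaddress.ip_network("::/0" if family6 else "0.0.0.0/0")
            flags = tokens[1:]
        elif len(tokens) >= 3 and tokens[1] == "mask":   # 'addr mask m' form
            net = ipaddress.ip_network((tokens[0], tokens[2]), strict=False)
            flags = tokens[3:]
        else:                                            # bare host (/32) or addr/prefix
            net = ipaddress.ip_network(tokens[0], strict=False)
            flags = tokens[1:]
        rules.append((net, frozenset(flags)))
    return rules


def effective_flags(rules, source):
    """Flags ntpd applies to packets from `source`: the longest prefix wins."""
    addr = ipaddress.ip_address(source)
    matches = [(net, f) for net, f in rules
               if net.version == addr.version and addr in net]
    if not matches:
        return None                                      # no entry: unrestricted
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def access_summary(rules, source):
    """Defender's view: what may this source do under the parsed rules?"""
    flags = effective_flags(rules, source) or frozenset()
    return {"trusted_time_source": "notrust" not in flags,
            "queries_allowed": "noquery" not in flags,
            "modification_allowed": "nomodify" not in flags}
```

Running access_summary over every address that can reach port 123 on the host is a quick way to confirm that only the intended servers end up with an empty flag set.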

If you aren't using it, or something that performs the same task, you should be.

Security
The ntpd daemon can run as a non-privileged user. It is suggested that you create an "ntp" user and group and start the ntpd process with the options "-u ntp:ntp". The daemon must be started as root, but it will drop privileges afterward.

The NTP protocol also supports using cryptographic keys for distributing time information. Consider using them for any network that is not completely under your control.

If the Linux "capabilities" security model is in use, you may need to adjust your ntp.conf configuration a bit. See http://gentoo-wiki.com/HOWTO_NTP for details.