From Hackepedia
Revision as of 13:18, 21 September 2006

NTP

The Network Time Protocol is used to keep system clocks in sync with the "correct" time. The protocol uses UDP for all traffic, normally on port 123.

NTP has a concept of "time servers" and clients. Each server and client is assigned a "stratum" that indicates how far it is from an authoritative time source. Examples of authoritative sources are atomic clocks, GPS receivers (with outputs that the computer can read), and radio clocks. These sources are stratum 0. A computer connected directly to such a source is stratum 1; a client that synchronizes to a stratum 1 NTP server is stratum 2; and so on. Usable stratum values run from 1 to 15; a server reporting stratum 16 is announcing that its own clock is unsynchronized, and clients must not use it as a source.

Using multiple servers on an uncongested network, NTP can achieve sub-millisecond accuracy.

Configuration

Basic configuration is quite simple:

restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 17.254.0.28
server 17.254.0.28

logfile /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift

The first four lines define which computers are allowed to tell us what the time is. Specifically, the first line says "nobody is trusted": hosts not matched by a more specific restrict line may not act as a time source (notrust), may not send the mode 6/7 control queries that ntpq and ntpdc use (noquery), and may not change the running configuration (nomodify). The second and third lines remove all restrictions for ourselves (127.0.0.1) and for 17.254.0.28 (this is one of the hosts in the "time.apple.com" DNS pool). The fourth line says that we should actually use 17.254.0.28 as a time server.

Two caveats. A restrict line with no flags lifts every restriction for that address, so as written 17.254.0.28 may also send control queries to this daemon; because nomodify and noquery only affect control traffic and never the time exchange itself, the safer form is "restrict 17.254.0.28 nomodify noquery". Also, in ntpd 4.2 and later the notrust flag means "drop packets that are not cryptographically authenticated", so with notrust in the default line every server must either get its own restrict line, as here, or be configured with a key; otherwise its replies are silently ignored.

The last two lines enable logging and tell the NTP daemon where to record the measured frequency "drift" of the local clock relative to the "correct" time, so that it does not have to relearn it after a restart.

If you aren't using it, or something that performs the same task, you should be.

Security

The ntpd daemon can run as a non-privileged user. It is suggested that you create an "ntp" user and group, and start the ntpd process with the options "-u ntp:ntp". The daemon must be started as root (it binds port 123 and sets the system clock), but it will drop privileges afterward. Many distribution packages already do this; check with ps that the running ntpd is not root.

The NTP protocol also supports authenticating time packets with cryptographic keys: pre-shared symmetric keys (a keyed MD5 or SHA-1 digest appended to each packet, configured with the keys, trustedkey and "server ... key N" directives) and, in NTPv4, the Autokey public-key scheme. Consider using them for any network that is not completely under your control. Keep in mind that authentication only proves a packet came from a holder of the key; it does not protect you from a server whose own clock is wrong or unsynchronized, so still configure several servers.
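As an added example (not from the original page and not ntp.org's code), the following Python model ties together the packet fields that carry stratum and leap indicator, described above under the protocol, and the symmetric-key authentication RFC 5905 specifies: a 4-byte key id followed by an MD5 or SHA-1 digest computed over the shared secret concatenated with the packet. The key table, secrets and sample timestamps are constructed for the example, and it assumes packets carry no extension fields, so the MAC starts immediately after the 48-byte header. The acceptance checks mirror what a client must do before using a reply: verify the MAC, confirm mode 4, reject leap indicator 3, and reject any stratum outside 1..15.

```python
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800  # NTP counts seconds from 1900, Unix from 1970
HEADER_LEN = 48               # RFC 5905 header with no extension fields

# Constructed key table in the shape of an ntp.keys file: id -> (digest, secret).
KEYS = {1: ("md5", b"example-md5-secret"), 2: ("sha1", b"example-sha1-secret")}


def ntp_timestamp(unix_seconds):
    """Pack a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_header(li, vn, mode, stratum, ref_id, transmit_unix):
    """Build a 48-byte NTPv4 header (RFC 5905, Figure 8); fields the example
    does not exercise (poll, precision, root delay/dispersion, the first three
    timestamps) are zeroed."""
    first = (li << 6) | (vn << 3) | mode
    return (struct.pack("!BBbb", first, stratum, 0, 0)   # LI/VN/mode, stratum, poll, precision
            + struct.pack("!II", 0, 0)                    # root delay, root dispersion
            + ref_id.ljust(4, b"\x00")[:4]                # reference id
            + b"\x00" * 24                                # reference, origin, receive timestamps
            + ntp_timestamp(transmit_unix))               # transmit timestamp


def parse_header(data):
    """Decode leap indicator, version, mode, stratum, reference id and transmit time."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than an NTP header")
    secs, frac = struct.unpack("!II", data[40:48])
    return {"li": data[0] >> 6, "vn": (data[0] >> 3) & 0x7, "mode": data[0] & 0x7,
            "stratum": data[1], "ref_id": data[12:16],
            "transmit_unix": secs - NTP_UNIX_OFFSET + frac / (1 << 32)}


def append_mac(packet, key_id, keys=KEYS):
    """Append an RFC 5905 symmetric-key MAC: 4-byte key id, then digest(secret || packet)."""
    algo, secret = keys[key_id]
    return packet + struct.pack("!I", key_id) + hashlib.new(algo, secret + packet).digest()


def check_mac(data, keys=KEYS):
    """Return (header, key_id) if the trailing MAC verifies under a trusted key, else None.
    Assumes no extension fields, so the MAC starts right after the header."""
    if len(data) < HEADER_LEN + 4:
        return None                      # no key id at all: unauthenticated packet
    header = data[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", data[HEADER_LEN:HEADER_LEN + 4])
    if key_id not in keys:
        return None                      # unknown key id: not in our trustedkey set
    algo, secret = keys[key_id]
    expected = hashlib.new(algo, secret + header).digest()
    if len(data) != HEADER_LEN + 4 + len(expected):
        return None                      # digest length does not match the key's algorithm
    if not hmac.compare_digest(expected, data[HEADER_LEN + 4:]):
        return None                      # packet or MAC was altered
    return header, key_id


def accept_server_reply(data, keys=KEYS):
    """Decide whether a reply may be used as a time source; returns (accepted, reason)."""
    verified = check_mac(data, keys)
    if verified is None:
        return False, "missing or bad MAC"
    header, key_id = verified
    h = parse_header(header)
    if h["mode"] != 4:
        return False, "mode %d is not a server reply" % h["mode"]
    if h["li"] == 3:
        return False, "leap indicator 3: server clock is unsynchronized"
    if not 1 <= h["stratum"] <= 15:
        return False, "stratum %d is not a usable source" % h["stratum"]
    return True, "stratum %d reply authenticated with key %d" % (h["stratum"], key_id)


def demo():
    """Constructed replies: a good stratum-1 answer, a tampered copy of it, an
    unsigned copy, and an unsynchronized (LI=3, stratum 16) answer."""
    t = 1158843480.5                     # made-up sample transmit time (21 Sep 2006 UTC)
    good = append_mac(build_header(0, 4, 4, 1, b"GPS", t), 1)
    tampered = bytearray(good)
    tampered[1] = 2                      # rewrite the stratum field without re-signing
    unsynced = append_mac(build_header(3, 4, 4, 16, b"INIT", t), 2)
    return {"good": accept_server_reply(good),
            "tampered": accept_server_reply(bytes(tampered)),
            "unsigned": accept_server_reply(good[:HEADER_LEN]),
            "unsynced": accept_server_reply(unsynced)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-9s %s: %s" % (name, "accept" if ok else "reject", why))
```

Running the file prints one accept/reject line per constructed reply. The tampered copy fails because the digest was computed over the original stratum byte, the unsigned copy fails for lack of any MAC, and the stratum-16 reply is correctly authenticated yet still unusable, which is the concrete reason authentication is no substitute for configuring several sources.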

If your ntpd is built to use the Linux "capabilities" security model (so that it keeps only the capabilities it needs after dropping root), you may need to adjust your ntp.conf configuration a bit. See http://gentoo-wiki.com/HOWTO_NTP for details.

See Also

http://openntpd.org
http://ntp.org