Since the security of Kerberos authentication is in part based upon the time stamps of tickets, it is critical to have accurately set clocks on Kerberos servers. As we mentioned in the introduction to Kerberos, a short lifetime for tickets is used to prevent attackers from performing successful brute force attacks or replay attacks.
If you allow your clocks of your servers to drift, you will make your network vulnerable to such attacks. Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized with in a reasonable window Kerberos will report fatal errors and refuse to function. Clients attempting to authenticate from a machine with an inaccurate clock will be failed by the KDC in authentication attempts due to the time difference with the KDC's clock.
The Network Time Protocol (NTP) is available for the time synchronization of servers. A number of public NTP servers are available for synchronization. NTP is capable of synchronizing client clocks within milliseconds on LANs, and tens of milliseconds over WANs. NTP servers are divided by stratum. Primary NTP servers are classified as stratum 1. These public primary servers should not be used for synchronization of client machines due to the relatively small number of them. Public stratum 2 servers are available for client machine synchronization and synchronize their own clocks with the public stratum 1 servers. For our Kerberos servers, we'll set up NTP to query against three stratum two servers. A maintained list of public stratum two servers can be found here.
In order to turn NTP on GNU/Linux, you must install the NTP package and edit the configuration filename. By default, the NTP configuration filename is /etc/ntp.conf
. The default values in the configuration are acceptable. All that needs to be done is to add the servers we wish to use to synchronize our clocks. Authentication is not necessary, but authentication can be enabled from additional security. If you're using NTP servers on your LAN, you may wish to use authentication. Here is a sample ntp.conf
filename from the Gnu University Dublin.
Finally we put a cron job in place to do the actual synchronization:
30 * * * * /usr/sbin/ntpdate -s
If our systems are behind a firewall we may need to provide use -su rather than just -s. The -u argument will direct ntpdate to use an unprivileged port for its outgoing connection to the stratum 2 time servers.