All hosts participating in the Kerberos authentication system must have their internal clocks synchronized within a specified maximum amount of time (known as clock skew), which provides another Kerberos security check. If the clock skew is exceeded between any of the participating hosts, client requests will be rejected.
The clock skew also determines how long application servers must keep track of all Kerberos protocol messages, in order to recognize and reject replayed requests. So, the longer the clock skew value, the more information that application servers have to collect.
The default value for the maximum clock skew is 300 seconds (five minutes), which you can change in the libdefaults section of the krb5.conf file.
For security reasons, do not increase the clock skew beyond 300 seconds.
Because the KDCs and SEAM clients must keep their clocks synchronized, it is recommended that you use the Network Time Protocol (NTP) software to do this. The NTP public domain software from the University of Delaware is included in the Solaris software starting with the Solaris 2.6 release.
Another way to synchronize clocks is to use the rdate command and cron jobs, which can be a less involved process than using NTP. However, this section will continue to focus on using NTP. And, if you use the network to synchronize the clocks, the clock synchronization protocol must itself be secure.
NTP enables you to manage precise time and/or network clock synchronization in a network environment. NTP is basically a server/client implementation. You pick one system to be the master clock (NTP server), and then you set up all your other systems to synchronize their clocks with the master clock (NTP clients). This is all done through the xntpd daemon, which sets and maintains a UNIX system time-of-day in agreement with Internet standard time servers. Figure 3-1 shows an example of using the server/client NTP implementation.
To ensure that the KDCs and SEAM clients maintain synchronized clocks, implement the following steps:
Set up an NTP server on your network (this can be any system except the master KDC). See "How to Set Up an NTP Server".
As you configure the KDCs and SEAM clients on the network, set them up to be NTP clients of the NTP server. See "How to Set Up an NTP Client".
Become superuser on the system to be the NTP server.
Change to the /etc/inet directory.
Copy the ntp.server file to the ntp.conf file.
# cp ntp.server ntp.conf
Change to the /etc/init.d directory.
Start the xntpd daemon.
# ./xntpd start