Clock Synchronization; Configuring the KDC - Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION Installation Manual


6 Disable all user accounts except root's account by editing /etc/shadow and
replacing the hashed passwords with * or ! characters.

46.3 Clock Synchronization

To use Kerberos successfully, make sure that all system clocks within your organization
are synchronized within a certain range. This is important because Kerberos protects
against replayed credentials. An attacker might be able to observe Kerberos credentials
on the network and reuse them to attack the server. Kerberos employs several defenses
to prevent this. One of them is that it puts time stamps into its tickets. A server receiving
a ticket with a time stamp that differs from the current time rejects the ticket.

Kerberos allows a certain leeway when comparing time stamps. However, computer
clocks can be very inaccurate in keeping time—it is not unheard of for PC clocks to
lose or gain half an hour over the course of a week. For this reason, configure all hosts
on the network to synchronize their clocks with a central time source.

A simple way to do so is by installing an NTP time server on one machine and having
all clients synchronize their clocks with this server. Do this either by running an NTP
daemon in client mode on all these machines or by running ntpdate once a day from
all clients (this solution probably works for a small number of clients only). The KDC
itself needs to be synchronized to the common time source as well. Because running
an NTP daemon on this machine would be a security risk, it is probably a good idea to
do this by running ntpdate via a cron entry. To configure your machine as an NTP
client, proceed as outlined in Section 32.1, "Configuring an NTP Client with YaST"
(page 609).

It is also possible to adjust the maximum deviation Kerberos allows when checking
time stamps. This value (called clock skew) can be set in the krb5.conf file as
described in Section 46.5.3, "Adjusting the Clock Skew" (page 857).
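
The check below is an added example, not part of the Novell manual: POSIX shell functions that compare the offset reported by `ntpdate -q` with the tolerance set in krb5.conf. It assumes the MIT Kerberos `clockskew` key in `[libdefaults]` with its 300-second default; the function names, the sample data and the half-tolerance warning threshold are constructed for illustration.

```shell
#!/bin/sh
# Print clockskew (seconds) from the [libdefaults] section of krb5.conf
# (file argument or stdin). Assumes 300 s, the MIT default, if unset.
krb5_clockskew() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/) }
        in_lib && /^[ \t]*clockskew[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); v = $0
        }
        END { print (v == "" ? 300 : v) }
    ' "$@"
}

# Read `ntpdate -q` output on stdin; print the largest absolute offset
# (seconds) found on its "server ..." lines.
max_abs_offset() {
    awk '
        /^server / {
            for (i = 1; i < NF; i++) if ($i == "offset") {
                o = $(i + 1) + 0; if (o < 0) o = -o
                if (o > max) max = o
            }
        }
        END { printf "%.3f\n", max + 0 }
    '
}

# Classify offset vs. tolerance: FAIL = outside the skew (tickets rejected),
# WARN = over half of it (arbitrary example threshold), otherwise OK.
skew_status() {
    awk -v off="$1" -v skew="$2" 'BEGIN {
        off += 0; skew += 0; if (off < 0) off = -off
        if (off > skew) print "FAIL"
        else if (off * 2 >= skew) print "WARN"
        else print "OK"
    }'
}

# Constructed demo data: a clock that has drifted about half an hour.
conf='[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300'
sample='server 192.0.2.10, stratum 2, offset 1807.312000, delay 0.02594
server 192.0.2.11, stratum 3, offset 1807.298000, delay 0.03107'
skew=$(printf '%s\n' "$conf" | krb5_clockskew)
off=$(printf '%s\n' "$sample" | max_abs_offset)
echo "offset ${off}s, tolerance ${skew}s: $(skew_status "$off" "$skew")"
```

On a real host, feed the functions the live data instead of the constructed samples, for example the output of `ntpdate -q` against your central time source and the path /etc/krb5.conf.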

46.4 Configuring the KDC

This section covers the initial configuration and installation of the KDC, including the
creation of an administrative principal. This procedure consists of several steps:


This manual is also suitable for:

SUSE Linux Enterprise Server 10 SP3
