haynes@felix.ucsc.edu (99700000) (02/06/91)
I just had my first instance of Kerberos failure caused by the server and client machines being too far out of agreement as to the time of day. How about somebody at MIT telling the rest of us how you synchronize clocks on the 1200 workstations through all the network routers and subnets and things.
Saltzer@MIT.EDU (Jerome H Saltzer) (02/07/91)
Question: How does Project Athena synchronize the clocks on its many workstations and fileservers?

Answer #1: (Jonathan explained about the nntp version of timed)

Answer #2: Before nntp was installed, there were a few halfway measures used to help keep from going completely insane:

1. All servers ran a network time service that simply reported the time on the local clock.

2. All workstations, whenever rebooted, set their clocks from a particular one of the time servers: the one running on the Kerberos server. Users were told that if they saw an error message that mentioned both tickets and clocks they should reboot their workstation and try again.

3. A program was written to compare the times reported by any two servers and display the number of seconds of difference. This program was periodically exercised, comparing every server with the Kerberos server, looking for server clocks that had drifted. When a drifted clock was found, that machine was rebooted.

This set of measures certainly didn't solve the problem completely, but it kept things more or less under control for three years, until the version of timed that uses the nntp protocol became available.

Jerry Saltzer
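The drift check described in item 3 of the message above, as an added example that is not part of the original post and not Project Athena's program. It assumes the servers answer with RFC 868 Time Protocol replies (4 bytes, big-endian seconds since 1900-01-01) and a 300-second tolerance; both are assumptions, and the host names and readings are constructed.

```python
import struct

RFC868_TO_UNIX = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MAX_SKEW = 300               # assumed tolerance in seconds, not a figure from the post

def decode_time_reply(reply: bytes) -> int:
    """Decode a 4-byte RFC 868 reply into Unix seconds."""
    if len(reply) != 4:
        raise ValueError(f"expected 4 bytes, got {len(reply)}")
    (secs_1900,) = struct.unpack("!I", reply)
    return secs_1900 - RFC868_TO_UNIX

def offset_vs_local(reply, sent_at, received_at):
    """Server clock minus the checker's clock, taken at the round-trip midpoint."""
    return decode_time_reply(reply) - (sent_at + received_at) / 2

def find_drifted(samples, reference, max_skew=MAX_SKEW):
    """Return {host: seconds ahead of the reference} for hosts beyond max_skew.

    Subtracting two offsets cancels the checker's own clock error, so the
    machine running the check does not need a correct clock itself.
    A malformed reply is reported with the value None.
    """
    ref_offset = offset_vs_local(*samples[reference])
    drifted = {}
    for host, sample in samples.items():
        if host == reference:
            continue
        try:
            diff = offset_vs_local(*sample) - ref_offset
        except ValueError:
            drifted[host] = None
            continue
        if abs(diff) > max_skew:
            drifted[host] = diff
    return drifted

def make_reply(unix_secs):
    return struct.pack("!I", unix_secs + RFC868_TO_UNIX)

T = 666000000  # constructed local timestamp; samples are (reply, sent_at, received_at)
SAMPLES = {
    "kerberos.example": (make_reply(T + 2), T + 0.0, T + 0.2),
    "fs1.example": (make_reply(T + 12), T + 10.0, T + 10.4),   # in step
    "fs2.example": (make_reply(T + 451), T + 20.0, T + 20.2),  # about 7 minutes fast
    "fs3.example": (b"\x00\x01", T + 30.0, T + 30.1),          # truncated reply
}

if __name__ == "__main__":
    for host, diff in find_drifted(SAMPLES, "kerberos.example").items():
        print(host, "bad reply" if diff is None else f"{diff:+.1f} s")
```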
louie@SAYSHELL.UMD.EDU ("Louis A. Mamakos") (02/07/91)
> Answer #2:
>
> Before nntp was installed..... ... ...
> This set of measures certainly didn't solve the problem completely,
> but it kept things more or less under control for three years, until
> the version of timed that uses the nntp protocol became available.
>
> Jerry Saltzer

While `nntpd' might be more fun, I think Jerry meant to type `ntpd'. No, there are no hidden time synchronization functions in USENET news..

Louis A. Mamakos
NTP weenie
University of Maryland, College Park
Saltzer@MIT.EDU (Jerome H Saltzer) (02/07/91)
> While `nntpd' might be more fun, I think Jerry meant to type `ntpd'.
Oops. Yes, please change all mentions of "nntp" to "ntp" in my
message.
Jerry
bishop@WINDSOR.DARTMOUTH.EDU (Matt Bishop) (02/22/91)
Folks,

If you're interested in the security issues raised by NTP version 2, I have a technical report that discusses a lot of them, especially the authentication mechanism and problems. If you want a copy, you can get a postscript version by anonymous ftp to dartvax.dartmouth.edu (get the file pub/dropoff/ntp2sec.ps); if you want a paper copy, send a note to Deb Minichiello (Debra.Minichiello@dartmouth.edu) asking for TR #154, "A Security Analysis of Version 2 of the Network Time Protocol NTP."

Be aware that the file on dartvax will go away in a week (on 3/2).

Enjoy!

Matt Bishop