CaffeineAddict
What?
This is my quick and short tutorial (because I don't like long ones) on how to set up NTS (Network Time Security) on a Debian system.
The procedure can be applied to other distros just fine and probably without any modifications at all, but I tested this on Debian only so I've put it into this subforum.
Quick intro to terms
NTP stands for Network Time Protocol, which enables you to sync your computer time with NTP servers to have accurate time on your PC.
NTS (Network Time Security) is a protocol that enhances old-fashioned NTP by introducing SSL/TLS to authenticate your NTP requests with NTS enabled NTP servers.
SNTP stands for Simple Network Time Protocol and that's what you're using by default on your system (systemd-timesyncd), no, you're not using normal NTP!
Why should I bother?
By default you're not using NTP but SNTP. SNTP is much simpler than NTP; it comes without the complex algorithms that derive as precise a time as possible.
Also SNTP does not support NTS.
Therefore the benefit of NTS is more precise time as well as time sync security; the security is that bad guys can't tamper with your PC time accuracy.
How it works?
Your NTS enabled NTP client contacts an NTS enabled NTP server in 2 steps:
1.) In the first step it uses TCP port 4460 for SSL/TLS for authentication and encrypted traffic initiation.
2.) In the 2nd step it uses UDP 123 to perform authenticated NTP time sync.
How to set up?
Bash:
sudo apt update
sudo apt install ntpsec
# This should open existing ntp.conf
sudo nano /etc/ntpsec/ntp.conf
At this point modify the configuration file by adding the following lines:
Code:
interface listen lo
interface listen YOUR_NIC_NAME
interface ignore 0.0.0.0
interface ignore ::
Replace YOUR_NIC_NAME with your primary NIC name, use ip link to learn your NIC name.
Further modify file with:
Code:
logconfig =syncall +clockall
server SERVER_ADDRESS iburst nts
Replace SERVER_ADDRESS with one of the NTS enabled servers from the link below:
Public NTS Server List
netfuture.ch
Set up at least 4 server lines by specifying 4 servers, e.g. to specify US server from the link:
Code:
server time.0xt.ca iburst nts
Finally comment out server lines which don't use NTS, default configuration may read (notice there is no nts at the end of each line):
Bash:
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
Comment out these and leave only the nts server lines you added in the previous step.
Save changes with CTRL + O and CTRL + X
Restart service with:
Bash:
sudo systemctl restart ntpsec
How to verify configuration works?
Type the following commands one by one and press enter once you examine each:
Bash:
ntpq -p
ntpq -c rv
Output lines of the first command should be prefixed with + or - or *
Asterisk means you're synced with that server, if so it works.
Output of the second command should tell you leap_none which means you're synced, if it tells you leap_alarm it means no sync happened.
Troubleshooting, how to read logs?
ntpsec will log to syslog, therefore run sudo tail -f /var/log/syslog in 1 terminal and sudo systemctl restart ntpsec in another terminal to observe what it does.
Reference
If you want to read more about configuration and how it works:
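Added example, not part of the original post: a shell audit of the finished ntp.conf that flags any active server or pool line still missing the nts option (an unauthenticated time source left enabled) and checks that at least 4 NTS server lines are present, as the set-up steps above ask. The function names and the nts1/nts2.example.net hostnames are hypothetical, and the sample configuration is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit an ntpsec config for time sources that bypass NTS.
MIN_NTS=4   # the tutorial's "at least 4 server lines"

# Print each active (uncommented) server/pool line that lacks the nts option.
non_nts_sources() {
    awk '{ sub(/#.*/, "") }                      # strip comments first
         $1 == "server" || $1 == "pool" {
             nts = 0
             for (i = 3; i <= NF; i++) if ($i == "nts") nts = 1
             if (!nts) print $1, $2
         }' "$1"
}

# Count active server lines that carry the nts option.
count_nts_servers() {
    awk '{ sub(/#.*/, "") }
         $1 == "server" { for (i = 3; i <= NF; i++) if ($i == "nts") { n++; break } }
         END { print n + 0 }' "$1"
}

# Exit status 0 only if every active source uses NTS and there are enough.
audit_ntp_conf() {
    local bad count
    bad="$(non_nts_sources "$1")"
    count="$(count_nts_servers "$1")"
    if [ -n "$bad" ]; then echo "$bad" | sed 's/^/unauthenticated source: /' >&2; fi
    if [ "$count" -lt "$MIN_NTS" ]; then echo "only $count NTS server lines" >&2; fi
    [ -z "$bad" ] && [ "$count" -ge "$MIN_NTS" ]
}

# Constructed sample: one pool line was left active, only three NTS servers.
write_sample_conf() {
    cat > "$1" <<'EOF'
interface listen lo
logconfig =syncall +clockall
server time.0xt.ca iburst nts
server nts1.example.net iburst nts   # constructed hostname
server nts2.example.net iburst nts   # constructed hostname
#pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
EOF
}

conf="${1:-}"
if [ -z "$conf" ]; then conf="$(mktemp)"; write_sample_conf "$conf"; fi
audit_ntp_conf "$conf" && echo "OK: all sources use NTS" || echo "FAIL: see above"
```

Pass /etc/ntpsec/ntp.conf as the first argument to audit the real file; with no argument the script runs against the constructed sample and reports the leftover pool line.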

