[ntp:questions] Re: Secure W32Time

Danny Mayer mayer at ntp.isc.org
Tue Mar 21 13:47:15 UTC 2006


malayter at gmail.com wrote:
> According to:
> http://tinyurl.com/ft435
>   and
> http://tinyurl.com/fh8uz
> 
> In Windows 2003 SP1 and later, a full NTPv3 implementation with NTPv4
> algorithmic enhancements is used. Windows Time Service is apparently no
> longer just SNTP, at least on the server side.
> 
> However, it appears that only Windows servers in the same domain can
> share authenticated time (they use their existing Kerberos session keys
> as a shared secret). There does not seem to be a way to configure the
> Windows Time Service to use a specific pre-shared key with a
> manually-defined server.  I base this on the list of command-line
> switches and registry settings provided in the links above. There may
> be undocumented ways of accomplishing this with Windows Time. This
> omission appears to be "okay" as far as NTP standards are concerned,
> because authentication is an optional part of RFC-1305 and RFC-2030.
> 

I skimmed through the first reference and was amused to see that it was
using Kerberos session keys for authentication. However, Kerberos is
time dependent.... Can you say chicken and egg?

Danny


