|
KB2026.704
FAQ: DTLinux Best Practices
This article applies to DTLinux, specifically best security practices.
Last Updated: 04 Jul 2026
The files for DTLinux, along with installation instructions may be found at the
DTLinux Download Page.
DTLinux can be fully managed using the Windows Domain Time II Manager product. Manager allows you to edit
the dtlinux.conf file, push out an updated keyring, discover which network adapters support which kind of
timestamping, and generate problem reports to submit to support. You can also view the log and statistics
in real time.
The default configuration file for DTLinux is designed for the most accommodating initial setup.
Step 1 - Timesources
The default configuration includes a set of default time sources
timesource = time.google.com protocol NTP comment "Google stratum 1 pool"
timesource = time.apple.com protocol NTP comment "Apple stratum 1 pool"
timesource = tick.greyware.com protocol DT2-UDP comment "Internet DT2 server"
timesource = tock.greyware.com protocol DT2-UDP comment "Internet DT2 server"
You should replace the default timesources with your own NTP appliances. Even if you are planning
to use PTP, your list of timesources should include at least one (preferably three) reliable NTP
sources local to your network. When using PTP, the NTP sources are used at reboot to get a rapid
approximate sync, and thereafter as fallbacks when PTP drops or sends unexpected timestamps.
Step 2 - IP Access List
The default configuration grants access to the full RFC 1918 private network blocks
dt2Security:allow = 192.168.0.0/16 ; allow access from 192.168.*
dt2Security:allow = 172.16.0.0/12 ; allow access from 172.16.*
dt2Security:allow = 10.0.0.0/8 ; allow access from 10.*
dt2Security:allow = fe80::0/10 ; allow access IPv6 link-local
Each dt2Security:allow line may list a single IP address or a CIDR block. Use as few or as many
as required for your network. Instead of allowing all private networks, you should limit access
to just your Manager machines.
Step 3 - Authorized Managers List
In addition to limiting access by IP address, you should explicitly limit control access to your
Manager machines. Use sudo dtcheck -authorize NameOrIP where
NameOrIP is the name or IP address of each Manager machine you want to authorize.
You can use the -revoke command to remove an entry or -authList
to review the list.
Step 4 - Set a Password
Use sudo dtcheck -setPassword to set or change the password. Once a password
is set, a remote Manager machine cannot control your DTLinux instance without knowing the
password. Passwords never cross the wire. They are stored using a one-way salted hash on the Linux
machine, and (optionally) as encrypted blobs on the Windows Manager machines in Credentials Manager.
At the time of use, Manager uses the password combined with a single-use nonce to prove it knows
the secret.
|
My Account |
Contact Us |
Privacy Policy |
Printer-Friendly Version
Copyright © 1995-2026 Greyware Automation Products, Inc. All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.
|