KB2026.704
FAQ: DTLinux Best Practices

This article applies to DTLinux, specifically best security practices.

Last Updated: 04 Jul 2026

The files for DTLinux, along with installation instructions may be found at the DTLinux Download Page.

DTLinux can be fully managed using the Windows Domain Time II Manager product. Manager allows you to edit the dtlinux.conf file, push out an updated keyring, discover which network adapters support which kind of timestamping, and generate problem reports to submit to support. You can also view the log and statistics in real time.

The default configuration file for DTLinux is designed for the most accommodating initial setup.

Step 1 - Timesources

The default configuration includes a set of default time sources
timesource = time.google.com protocol NTP comment "Google stratum 1 pool"
timesource = time.apple.com protocol NTP comment "Apple stratum 1 pool"
timesource = tick.greyware.com protocol DT2-UDP comment "Internet DT2 server"
timesource = tock.greyware.com protocol DT2-UDP comment "Internet DT2 server"
You should replace the default timesources with your own NTP appliances. Even if you are planning to use PTP, your list of timesources should include at least one (preferably three) reliable NTP sources local to your network. When using PTP, the NTP sources are used at reboot to get a rapid approximate sync, and thereafter as fallbacks when PTP drops or sends unexpected timestamps.

Step 2 - IP Access List

The default configuration grants access to the full RFC 1918 private network blocks
dt2Security:allow = 192.168.0.0/16 ; allow access from 192.168.*
dt2Security:allow = 172.16.0.0/12  ; allow access from 172.16.*
dt2Security:allow = 10.0.0.0/8     ; allow access from 10.*
dt2Security:allow = fe80::0/10     ; allow access IPv6 link-local
Each dt2Security:allow line may list a single IP address or a CIDR block. Use as few or as many as required for your network. Instead of allowing all private networks, you should limit access to just your Manager machines.

Step 3 - Authorized Managers List

In addition to limiting access by IP address, you should explicitly limit control access to your Manager machines. Use sudo dtcheck -authorize NameOrIP where NameOrIP is the name or IP address of each Manager machine you want to authorize. You can use the -revoke command to remove an entry or -authList to review the list.

Step 4 - Set a Password

Use sudo dtcheck -setPassword to set or change the password. Once a password is set, a remote Manager machine cannot control your DTLinux instance without knowing the password. Passwords never cross the wire. They are stored using a one-way salted hash on the Linux machine, and (optionally) as encrypted blobs on the Windows Manager machines in Credentials Manager. At the time of use, Manager uses the password combined with a single-use nonce to prove it knows the secret.

Copyright © 1995-2026 Greyware Automation Products, Inc.  All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.
Greyware Automation Products, Inc.
308 Oriole Ct, Murphy, TX 75094
972-867-2794 (voice)

Close Printer-Friendly Version