Network Time Synchronization

From Kicksecure

Introduction

It is recommended to have a host clock with accuracy of up to ± 30 minutes. Clocks that are days, weeks, months or even years slow or fast can lead to many issues, such as connectivity problems with Tor or an inability to download operating system upgrades. [1]

Follow the platform-specific recommendations below to avoid Tor connectivity problems and to limit possible adverse security impacts.

All Platforms

If the host clock is more than 1 hour in the past or more than 3 hours in the future, Tor cannot connect. In this case, manually fix the host clock by right-clicking on it, and also check for an empty battery.

  • If using Kicksecure ™ as a host operating system: Reboot. (Easiest.)
  • If using a VM: Power off and power on Kicksecure ™. Tor should then be able to reconnect.

Easy instructions

Kicksecure in VMs or as a host operating system: It is strongly discouraged to use the pause / suspend / save / hibernate features.

Kicksecure ™ for Qubes VMs: It is strongly discouraged to use the pause feature of Qube Manager, but it is safe to use the suspend or hibernate feature of dom0.

Advanced instructions

If you are interested in using the pause / suspend / save / hibernate features, follow the instructions below.

Kicksecure ™ as a host operating system or VM:

  • It is strongly discouraged to pause / suspend / save / hibernate Kicksecure ™. If this advice is ignored, restart sdwdate after resume. [2]

Kicksecure ™ for Qubes:

  • VM: It is strongly discouraged to pause Kicksecure ™ VMs using the pause feature of Qube Manager. If this advice is ignored, restart sdwdate after resume. [3]
  • dom0 suspend / hibernate: It is safe to use the suspend or hibernate feature of dom0 and a manual restart of sdwdate is unnecessary. [4]

Restart sdwdate

To restart sdwdate, use the start menu:

Start Menu → Applications → System → Time Synchronization Monitor (sdwdate-gui) → restart sdwdate

Or in a terminal: [5]

sudo /usr/lib/sdwdate/restart_fresh

Manually Set Clock Time and Date

Usually not required.

In case sdwdate fails to properly randomize the system clock, it is possible to manually set a random value.

The first step should be completed on the host to ensure the host clock is set to the correct time.

1. On the host (Kicksecure ™ for Qubes: dom0), run the following command to report the time in UTC.

date -u

The output should be similar to the following. [6]

May 18 13:57:44 UTC 2022

2. Set the correct time in Kicksecure ™.

Run one of the following commands with the correct date and time parameters. [7] [8]

  • clock-random-manual-gui: a randomized clock setting (in UTC) is entered via a GUI.
  • clock-random-manual-cli: a randomized clock setting (in UTC) is entered on the command line. For example [9]:

echo "May 18 13:57:44 UTC 2022" | sudo clock-random-manual-cli

3. Restart sdwdate.

sudo service sdwdate restart

4. If Tor is still not functional, try restarting Tor.

sudo service tor restart

Tor should work once correct clock values are set, but that can be manually tested with systemcheck.
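
The steps above as one script, added here as an example (not Kicksecure's own tooling). It uses only the commands shown on this page; the function names, the DRY_RUN switch and the restart-tor argument are assumptions of this example.

```sh
#!/bin/sh
# Added example. DRY_RUN is this script's own switch (an assumption, not an
# sdwdate option): 1 prints the privileged commands, 0 executes them.
DRY_RUN="${DRY_RUN:-1}"

# Accept only the single-line "date -u" layout shown on this page, with an
# explicit UTC zone, so a typo never reaches the clock-setting tool.
valid_utc_stamp() {
    case "$1" in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
'^((Mon|Tue|Wed|Thu|Fri|Sat|Sun) )?(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([ 0]?[1-9]|[12][0-9]|3[01]) ([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9] UTC [0-9]{4}$'
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Steps 2 and 3, plus step 4 when the second argument is "restart-tor".
# Returns 2 for a rejected timestamp and 1 when a command exits non-zero.
set_clock_from_host() {
    stamp="$1"
    if ! valid_utc_stamp "$stamp"; then
        echo "rejected timestamp: $stamp" >&2
        return 2
    fi
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: echo "%s" | sudo clock-random-manual-cli\n' "$stamp"
    else
        echo "$stamp" | sudo clock-random-manual-cli || return 1
    fi
    run sudo service sdwdate restart || return 1
    if [ "${2:-}" = "restart-tor" ]; then
        run sudo service tor restart || return 1
    fi
    return 0
}

# Step 1 is done by hand on the host (dom0 on Qubes): read "date -u" there,
# then inside Kicksecure call, for example:
#   DRY_RUN=0; set_clock_from_host "May 18 13:57:44 UTC 2022"
```

The validator only accepts the timestamp layout printed on this page; a host whose locale prints `date -u` differently needs the pattern adjusted.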

Block Networking until sdwdate Finishes

sdwdate is a Tor-friendly replacement for rdate and ntpdate that sets the system's clock by communicating via end-to-end encrypted TCP with Tor onion webservers. Since timekeeping is crucial for security, blocking network access until sdwdate succeeds is sensible. [10]

Summary

Table: Network Time Synchronization Summary

Platform Recommendations
All Platforms
  • Tor cannot connect if the host clock is grossly inaccurate. In this case, users should manually fix the host clock before powering Kicksecure ™ off and on again.
  • Periodically check the host clock to ensure that it is accurate or approximately so.
  • For greater security, block networking until sdwdate finishes.
Kicksecure
Kicksecure-Qubes
  • It is strongly discouraged to use the pause feature of Qube Manager.
  • It is safe to use the suspend or hibernate feature of dom0.

Appendix

Deactivate Automatic TimeSync

Warning: This action is recommended against and is usually not required. In all cases, first check with the Kicksecure ™ developers.

To deactivate sdwdate, run:

sudo service sdwdate stop

sudo systemctl mask sdwdate

Footnotes

  1. Due to invalid (not yet or no longer valid) TLS certificates.
  2. Similarly, if users suspend or save the Kicksecure ™ state, the clock will again lag behind the correct value. This can be manually fixed by running: Start Menu → Applications → System → Time Synchronization Monitor (sdwdate-gui) → restart sdwdate.
  3. Qubes does not dispatch the /etc/qubes/suspend-post.d / /etc/qubes/suspend-pre.d hooks upon pause / resume using Qube Manager.
  4. https://github.com/QubesOS/qubes-issues/issues/1764
  5. Simplified in next upgrade.
    sudo sdwdate-clock-jump
  6. Mon Apr 22 04:30:44 UTC 2019
  7. A non-zero exit code signifies an error, while 0 means it succeeded.
  8. Also see:
    man clock-random-manual-gui
    man clock-random-manual-cli
  9. echo "Sat Oct 26 07:18:25 UTC 2019" | /usr/bin/clock-random-manual-cli
  10. https://forums.whonix.org/t/testers-wanted-blocking-networking-until-sdwdate-finished-status-of-sdwdate-gui/5372

