Network Time Synchronization

From Kicksecure
Jump to navigation Jump to search

A reasonably accurate host clock is required for many general security properties. An inaccurate clock can lead to broken internet connectivity and time related security issues.

Introduction[edit]

It is recommended to have a host clock with accuracy of up to ± 30 minutes. Clocks that are days, weeks, months or even years slow or fast can lead to many issues such as connectivity problems with Tor, inability to download operating system upgrades. [1]

Follow the platform-specific recommendations below to avoid Tor connectivity problems and to limit possible adverse security impacts.

All Platforms[edit]

If the host clock is more than 1 hour in the past or more than 3 hours in the future, Tor cannot connect. In this case, manually fix the host clock by right-clicking on it, and also check for an empty battery.

  • If using Kicksecure as a host operating system: Reboot. (Easiest.)
  • If using a VM: Then, power off and power on Kicksecure and Tor should be able to reconnect.
  • Due to Block Networking until sdwdate Finishes if Tor failed or took too long to connect, then you need to fix Tor connection first and then restart your sdwdate sudo systemctl restart sdwdate in your VM/Qube.

Easy instructions[edit]

Kicksecure in VMs or as a host operating system: It is strongly discouraged to use the pause / suspend / save / hibernate features.

Kicksecure for Qubes VMs: It is strongly discouraged to use the pause feature of Qube Manager, but it is is safe to use the suspend or hibernate feature of dom0.

Advanced instructions[edit]

If you are interested in using the pause / suspend / save / hibernate features, please click the expand button for further instructions.

Kicksecure as a host operating system or VM:

  • It is strongly discouraged to pause / suspend / save / hibernate Kicksecure. If this advice is ignored, restart sdwdate after resume. [2]

Kicksecure-Qubes:

  • VM: It is strongly discouraged to pause Kicksecure VMs using the pause feature of Qube Manager. If this advice is ignored, restart sdwdate after resume. [3]
  • dom0 suspend / hibernate: It is safe to use the suspend or hibernate feature of dom0 and a manual restart of sdwdate is unnecessary. [4]

Restart sdwdate[edit]

To restart sdwdate.

Start MenuApplicationsSystemTime Synchronization Monitor (sdwdate-gui)restart sdwdate

Or in a terminal. [5]

sudo /usr/lib/sdwdate/restart_fresh

Manually Set Clock Time and Date[edit]

Usually not required.

In case sdwdate fails to properly randomize the system clock, it is possible to manually set a random value.

The first step should be completed on the host to ensure the host clock is set to the correct time.

1. On the host (Kicksecure-Qubes: dom0), run the following command to report the time in UTC.

date -u

The output should be similar to the following. [6]

Mar 28 08:59:44 UTC 2024

2. Set the correct time in Kicksecure.

Run the following command with the correct date and time parameters. [7] [8]

  • clock-random-manual-gui: a randomized clock setting (in UTC) is entered via a GUI.
  • clock-random-manual-cli: a randomized clock setting (in UTC) is entered on the command line. For example [9]:

echo "Mar 28 08:59:44 UTC 2024" | sudo clock-random-manual-cli

3. Restart sdwdate.

sudo service sdwdate restart

4. If Tor is still not functional, try restarting Tor.

sudo service tor restart

Tor should work once correct clock values are set, but that can be manually tested with systemcheck.

Block Networking until sdwdate Finishes[edit]

sdwdate is a Tor-friendly replacement for rdate and ntpdate that sets the system's clock by communicating via end-to-end encrypted TCP with Tor onion webservers. Since timekeeping is crucial for security, blocking network access until sdwdate succeeds is sensible. [10]

Note: When using this feature, there will be no internet connectivity until sdwdate succeeded which could take approximately 2 minutes.

How to enable this feature? Unsupported. This feature is has not been implemented yet for Kicksecure. Developers are welcome to contribute to Kicksecure.

Summary[edit]

Table: Network Time Synchonization Summary

Platform Recommendations
All Platforms
  • Tor cannot connect if the host clock is grossly inaccurate. In this case, users should manually fix the host clock before powering the Kicksecure off and on again.
  • Periodically check the host clock to ensure that it is accurate or approximately so.
  • For greater security, block networking until sdwdate finishes.
Kicksecure
  • It is strongly discouraged to use the pause / suspend / save / hibernate features.
Kicksecure-Qubes
  • It is strongly discouraged to use the pause feature of Qube Manager.
  • it is is safe to use the suspend or hibernate feature of dom0.

Appendix[edit]

Deactivate Automatic TimeSync[edit]

Warning: This action is recommended against and is usually not required. In all cases, first check with the Kicksecure developers.

To deactivate sdwdate, run.

sudo service sdwdate stop

sudo systemctl mask sdwdate

Related[edit]

Footnotes[edit]

  1. Due to invalid (not yet or no longer valid) TLS certificates.
  2. Similarly, if users suspend or save the Kicksecure state, the clock will again lag behind the correct value. This can be manually fixed by running: Start MenuApplicationsSystemTime Synchronization Monitor (sdwdate-gui)restart sdwdate.
  3. Qubes does not dispatch the /etc/qubes/suspend-post.d / /etc/qubes/suspend-pre.d hooks upon pause / resume using Qube Manager.
  4. https://github.com/QubesOS/qubes-issues/issues/1764archive.org
  5. Simplified in next upgrade. sudo sdwdate-clock-jump
  6. Mon Apr 22 04:30:44 UTC 2019
  7. A non-zero exit codes signifies an error, while 0 means it succeeded.
  8. Also see: man clock-random-manual-gui man clock-random-manual-cli
  9. echo "Sat Oct 26 07:18:25 UTC 2019" | /usr/bin/clock-random-manual-cli
  10. https://forums.whonix.org/t/blocking-networking-until-sdwdate-finished/5372archive.org

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!