stsd - Secure Time Sync Daemon
==============================

Set the system date based on HTTP 'Date' headers fetched over TLS. Inspired by Whonix's sdwdate and Madaidan's secure-time-sync script.

What's wrong with NTP?
----------------------

Standard NTP does not make use of any kind of cryptography: no encryption, no authentication. This means NTP requests can be sniffed and tampered with to send a system the wrong time [1]. Correct system time is essential for modern public key cryptography (TLS/SSL, for example): certificate validity periods and OCSP/CRL freshness are all checked against the local clock, so whoever controls the clock can make an expired or revoked certificate look valid. stsd aims to overcome these shortcomings of NTP and provide a secure way of keeping a system's time accurate.

How it works
------------

At random intervals (between 60 and 180 minutes) stsd sets the system time based on the timestamp extracted from the HTTP 'Date' header (RFC 2616, now RFC 7231) of a response fetched over TLS. The website it gets this header from is randomly selected from a pool file. Optionally stsd can do all of this over Tor, favouring onion addresses specified in the pool file.

Caveats
-------

Currently stsd does a lot of things that are generally not ideal for security-critical software:

- It must be run as root, since on most systems only root can change the system's date.
- It shells out to date(1) to update the system time.

Note that stsd is currently in a very pre-alpha state - in the future it is possible that these pitfalls in stsd's design can be remedied.

Two further limitations are inherent to the approach rather than to the current code:

- The HTTP 'Date' header has one-second resolution and is stamped before the response crosses the network, so the result is only accurate to about a second plus latency. That is enough for certificate validation, but it is not a replacement for NTP where sub-second accuracy matters.
- TLS certificate validation itself needs a roughly correct clock. A system whose clock is off by enough that every certificate looks expired or not yet valid must be corrected some other way before stsd can fetch its first trusted timestamp.

OS support
----------

As mentioned previously, stsd works by shelling out to date(1) to set the system time; as a side effect of this, all systems with a POSIX-compliant date(1) command are supported. This includes:

- macOS
- {Net,Free,DragonFly,Open}BSD
- Most Linux distributions

Usage
-----

    usage: stsd [--pool-file=file] [--use-proxy=proxy | --use-tor[=proxy]]

    where:
      --pool-file=file   use the specified pool file (default: /etc/stsd_pool).
      --use-proxy=proxy  proxy network requests through 'proxy' url.
      --use-tor          use tor for network requests. favours onion addresses
                         from the pool file. tor's proxy url can be configured
                         by passing it as an argument to the flag:
                         '--use-tor=proxy' (default tor proxy url:
                         'socks5://localhost:9050')

--use-proxy and --use-tor are mutually exclusive.

Pool file format
----------------

The pool file contains a newline-separated list of HTTPS URLs. Each URL can optionally have an associated onion address, which is favoured over the clearnet address when the --use-tor argument is given. Each line in the file is of the format:

    <url>[,onion]

Empty lines and lines starting with '#' are ignored. An example pool file (stsd_pool_example) is also provided.

Forcing an update
-----------------

Sending stsd the SIGUSR1 signal forces a date update. Currently this does not cancel the next scheduled date update.

See also
--------

If you use OpenBSD's OpenNTPD, it is possible to set 'constraint' URLs. These tell ntpd to use HTTPS 'Date' headers as an authenticated constraint: NTP packets falling outside the range of the constraint are discarded and the NTP servers sending them are marked invalid [2]. This strikes a good balance between the accuracy of NTP and authentication via TLS.

sdwdate: https://www.whonix.org/wiki/Sdwdate
secure-time-sync: https://gitlab.com/madaidan/secure-time-sync

References
----------

1: https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html
2: https://man.openbsd.org/ntpd.conf#CONSTRAINTS (https://openntpd.org/)
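The pool-file parsing, onion preference and Date-header fetch described in "How it works" and "Pool file format" above, as an added Go example. This is not stsd's own code: the type and function names are this example's, the pool lines are constructed, and the TLS server is a loopback httptest fixture standing in for a real pool member so the block runs offline. Setting the clock via date(1) is deliberately left out; the block stops at computing the offset.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// PoolEntry is one pool-file line: a clearnet HTTPS URL plus an optional onion
// address. (Names in this example are its own, not stsd's.)
type PoolEntry struct {
	URL   string
	Onion string
}

// ParsePool reads the "<url>[,onion]" format. Blank lines and '#' comments are
// skipped; anything that is not an https:// URL is rejected so a typo in the
// pool cannot silently downgrade the fetch to plaintext HTTP.
func ParsePool(r io.Reader) ([]PoolEntry, error) {
	var pool []PoolEntry
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		url, onion, _ := strings.Cut(line, ",")
		url, onion = strings.TrimSpace(url), strings.TrimSpace(onion)
		if !strings.HasPrefix(url, "https://") {
			return nil, fmt.Errorf("pool line %d: %q is not an https:// URL", n, url)
		}
		pool = append(pool, PoolEntry{URL: url, Onion: onion})
	}
	return pool, sc.Err()
}

// Pick selects a random pool member and returns the address to contact: the
// onion address when useTor is set and one is listed, otherwise the clearnet URL.
func Pick(pool []PoolEntry, useTor bool, rng *rand.Rand) (string, error) {
	if len(pool) == 0 {
		return "", fmt.Errorf("pool is empty")
	}
	e := pool[rng.Intn(len(pool))]
	if useTor && e.Onion != "" {
		return e.Onion, nil
	}
	return e.URL, nil
}

// RemoteTime sends a HEAD request and parses the Date header (HTTP-date, one
// second resolution). The returned local time is the midpoint of the round
// trip, the best available guess of when the server stamped the header.
func RemoteTime(client *http.Client, url string) (remote, local time.Time, err error) {
	start := time.Now()
	resp, err := client.Head(url)
	if err != nil {
		return
	}
	resp.Body.Close()
	end := time.Now()
	raw := resp.Header.Get("Date")
	if remote, err = http.ParseTime(raw); err != nil {
		err = fmt.Errorf("bad Date header %q: %w", raw, err)
		return
	}
	local = start.Add(end.Sub(start) / 2)
	return
}

// Offset is the correction to apply to the local clock (positive: local is behind).
func Offset(remote, local time.Time) time.Duration { return remote.Sub(local) }

// DemoRemoteTime runs a loopback TLS server (a constructed fixture, not a real
// pool member) whose Date header is pinned to the RFC 2616 example value, and
// fetches it with a client that trusts the fixture's self-signed certificate.
func DemoRemoteTime() (time.Time, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Date", "Sun, 06 Nov 1994 08:49:37 GMT") // net/http keeps a handler-set Date
	}))
	defer srv.Close()
	remote, _, err := RemoteTime(srv.Client(), srv.URL)
	return remote, err
}

func main() {
	pool, err := ParsePool(strings.NewReader("# constructed pool\nhttps://example.com,exampleonion.onion\n\nhttps://www.openbsd.org\n"))
	if err != nil {
		panic(err)
	}
	target, _ := Pick(pool, true, rand.New(rand.NewSource(time.Now().UnixNano())))
	remote, err := DemoRemoteTime()
	if err != nil {
		panic(err)
	}
	fmt.Println("target:", target, "remote clock:", remote.UTC(), "offset:", Offset(remote, time.Now()))
}
```

Against a real pool member the client would be built with the configured proxy (a SOCKS5 transport for --use-tor) instead of the fixture's `srv.Client()`, and the offset would be applied through date(1) by a privileged parent, as the privilege-separation discussion below outlines.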
Comments
-
Use unprivileged subprocess to make network requests
Running the entire daemon as root is not ideal. We want to implement privilege separation as much as possible.
Ideas I've had:
Option 1:
- Daemon runs as unprivileged user
- Shell out to sudo/doas to run date command
One downside to this option is that it requires the user to modify their sudo configuration. Also some systems don't come with sudo or similar, so I think it should be avoided.
Option 2:
- Daemon (parent) runs as root
- Fork child process to run as unprivileged user
- Child process does all the internal work, waiting, network requests, etc
- Via some IPC it tells the parent to use privileges to shell out to date to set time
This is similar to what OpenNTPD does. This option requires an unprivileged user to be set up for the daemon - but this isn't uncommon.
Edit: It looks like a C-style fork() in Golang is a bit tricky. But it might still be doable?
-
Time not syncing accurately
After running overnight, I noticed my time is a few seconds (2-5) off from my phone.
Perhaps that means it needs to update the time more often, maybe every 64-1024 seconds like NTP?
-
Add back SIGUSR1 to force time update
Sending SIGUSR1 should force a time update. Due to the major restructuring of the codebase to accommodate the child network process, this feature was temporarily removed.