Authentication - users and protocols

There are several login and authentication protocols supported by TimeKeeper. The web interface, when used on a TimeKeeper client, does not require local accounts on the system. On TimeKeeper Grandmasters, there are local system accounts that can be used for web, SSH and console logins. These and external accounts can be configured for remote authentication with RADIUS and TACACS+. This section and the “Grandmaster authentication - users and protocols” section cover the specifics of each of these types of logins and how they are authenticated.

Web interface authentication

For details on web authentication on TimeKeeper grandmasters, please refer to the section, “Web interface authentication.” In this section, we’ll cover web authentication on non grandmaster installations of TimeKeepers - clients, servers, boundary clocks, etc.

Admin web user

When the web interface is enabled, users can log in with an “admin” account, with the default password “timekeeper”. Note: In earlier versions of TimeKeeper the default password was “fsmlabs”. This account is internal to TimeKeeper and is not a local system (Windows/Linux) account that can be logged into. On Grandmasters, TimeKeeper has a local system account, detailed in the section, “Grandmaster authentication - users and protocols.”

Logging in as admin will allow you to manage all aspects of TimeKeeper, including visualization, service management, configuration, and other supported options. For a more limited login, refer to the next section on the readonly user.

Readonly web user

A more limited user is also available with the readonly account that can be configured by the admin user via the web interface. The readonly user can log in and review TimeKeeper data, but cannot reconfigure or manage the system.

By default, the read-only user feature is present but not configured and cannot be used. To configure the readonly user, log in as admin. Select the Configuration tab, then select the Service & System Management subtab. The Set readonly password button will allow you to configure a password for the read-only user, which will be named readonly.

PAM authentication

To allow user logins with the PAM user name and password for Linux clients (non-Grandmaster installations), enable the ENABLE_PAM_AUTH parameter in the TimeKeeper configuration file. ENABLE_PAM_AUTH is supported only on Linux. Note that if the user is admin or readonly, they will not be authenticated via PAM. When the user successfully validates with PAM, they will have limited access, similar to the readonly account for the web interface. This feature enables LDAP authentication in the web interface on Linux.

TimeKeeper leverages PAM through the sshd config (typically /etc/pam.d/sshd) and will use this service for authentication. You can validate the LDAP-authenticated login using SSH as follows:

# ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no user@localhost

Issue this command on the TimeKeeper host that intends to allow LDAP-authenticated web logins.

NTP authentication

TimeKeeper supports NTP MD5 symmetric-key authentication. The path for the keys file on Linux is /etc/ntp/keys; on Windows, %ProgramData%\timekeeper\ntp.keys. The format of the keys file on Windows is the same as on Linux. On non-Grandmasters, it is up to the user to manage and secure this file.

To configure the keys on TimeKeeper Grandmasters, login as the admin user via keyboard/monitor, RS232 console, or ssh, and run timekeeper_cli. Select the “Configure NTP MD5 Keys” option to add or remove keys.