Authentication - users and protocols
TimeKeeper supports several login and authentication protocols. The web interface, when used on a TimeKeeper client, does not require local accounts on the system. On TimeKeeper Grandmasters, there are local system accounts that can be used for web, SSH and console logins. These and external accounts can be configured for remote authentication with RADIUS and TACACS+. This section and this one cover the specifics of each of these types of logins and how they are authenticated.
Web interface authentication
For details on web authentication on TimeKeeper Grandmasters, please refer to this. In this section, we’ll cover web authentication on non-Grandmaster installations of TimeKeeper: clients, servers, boundary clocks, etc.
Admin web user
When the web interface is enabled, users can log in with an “admin” account, with the default password “timekeeper”. Note: In earlier versions of TimeKeeper the default password was “fsmlabs”. This account is internal to TimeKeeper and is not a local system (Windows/Linux) account that can be logged into. On Grandmasters, TimeKeeper has a local system account, detailed here.
Logging in as admin will allow you to manage all aspects of TimeKeeper, including visualization, service management, configuration, and other supported options. For a more limited login, refer to the next section on the readonly user.
Readonly web user
A more limited readonly account is also available; the admin user configures it via the web interface. The readonly user can log in and review TimeKeeper data, but cannot reconfigure or manage the system.
By default, the read-only user feature is present but not configured and cannot be used. To configure the readonly user, log in as admin. Select the Configuration tab, then select the Service & System Management subtab. The Set readonly password button will allow you to configure a password for the read-only user, which will be named readonly.
TimeKeeper supports NTP MD5 symmetric-key authentication. The path for the keys file on Linux is /etc/ntp/keys; on Windows, %ProgramData%\timekeeper\ntp.keys. The format of the keys file on Windows is the same as on Linux. On non-Grandmasters, it is up to the user to manage and secure this file.
To configure the keys on TimeKeeper Grandmasters, log in as the admin user via keyboard/monitor, RS232 console, or SSH, and run timekeeper_cli. Select the “Configure NTP MD5 Keys” option to add or remove keys.
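Because non-Grandmaster installations leave the keys file to the user to manage and secure, the following added example (not part of TimeKeeper or its documentation) audits a keys file on Linux for loose permissions and weak or duplicate entries. It assumes the standard ntpd layout of `<id> <type> <secret>` per line; `audit_keys_file`, `MIN_SECRET_LEN` and the sample keys are constructed for illustration.

```python
import os
import stat
import sys
import tempfile

# Assumption: standard ntpd keys layout, one key per line: "<id> <type> <secret>",
# with '#' starting a comment. MIN_SECRET_LEN is a constructed threshold.
MIN_SECRET_LEN = 8
MD5_TYPES = {"M", "MD5"}
SAMPLE = "# constructed sample\n1 M Zq7rT2pLw9Xc\n2 M short\n2 SHA1 0123456789abcdef\n"

def audit_keys_file(path, expected_uid=0):
    """Return findings for an NTP symmetric-key file; secrets are never echoed."""
    findings = []
    st = os.stat(path)
    # POSIX mode bits only; on Windows review the file's ACL instead.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants access beyond the owner" % stat.S_IMODE(st.st_mode))
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    seen = set()
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            fields = raw.split("#", 1)[0].split()
            if not fields:
                continue  # blank line or comment
            if len(fields) != 3 or not fields[0].isdigit() or int(fields[0]) < 1:
                findings.append("line %d: malformed entry" % lineno)
                continue
            key_id, key_type, secret = int(fields[0]), fields[1].upper(), fields[2]
            if key_id in seen:
                findings.append("line %d: duplicate key id %d" % (lineno, key_id))
            seen.add(key_id)
            if key_type not in MD5_TYPES:
                findings.append("line %d: key %d has type %s, not MD5" % (lineno, key_id, key_type))
            if len(secret) < MIN_SECRET_LEN:
                findings.append("line %d: key %d secret shorter than %d characters" % (lineno, key_id, MIN_SECRET_LEN))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:   # audit a real file, e.g. /etc/ntp/keys
        target, uid = sys.argv[1], 0
    else:                   # no argument: audit the constructed sample
        fd, target = tempfile.mkstemp()
        os.write(fd, SAMPLE.encode())
        os.close(fd)
        uid = os.getuid()
    for finding in audit_keys_file(target, uid):
        print("%s: %s" % (target, finding))
```

Run it with the keys file path as the only argument; with no argument it audits the constructed sample from a temporary file.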