Absolute BSD - The Ultimate Guide To FreeBSD (2002).pdf

X11Forwarding: This option controls whether or not clients can forward the graphics from X programs to their client workstations. Since X has had such a long history of security issues, many admins disable this without a second thought. Third-party X11 forwarders are available, however, and could be installed by anyone with shell access. Also, denying X11 forwarding doesn't stop someone from manually forwarding X over unencrypted TCP/IP. While this option defaults to no, if you have shell users you might as well turn it on.

System Time

Your users will expect the computer to know what time it is. If a database starts entering dates three hours behind, or if emails arrive from tomorrow, you'll hear about it pretty quickly. You have three tools for managing system time: tzsetup(8) for the time zone, and the network time protocol tools ntpdate(8) and ntpd(8). Set your time zone before you do anything else.

Setting the Time Zone

The time zone is simple to set with tzsetup(8), a menu-driven program that will make the appropriate changes on your system. Large companies might use a default of Greenwich Mean Time on their systems, while others use their own local time. Follow the geographic prompts and choose the appropriate time zone for your situation.

Network Time Protocol

When using network time protocol (NTP), each system states its system time on request. Clients can accept this time and match it, or they can use times from several different systems to compute an average time. The average time is the best for long-term use.

Network time protocol requires the use of time servers, and many Internet servers provide a time service accessible to the public. The servers are roughly lumped into two types, Tier 1 and Tier 2.

Time Server Tiers

Tier 1 clocks are directly connected to some highly accurate time-keeping device, such as an atomic clock. They are designed to be absurdly accurate. If you need this sort of accuracy, then what you really need is your own atomic clock. Prices have dropped quite a bit in the recent past; a reasonably good atomic clock can be had for only thousands of dollars. You can also use other systems, such as a radio clock, if the time lag caused by the speed-of-light delay is acceptable. If you don't need this accuracy in your timekeeping, look at the Tier 2 servers.

Tier 2 NTP servers feed off of the Tier 1 servers, providing their time service as a public service. This service is accurate to within a fraction of a second, and is more than good enough for almost all applications. Some digging will even lead you to Tier 3 time servers, which feed off of Tier 2 servers. While you should use the lowest tier number you can, any Internet server will be perfectly happy getting its time from either a Tier 2 or 3 server.

If you do a Web search for NTP servers, you'll quickly find an up−to−date list of public NTP servers. For each of your servers, pick two nearby NTP servers, and write down their names and IP addresses. We'll use them to set up ntpdate and ntpd.


Ntpdate

Ntpdate(8) connects to a single NTP server, grabs the correct date, sets the system clock correctly, and exits. While you would normally run ntpdate only once, usually at system boot, you can run it easily at the command line, giving ntpdate the name or IP address of an NTP server:

...............................................................................................
# ntpdate kerberos.digex.net
30 Sep 17:30:44 ntpdate[616]: step time server 204.91.99.129 offset -35.707691 sec
#
...............................................................................................

As you can see here, the system time was off by about 35 seconds, but it is now synchronized with the NTP server kerberos.digex.net.

Ntpdate at Boot

You can run ntpdate at boottime with the following flags, giving the name of the time server you want:

...............................................................................................
ntpdate_enable="YES"
ntpdate_flags="timeserver.AbsoluteBSD.com"
...............................................................................................

Note: Do not do this on a busy server with time-sensitive programs, such as database servers! If all of your times suddenly jump by an hour or two, your database administrator or clients will be most annoyed.
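The ntpdate report line shown above is the only record the system leaves of how far the clock was moved, and the note warns about exactly the case where that movement is large. As an added example (not code from the book), the following Python parses such report lines from a log and picks out every clock change beyond a threshold, which is what you would want to watch for on a database or log server. The sample log lines other than the first are constructed; the "adjust" form of the line is assumed from ntpdate's behaviour when it slews a small offset rather than stepping it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One report line from ntpdate(8). "step" means the clock was jumped to the
# server's time; "adjust" is the form ntpdate uses when it slews a small
# offset instead (assumption: taken from ntpdate's behaviour, not from the book).
NTPDATE_LINE = re.compile(
    r"^(?P<stamp>\d{1,2} [A-Za-z]{3} \d{2}:\d{2}:\d{2}) ntpdate\[(?P<pid>\d+)\]: "
    r"(?P<action>step|adjust) time server (?P<server>\S+) "
    r"offset (?P<offset>[-+\u2212]?\d+(?:\.\d+)?) sec$"
)


@dataclass
class ClockChange:
    stamp: str
    server: str
    action: str      # "step" or "adjust"
    offset: float    # seconds the clock was moved; negative = set backwards


def parse_ntpdate_line(line: str) -> Optional[ClockChange]:
    """Return the ClockChange described by an ntpdate report line, or None."""
    m = NTPDATE_LINE.match(line.strip())
    if m is None:
        return None
    # Some PDF extractions replace "-" with the Unicode minus sign; normalise it.
    offset = float(m.group("offset").replace("\u2212", "-"))
    return ClockChange(m.group("stamp"), m.group("server"), m.group("action"), offset)


def large_clock_jumps(lines: Iterable[str], threshold_sec: float = 1.0) -> List[ClockChange]:
    """Pick out every clock change larger than threshold_sec, in log order.

    A jump this size silently reorders timestamps in databases, logs and
    authentication tickets, which is what the note above warns about.
    """
    hits = []
    for line in lines:
        change = parse_ntpdate_line(line)
        if change is not None and abs(change.offset) > threshold_sec:
            hits.append(change)
    return hits


# Constructed sample log: the first line is the one shown in the book (with an
# ASCII minus sign); the rest are made up for this example.
SAMPLE_LOG = [
    "30 Sep 17:30:44 ntpdate[616]: step time server 204.91.99.129 offset -35.707691 sec",
    "1 Oct 03:00:01 ntpdate[812]: adjust time server 204.91.99.129 offset 0.004218 sec",
    "2 Oct 03:00:01 ntpdate[901]: step time server 204.91.99.129 offset 3601.210000 sec",
    "2 Oct 03:00:02 sshd[905]: unrelated line that the parser must ignore",
]

if __name__ == "__main__":
    for change in large_clock_jumps(SAMPLE_LOG):
        print(f"{change.stamp}: {change.action} of {change.offset:+.3f} s via {change.server}")
```

Run against a real log, the default one-second threshold flags the 35-second step from the book and the constructed one-hour step, while the 4 ms adjustment passes unnoticed; raise the threshold if your boot-time ntpdate routinely corrects a few seconds of drift.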

Ntpdate Flaws

Ntpdate checks the time once, and never again. If your system has hardware problems, the system time can slowly fall out of sync. While this isn't a concern on desktop operating systems, it is a problem for machines that are expected to be up for months or years. On long-lived systems, you want to either run ntpdate on a regular basis or use ntpd.

Ntpd

Ntpd(8) intermittently checks the system time against a list of time servers. It takes a reasonable average of those times, and slowly adjusts the system time to match the average. If any of those time servers is badly off from the others, it discards that value. This gives you the most accurate system time possible, without demanding too much from any one server, and it helps keep errant hardware in check.
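As an added illustration (not code from the book or from ntpd itself), here is a small Python model of the behaviour just described: offsets reported by several servers are compared, the one that disagrees with the rest is discarded, the survivors are averaged, and a small error is slewed gradually rather than stepped the way ntpdate does. The hostnames and offsets are constructed, the median-based outlier test is a deliberate simplification of ntpd's own selection algorithm, and the 128 ms step threshold and 500 ppm slew limit are ntpd's documented defaults.

```python
import statistics
from typing import Dict, List, Tuple

# ntpd's documented defaults: offsets above 128 ms are stepped, smaller ones are
# slewed at no more than 500 parts per million (0.5 ms per second of wall time).
STEP_THRESHOLD = 0.128
MAX_SLEW_RATE = 500e-6


def select_truechimers(offsets: Dict[str, float], max_deviation: float = 0.5) -> Tuple[Dict[str, float], List[str]]:
    """Split servers into those that agree with the majority and those that do not.

    Agreement is measured against the median offset, which one wildly wrong
    server cannot drag around the way a plain mean can. This median test is a
    deliberate simplification of ntpd's own intersection/clustering algorithm.
    """
    if not offsets:
        return {}, []
    median = statistics.median(offsets.values())
    kept = {srv: off for srv, off in offsets.items() if abs(off - median) <= max_deviation}
    dropped = [srv for srv in offsets if srv not in kept]
    return kept, dropped


def combined_offset(offsets: Dict[str, float], max_deviation: float = 0.5) -> float:
    """Average the surviving servers' offsets; refuse to act if none survive."""
    kept, _ = select_truechimers(offsets, max_deviation)
    if not kept:
        raise ValueError("no time servers agree with one another; not adjusting the clock")
    return statistics.fmean(kept.values())


def slew_schedule(offset: float, max_rate: float = MAX_SLEW_RATE, poll_interval: float = 64.0) -> List[float]:
    """Remaining clock error after each poll interval when the error is slewed.

    Unlike a step, a slew keeps the clock monotonic: each interval removes at
    most max_rate * poll_interval seconds of error.
    """
    per_interval = max_rate * poll_interval
    remaining = offset
    trace = []
    while abs(remaining) > 1e-9:
        correction = max(-per_interval, min(per_interval, remaining))
        remaining -= correction
        trace.append(round(remaining, 6))
    return trace


def plan_correction(offset: float, step_threshold: float = STEP_THRESHOLD) -> Tuple[str, List[float]]:
    """Decide, as ntpd does, whether an offset is stepped or slewed."""
    if abs(offset) > step_threshold:
        return "step", [0.0]          # one abrupt jump, like ntpdate's "step time server"
    return "slew", slew_schedule(offset)


# Constructed offsets (seconds by which each server says our clock is wrong);
# the hostnames are placeholders, and the last one is deliberately an outlier.
SAMPLE_OFFSETS = {
    "ntp1.example.net": 0.012,
    "ntp2.example.net": -0.008,
    "ntp3.example.net": 0.021,
    "broken.example.net": 3599.9,
}

if __name__ == "__main__":
    kept, dropped = select_truechimers(SAMPLE_OFFSETS)
    print("discarded:", dropped)
    mode, trace = plan_correction(combined_offset(SAMPLE_OFFSETS))
    print(mode, trace)
```

The point of the model is the two safeguards the book attributes to ntpd: a single server that is an hour off is thrown away instead of pulling the average an hour off with it, and a correction of a few milliseconds is spread over poll intervals, so no program on the machine ever sees the clock jump.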

Ntpd Versions

The original time protocol daemon was called ntpd; the improved version found in FreeBSD is technically known as xntpd. Since the original has long since faded into obscurity, everywhere you look on the system xntpd is known as ntpd. Don't be confused by this.
