Product Description

Single sign-on is the holy grail of network administration, and Kerberos is the only game in town. Microsoft, by integrating Kerberos into Active Directory in Windows 2000 and 2003, has extended the reach of Kerberos to all networks large or small. Kerberos makes your network more secure and more convenient for users by providing a single authentication system that works across the entire network. One username; one password; one login is all you need. Fortunately, help for administrators is on the way. Kerberos: The Definitive Guide shows you how to implement Kerberos for secure authentication. In addition to covering the basic principles behind cryptographic authentication, it covers everything from basic installation to advanced topics like cross-realm authentication, defending against attacks on Kerberos, and troubleshooting. In addition to covering Microsoft's Active Directory implementation, Kerberos: The Definitive Guide covers both major implementations of Kerberos for Unix and Linux: MIT and Heimdal. It shows you how to set up Mac OS X as a Kerberos client. The book also covers both versions of the Kerberos protocol that are still in use: Kerberos 4 (now obsolete) and Kerberos 5, paying special attention to the integration between the different protocols, and between Unix and Windows implementations. If you've been avoiding Kerberos because it's confusing and poorly documented, it's time to get on board! This book shows you how to put Kerberos authentication to work on your Windows and Unix systems.

Product Details

• Amazon Sales Rank: #231031 in Books
• Published on: 2003-12-15
• Format: Illustrated
• Original language: English
• Number of items: 1
• Binding: Paperback
• 270 pages

About the Author
Jason Garman is currently working with computer forensics for the national defense and intelligence communities at Aegis Research Corporation. Previously, he worked at several biotech firms in the Washington, DC area where he helped clients design and implement secure yet easy to use research networks. Jason enjoys working with the practical application of tools and techniques to solve computer and network security problems.

Customer Reviews

Will Get You Up and Running (1stEd)
First I would like to justify my 5 star rating. This book helped me out of a nasty multi-homed host and DNS problem when no other source could. Without this book I would have been troubleshooting this issue for days. I feel the book has paid for itself.

However, I wouldn't consider this "The Definitive Guide." It lacks documentation on the krb5.conf configuration file. I found myself referencing the krb5.conf(5) man page for additional info. Also, the documentation that comes with Heimdal is a very good good source for configuration settings.

Another deficiency is the GSSAPI coverage. I did have some trouble setting up my GSSAPI aware SSH with Kerberos. I found myself digging through the ssh man pages and doing some trial and error. Chapter 7 discusses Kerberos enabled applications. SSH is covered there, but I felt the GSSAPI aspect was lacking. Although the author mentions that GSSAPI is not specific to any authentication method and is somewhat out of place in a Kerberos book, I feel this is where the author could have went the extra mile and claimed the right to the title "The Definitive Guide." There are many Kerberized applications today not mentioned in Chapter 7. It would be nice to see a second edition that covers them.

What this book has that you will not find in any other single source is comprehensive coverage of the history, protocols, and implementation of Kerberos complete with diagrams. From a security standpoint, this will really help you understand what is going on in your network. For example, when setting up my firewall rules and NIDS, I really had a grasp on what traffic was going where and what needed to be blocked/detected.

Chapter 6, Security, is very comprehensive and outlines various root compromises, dictionary and brute-force, replay, and man-in-the-middle attacks. It also details the importance of pre-authentication in Kerberos V as well as best practices to protect your key distribution center (KDC).

My Kerberos network is a 10 host homogeneous OpenBSD network running the Heimdal Kerberos V version 0.7.2. Although this book covers the older Heimdal 0.6, it was still very relevant. It also covers the MIT 1.3 implementation (MIT is currently at version 1.6.3). Although this book was published in 2003, it is still worth its price brand new in 2008.

Good Starting Point
This has very superb explanations about the Kerberos authentication concepts. As a Windows system administrator, this has helped me immensely in understanding what's under the hood of Active Directory.

In delving into Windows-Linux interoperability experiments, this book was invaluable in presenting different scenarios. I decided to be bold and try have Linux directly authenticate to Windows Server 2003 KDC using information from Chapter 8 "Advanced Topics". I was able to learn the concepts and get started, but I ran into problems:

First the example (page 179) for exporting keytabs doesn't work with Windows 2003, as you need to use "nt4domain\unixhost" for ktpass -mapuser option.

Secondly, there's no coverage on what to do with these keytab files on the Unix side. I found later (googling) that I needed to install them using the kutil command.

Thirdly, there could have references to material on how to test and re-configure Linux to use Kerberos instead of shadow passwd system. "Chapter 7: Applications" covers this, but references to the PAM modules are rather outdated. There should have been detail on how to configure GDM, KDM, and xscreensaver to use Kerberos.

Lastly, I found is that troubleshooting presented earlier in Chapter 5 grossly needs to be expanded. I got specific error messages, and would have liked to see more specifics included. (Fortunately googling again help find some pointers)

Overall this book is great spring board, but as it is outdated and in some ways incomplete, you need to scour the Internet for the complete solution. Still, I honestly don't know how I could have gotten there without this book.

Kerberos intimidates a lot of people, don't be one of them
I got started using Kerberos many moons ago, at my university. This is probably how many people got to know about it. While I didn't use it very much, it's there that I learned the basics and experimented a bit with Kerberos. Interest in it took off after Microsoft incorporated Kerberos authentication mechanisms into Windows 2000. Suddenly it wasn't such arcane knowledge.

Two open source Kerberos implementations exist, the MIT reference implementation, and the Heimdal Kerberos implementation. Even then, there are two main versions which you can find, Kerberos IV and Kerberos V. Kerberos IV went away for most environments with the passing of the Y2K mark, but some legacy apps need support. So, you still have to deal with it on occasion.

In writing Secure Architectures with OpenBSD, I got a lot more intimate with Kerberos, and even set up a decently sized realm in my house. Hence, I got to experience the turmoil of setup and debugging. A book like Kerberos: The Definitive Guide (K:TDG) would have been very welcome. Instead, I slogged my way through it, and got it to work for the most part.

K:TDG will help you set up your Kerberos world by introducing you to the complex subject, terminology, and the pieces. Once you learn the basics, you recognize that a simple realm is actually somewhat easy to set up. The author, Jason Garman, uses a mixed Mac OS X, UNIX, and Windows environment, focusing on UNIX most of the time. The bulk of the examples deal with MIT Kerberos 5 version 1.3 (krb5-1.3) but should work for most versions. Some attention is given to the Heimdal implementation (which is integrated with BSD, for example), and for the most part you'll be OK. Windows examples are also pretty copious but always come second. If you're comfortable with UNIX, you'll easily be able to translate these into Windows examples to help bridge the Windows gaps.

Chapter 1 is an obligatory Introduction, a short chapter that introduces the key concepts of Kerberos and what the book will cover. A very quick comparison of Kerberos to DCE, SESAME, and earlier versions of Kerberos is given. This chapter serves as a nice selling point for the book, it's the type of thing you'd flip through in the book store to decide if you should buy the book or not.

Chapter 2 is a decent overview for the new user of Kerberos to the system and how it works. Kerberos is placed into its role in a AAA infrastructure - authentication, authorization, and accounting - as well as some caveats that are commonly made. You'll learn about core Kerberos features like tickets, realms, principles, instances, ticket granting tickets, and the ticket cache. A decent overview for practical purposes is given, but you will definitely want another resource if you're interested in diving headlong into Kerberos.

These pieces come together in Chapter 3, where the actual protocols are described. They're laid out for a non-cryptographer, so go elsewhere if you want to learn the real formal material behind the system. Understanding the protocols is important to understanding the service as a whole. For someone new to Kerberos, you'll probably want to spend a little more time reading this to get oriented in the Kerberos world. The chapter doesn't mess around too much and delivers a fair treatment of the material.

Chapter 4 is the meat of the book's material, setting up your implementation. It all starts with the KDC (key distribution center) and realm initialization. Again, the bulk of the treatment is on the MIT implementation on UNIX, with the Heimdal and then Windows sections following next. Slave KDCs are also introduced, which is useful for large environments. An OS X server is missing, but Kerberos clients for all three (UNIX, Windows and OS X) is given. The role of DNS is also explained well, a useful touch that's missing in some Kerberos documents I've used in the past. This chapter will get you started, and with some of the supplied documentation you should be up and running in no time.

Chapter 5 is devoted to troubleshooting, an all too familiar task for a new Kerberos administrator. Common problems, their diagnosis, and resolution are discussed. I like the presentation of this chapter and think it will be useful for most real-world situations you'll encounter.

Security concerns with Kerberos are covered in Chapter 6, which discusses concrete and abstract attacks on the Kerberos scheme. Since all of the security in Kerberos resides in your KDC hosts, obviously this covers some of the material. However, the clients can exposes your Kerberos realm to attacks, as well, and how to circumvent these problems is covered. A decent and practical chapter, and covered on both UNIX and Windows.

In Chapter 7 a number of Kerberos enabled applications are discussed. After all, you can do more than just log on locally with Kerberos, you can use remote login programs like SSH, remote access scenarios like printing, and even control X via Kerberos. While not every application that I would have liked was covered, the treatment was fair and should get you started with a number of Kerberos enabled tools in your new realm.

A strong selling point of the book is given in Chapter 8, titled Advanced Topics. Three main topics are discussed. The first is cross-realm authentication, where you have more than one separate Kerberos realm on your network but you want to have users switch between the two without creating accounts in the other. This can get tricky, and the book does a decent job of introducing it, but it's not as complete as it could be. The second main topic in this chapter is Kerberos 4 and 5 interoperability, which is relatively straightforward. Most Kerberos 5 implementations come with tools to process Kerberos 4 ticket scenarios to handle legacy applications. And finally, a really valuable section covers UNIX and Windows Kerberos interoperability, a hairy issue. Again, incomplete but strong enough that you should be able to get it working with some elbow grease. This is probably the most valuable chapter of the book, which does a decent job at the introductory level, but you'll be left to tie up a few loose ends on your own.

An obligatory case study is given in Chapter 9, where you can see a number of configuration samples and even a mixed Windows-UNIX environment. Not terribly useful when compared to chapters 4 and 8, but overall worthwhile. It may answer some of your questions, even. Chapter 10 wraps up the book with looking at Kerberos futures, which isn't all that useful, honestly. What gets more useful is the appendix, which gives an administration reference. Lots of commands are given for MIT, Heimdal and even for Windows, so you can quickly jump there to refresh your memory on a topic.

Overall this book is recommended if you need a place to start working on Kerberos, especially in a mixed environment. The MIT and Heimdal documents are a fair place to start for a UNIX only Kerberos realm, but if you find they aren't enough, this is probably the right book for you. The book's main strength is that it covers Kerberos on the three main platforms in use (Windows, OS X, and UNIX), although it could provide a deeper treatment to the mixed environment than it gives. Still, you should be able to use this as a starting point, and it's probably the best treatment I've seen so far on Kerberos setup and administration.