Kerberos: The Definitive Guide: The Definitive Guide and over one million other books are available for Amazon Kindle. Learn more

Vous voulez voir cette page en français ? Cliquez ici.

Sign in to turn on 1-Click ordering.
More Buying Choices
Have one to sell? Sell yours here
Start reading Kerberos: The Definitive Guide: The Definitive Guide on your Kindle in under a minute.

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

Kerberos: The Definitive Guide [Paperback]

Jason Garman
4.0 out of 5 stars  See all reviews (1 customer review)
List Price: CDN$ 49.99
Price: CDN$ 26.30 & FREE Shipping. Details
You Save: CDN$ 23.69 (47%)
o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o
Usually ships within 2 to 4 weeks.
Ships from and sold by Gift-wrap available.


Amazon Price New from Used from
Kindle Edition CDN $17.28  
Paperback CDN $26.30  

Book Description

Sept. 5 2003 0596004036 978-0596004033 1

Kerberos, the single sign-on authentication system originally developed at MIT, deserves its name. It's a faithful watchdog that keeps intruders out of your networks. But it has been equally fierce to system administrators, for whom the complexity of Kerberos is legendary.Single sign-on is the holy grail of network administration, and Kerberos is the only game in town. Microsoft, by integrating Kerberos into Active Directory in Windows 2000 and 2003, has extended the reach of Kerberos to all networks large or small. Kerberos makes your network more secure and more convenient for users by providing a single authentication system that works across the entire network. One username; one password; one login is all you need.Fortunately, help for administrators is on the way. Kerberos: The Definitive Guide shows you how to implement Kerberos for secure authentication. In addition to covering the basic principles behind cryptographic authentication, it covers everything from basic installation to advanced topics like cross-realm authentication, defending against attacks on Kerberos, and troubleshooting.In addition to covering Microsoft's Active Directory implementation, Kerberos: The Definitive Guide covers both major implementations of Kerberos for Unix and Linux: MIT and Heimdal. It shows you how to set up Mac OS X as a Kerberos client. The book also covers both versions of the Kerberos protocol that are still in use: Kerberos 4 (now obsolete) and Kerberos 5, paying special attention to the integration between the different protocols, and between Unix and Windows implementations.If you've been avoiding Kerberos because it's confusing and poorly documented, it's time to get on board! This book shows you how to put Kerberos authentication to work on your Windows and Unix systems.

Frequently Bought Together

Kerberos: The Definitive Guide + LDAP System Administration
Price For Both: CDN$ 52.60

  • LDAP System Administration CDN$ 26.30

Customers Who Bought This Item Also Bought

Product Details

Product Description

About the Author

Jason Garman is currently working with computer forensics for the national defense and intelligence communities at Aegis Research Corporation. Previously, he worked at several biotech firms in the Washington, DC area where he helped clients design and implement secure yet easy to use research networks. Jason enjoys working with the practical application of tools and techniques to solve computer and network security problems.

Inside This Book (Learn More)
Browse Sample Pages
Front Cover | Copyright | Table of Contents | Excerpt | Index | Back Cover
Search inside this book:

Customer Reviews

5 star
3 star
2 star
1 star
4.0 out of 5 stars
4.0 out of 5 stars
Most helpful customer reviews
4.0 out of 5 stars Concise, accurate, fair Windows coverage. June 28 2004
I purchased this book to assist in integrating Linux authentication with Active Directory. It provided about 90% of the information I needed, the rest came from the web. Offers a concise overview of Kerberos, pretty good coverage of interaction with Active Directory, and some great information on inter-realm trusts that was hard to find via Microsoft. All this talk of AD aside, plenty of high quality information here for the Open Source community.
Was this review helpful to you?
Most Helpful Customer Reviews on (beta) 3.9 out of 5 stars  10 reviews
35 of 36 people found the following review helpful
4.0 out of 5 stars Kerberos intimidates a lot of people, don't be one of them Sept. 5 2005
By jose_monkey_org - Published on
I got started using Kerberos many moons ago, at my university. This is probably how many people got to know about it. While I didn't use it very much, it's there that I learned the basics and experimented a bit with Kerberos. Interest in it took off after Microsoft incorporated Kerberos authentication mechanisms into Windows 2000. Suddenly it wasn't such arcane knowledge.

Two open source Kerberos implementations exist, the MIT reference implementation, and the Heimdal Kerberos implementation. Even then, there are two main versions which you can find, Kerberos IV and Kerberos V. Kerberos IV went away for most environments with the passing of the Y2K mark, but some legacy apps need support. So, you still have to deal with it on occasion.

In writing Secure Architectures with OpenBSD, I got a lot more intimate with Kerberos, and even set up a decently sized realm in my house. Hence, I got to experience the turmoil of setup and debugging. A book like Kerberos: The Definitive Guide (K:TDG) would have been very welcome. Instead, I slogged my way through it, and got it to work for the most part.

K:TDG will help you set up your Kerberos world by introducing you to the complex subject, terminology, and the pieces. Once you learn the basics, you recognize that a simple realm is actually somewhat easy to set up. The author, Jason Garman, uses a mixed Mac OS X, UNIX, and Windows environment, focusing on UNIX most of the time. The bulk of the examples deal with MIT Kerberos 5 version 1.3 (krb5-1.3) but should work for most versions. Some attention is given to the Heimdal implementation (which is integrated with BSD, for example), and for the most part you'll be OK. Windows examples are also pretty copious but always come second. If you're comfortable with UNIX, you'll easily be able to translate these into Windows examples to help bridge the Windows gaps.

Chapter 1 is an obligatory Introduction, a short chapter that introduces the key concepts of Kerberos and what the book will cover. A very quick comparison of Kerberos to DCE, SESAME, and earlier versions of Kerberos is given. This chapter serves as a nice selling point for the book, it's the type of thing you'd flip through in the book store to decide if you should buy the book or not.

Chapter 2 is a decent overview for the new user of Kerberos to the system and how it works. Kerberos is placed into its role in a AAA infrastructure - authentication, authorization, and accounting - as well as some caveats that are commonly made. You'll learn about core Kerberos features like tickets, realms, principles, instances, ticket granting tickets, and the ticket cache. A decent overview for practical purposes is given, but you will definitely want another resource if you're interested in diving headlong into Kerberos.

These pieces come together in Chapter 3, where the actual protocols are described. They're laid out for a non-cryptographer, so go elsewhere if you want to learn the real formal material behind the system. Understanding the protocols is important to understanding the service as a whole. For someone new to Kerberos, you'll probably want to spend a little more time reading this to get oriented in the Kerberos world. The chapter doesn't mess around too much and delivers a fair treatment of the material.

Chapter 4 is the meat of the book's material, setting up your implementation. It all starts with the KDC (key distribution center) and realm initialization. Again, the bulk of the treatment is on the MIT implementation on UNIX, with the Heimdal and then Windows sections following next. Slave KDCs are also introduced, which is useful for large environments. An OS X server is missing, but Kerberos clients for all three (UNIX, Windows and OS X) is given. The role of DNS is also explained well, a useful touch that's missing in some Kerberos documents I've used in the past. This chapter will get you started, and with some of the supplied documentation you should be up and running in no time.

Chapter 5 is devoted to troubleshooting, an all too familiar task for a new Kerberos administrator. Common problems, their diagnosis, and resolution are discussed. I like the presentation of this chapter and think it will be useful for most real-world situations you'll encounter.

Security concerns with Kerberos are covered in Chapter 6, which discusses concrete and abstract attacks on the Kerberos scheme. Since all of the security in Kerberos resides in your KDC hosts, obviously this covers some of the material. However, the clients can exposes your Kerberos realm to attacks, as well, and how to circumvent these problems is covered. A decent and practical chapter, and covered on both UNIX and Windows.

In Chapter 7 a number of Kerberos enabled applications are discussed. After all, you can do more than just log on locally with Kerberos, you can use remote login programs like SSH, remote access scenarios like printing, and even control X via Kerberos. While not every application that I would have liked was covered, the treatment was fair and should get you started with a number of Kerberos enabled tools in your new realm.

A strong selling point of the book is given in Chapter 8, titled Advanced Topics. Three main topics are discussed. The first is cross-realm authentication, where you have more than one separate Kerberos realm on your network but you want to have users switch between the two without creating accounts in the other. This can get tricky, and the book does a decent job of introducing it, but it's not as complete as it could be. The second main topic in this chapter is Kerberos 4 and 5 interoperability, which is relatively straightforward. Most Kerberos 5 implementations come with tools to process Kerberos 4 ticket scenarios to handle legacy applications. And finally, a really valuable section covers UNIX and Windows Kerberos interoperability, a hairy issue. Again, incomplete but strong enough that you should be able to get it working with some elbow grease. This is probably the most valuable chapter of the book, which does a decent job at the introductory level, but you'll be left to tie up a few loose ends on your own.

An obligatory case study is given in Chapter 9, where you can see a number of configuration samples and even a mixed Windows-UNIX environment. Not terribly useful when compared to chapters 4 and 8, but overall worthwhile. It may answer some of your questions, even. Chapter 10 wraps up the book with looking at Kerberos futures, which isn't all that useful, honestly. What gets more useful is the appendix, which gives an administration reference. Lots of commands are given for MIT, Heimdal and even for Windows, so you can quickly jump there to refresh your memory on a topic.

Overall this book is recommended if you need a place to start working on Kerberos, especially in a mixed environment. The MIT and Heimdal documents are a fair place to start for a UNIX only Kerberos realm, but if you find they aren't enough, this is probably the right book for you. The book's main strength is that it covers Kerberos on the three main platforms in use (Windows, OS X, and UNIX), although it could provide a deeper treatment to the mixed environment than it gives. Still, you should be able to use this as a starting point, and it's probably the best treatment I've seen so far on Kerberos setup and administration.
23 of 25 people found the following review helpful
4.0 out of 5 stars Concise, accurate, fair Windows coverage. June 28 2004
By T. Blikre - Published on
Format:Paperback|Verified Purchase
I purchased this book to assist in integrating Linux authentication with Active Directory. It provided about 90% of the information I needed, the rest came from the web. Offers a concise overview of Kerberos, pretty good coverage of interaction with Active Directory, and some great information on inter-realm trusts that was hard to find via Microsoft. All this talk of AD aside, plenty of high quality information here for the Open Source community.
9 of 10 people found the following review helpful
4.0 out of 5 stars Reasonably thorough introduction and guide, but needs updated July 17 2005
By Robert Pratte - Published on
Like most O'Reilly titles, this book covers the general topics one needs to be conversant in a given topic. Take what you read, do a few web searches, experiment with the technology, discuss the concepts with others - this book will give you a solid foundation to get started. Moreover, like other O'Reilly topics one can see errata, etc. on the O'Reilly website. This book easily meets the high expectations one has of a book from this publisher: conversational tone, lots of hands-on examples, and broad coverage of applications using this technology.

There are really two areas where this book falls short: 1) while broad and general concepts of Kerberos are discussed, when the examples roll out little effort is given to explain the reasons behind settings, configurations, etc., and 2) as with many technology-related books this book could already use an update. In terms of the former issue, I can see that it is difficult to cover the logic behind various implementations of Kerberos. This book attempts to cover Kerberos implementations in Kerberos 4, Kerberos 5, MIT, Heimdal, Windows, and a bit of Mac OS X, as well as various applications that can use Kerberos such as Cyrus, OpenSSH, and Reflection. There is a lot of material here: each of these applications could easily warrant an O'Reilly book of their own. Moreover, these applications change over time (and rather short times, at that). Thus, the second complaint: particularly in terms of OS X this book could use an updated version, though the majority of the text is still relevant.

To summarize a bit here, if you are looking for cutting-edge info on security, implementation (such as in OS X), or applications, then this book will fall a bit short. Further, if you are already well-versed in the Kerberos liturgy, there will be little to excite you here (though there may be some golden nuggets). However, if you are a manager, someone who needs to quickly assimilate the vast information on Kerberos, or a junior system administrator then this book will be a valuable guide for you. While it lacks the lowest levels of detail on Kerberos, this book should provide enough detail for the astute reader to find their way.
9 of 10 people found the following review helpful
4.0 out of 5 stars Good Starting Point Nov. 15 2005
By Joaquin Menchaca - Published on
This has very superb explanations about the Kerberos authentication concepts. As a Windows system administrator, this has helped me immensely in understanding what's under the hood of Active Directory.

In delving into Windows-Linux interoperability experiments, this book was invaluable in presenting different scenarios. I decided to be bold and try have Linux directly authenticate to Windows Server 2003 KDC using information from Chapter 8 "Advanced Topics". I was able to learn the concepts and get started, but I ran into problems:

First the example (page 179) for exporting keytabs doesn't work with Windows 2003, as you need to use "nt4domain\unixhost" for ktpass -mapuser option.

Secondly, there's no coverage on what to do with these keytab files on the Unix side. I found later (googling) that I needed to install them using the kutil command.

Thirdly, there could have references to material on how to test and re-configure Linux to use Kerberos instead of shadow passwd system. "Chapter 7: Applications" covers this, but references to the PAM modules are rather outdated. There should have been detail on how to configure GDM, KDM, and xscreensaver to use Kerberos.

Lastly, I found is that troubleshooting presented earlier in Chapter 5 grossly needs to be expanded. I got specific error messages, and would have liked to see more specifics included. (Fortunately googling again help find some pointers)

Overall this book is great spring board, but as it is outdated and in some ways incomplete, you need to scour the Internet for the complete solution. Still, I honestly don't know how I could have gotten there without this book.
10 of 12 people found the following review helpful
4.0 out of 5 stars Comprehensive and easy-to-understand Sept. 7 2004
By Don Bartlett - Published on
I hoped that this book would help answer all my questions about Kerberos. It did. I have worked with Active Directory frequently over the past 5 years. Also, I have a penchant for security and Open Source software. I was eager to know how Kerberos works behind the scenes, especially in complex scenarios such as cross-realm authentication in Active Directory forests. I was not disappointed.

Kerberos: The Definitive Guide covers everything from history and concepts through implementation and advanced topics. Everything you need to know about authentication, cryptography and security in order to understand and implement Kerberos is here.

Jason Garman does a good job of conveying a wealth of complex subject material in a simple, easy-to-digest way. This book is not a Kerberos "bible" -- it doesn't cover every possible aspect of Kerberos in detail -- but it is more than adequate to be used as an implementation guide, and it makes an excellent reference.

I can recommend this to anyone who works with Kerberos.
Search Customer Reviews
Only search this product's reviews

Look for similar items by category