Auto boutiques-francophones Simple and secure cloud storage Personal Care Pets Music Deals Store NFL Tools
Kerberos: The Definitive Guide: The Definitive Guide and over one million other books are available for Amazon Kindle. Learn more
CDN$ 43.26
  • List Price: CDN$ 53.01
  • You Save: CDN$ 9.75 (18%)
Only 1 left in stock (more on the way).
Ships from and sold by
Gift-wrap available.
has been added to your Cart
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

Kerberos: The Definitive Guide Paperback – Sep 5 2003

1 customer review

See all 2 formats and editions Hide other formats and editions
Amazon Price
New from Used from
Kindle Edition
"Please retry"
"Please retry"
CDN$ 43.26
CDN$ 31.22 CDN$ 24.68

No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your e-mail address or mobile phone number.

Product Details

  • Paperback: 274 pages
  • Publisher: O'Reilly Media; 1 edition (Sept. 5 2003)
  • Language: English
  • ISBN-10: 0596004036
  • ISBN-13: 978-0596004033
  • Product Dimensions: 17.8 x 1.4 x 23.3 cm
  • Shipping Weight: 381 g
  • Average Customer Review: 4.0 out of 5 stars  See all reviews (1 customer review)
  • Amazon Bestsellers Rank: #374,747 in Books (See Top 100 in Books)
  • See Complete Table of Contents

Product Description

About the Author

Jason Garman is currently working with computer forensics for the national defense and intelligence communities at Aegis Research Corporation. Previously, he worked at several biotech firms in the Washington, DC area where he helped clients design and implement secure yet easy to use research networks. Jason enjoys working with the practical application of tools and techniques to solve computer and network security problems.

Inside This Book

(Learn More)
Browse Sample Pages
Front Cover | Copyright | Table of Contents | Excerpt | Index | Back Cover
Search inside this book:

Customer Reviews

4.0 out of 5 stars
5 star
4 star
3 star
2 star
1 star
See the customer review
Share your thoughts with other customers

Most helpful customer reviews

Format: Paperback
I purchased this book to assist in integrating Linux authentication with Active Directory. It provided about 90% of the information I needed, the rest came from the web. Offers a concise overview of Kerberos, pretty good coverage of interaction with Active Directory, and some great information on inter-realm trusts that was hard to find via Microsoft. All this talk of AD aside, plenty of high quality information here for the Open Source community.
Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again.
Report abuse

Most Helpful Customer Reviews on (beta) 10 reviews
35 of 36 people found the following review helpful
Kerberos intimidates a lot of people, don't be one of them Sept. 5 2005
By jose_monkey_org - Published on
Format: Paperback
I got started using Kerberos many moons ago, at my university. This is probably how many people got to know about it. While I didn't use it very much, it's there that I learned the basics and experimented a bit with Kerberos. Interest in it took off after Microsoft incorporated Kerberos authentication mechanisms into Windows 2000. Suddenly it wasn't such arcane knowledge.

Two open source Kerberos implementations exist, the MIT reference implementation, and the Heimdal Kerberos implementation. Even then, there are two main versions which you can find, Kerberos IV and Kerberos V. Kerberos IV went away for most environments with the passing of the Y2K mark, but some legacy apps need support. So, you still have to deal with it on occasion.

In writing Secure Architectures with OpenBSD, I got a lot more intimate with Kerberos, and even set up a decently sized realm in my house. Hence, I got to experience the turmoil of setup and debugging. A book like Kerberos: The Definitive Guide (K:TDG) would have been very welcome. Instead, I slogged my way through it, and got it to work for the most part.

K:TDG will help you set up your Kerberos world by introducing you to the complex subject, terminology, and the pieces. Once you learn the basics, you recognize that a simple realm is actually somewhat easy to set up. The author, Jason Garman, uses a mixed Mac OS X, UNIX, and Windows environment, focusing on UNIX most of the time. The bulk of the examples deal with MIT Kerberos 5 version 1.3 (krb5-1.3) but should work for most versions. Some attention is given to the Heimdal implementation (which is integrated with BSD, for example), and for the most part you'll be OK. Windows examples are also pretty copious but always come second. If you're comfortable with UNIX, you'll easily be able to translate these into Windows examples to help bridge the Windows gaps.

Chapter 1 is an obligatory Introduction, a short chapter that introduces the key concepts of Kerberos and what the book will cover. A very quick comparison of Kerberos to DCE, SESAME, and earlier versions of Kerberos is given. This chapter serves as a nice selling point for the book, it's the type of thing you'd flip through in the book store to decide if you should buy the book or not.

Chapter 2 is a decent overview for the new user of Kerberos to the system and how it works. Kerberos is placed into its role in a AAA infrastructure - authentication, authorization, and accounting - as well as some caveats that are commonly made. You'll learn about core Kerberos features like tickets, realms, principles, instances, ticket granting tickets, and the ticket cache. A decent overview for practical purposes is given, but you will definitely want another resource if you're interested in diving headlong into Kerberos.

These pieces come together in Chapter 3, where the actual protocols are described. They're laid out for a non-cryptographer, so go elsewhere if you want to learn the real formal material behind the system. Understanding the protocols is important to understanding the service as a whole. For someone new to Kerberos, you'll probably want to spend a little more time reading this to get oriented in the Kerberos world. The chapter doesn't mess around too much and delivers a fair treatment of the material.

Chapter 4 is the meat of the book's material, setting up your implementation. It all starts with the KDC (key distribution center) and realm initialization. Again, the bulk of the treatment is on the MIT implementation on UNIX, with the Heimdal and then Windows sections following next. Slave KDCs are also introduced, which is useful for large environments. An OS X server is missing, but Kerberos clients for all three (UNIX, Windows and OS X) is given. The role of DNS is also explained well, a useful touch that's missing in some Kerberos documents I've used in the past. This chapter will get you started, and with some of the supplied documentation you should be up and running in no time.

Chapter 5 is devoted to troubleshooting, an all too familiar task for a new Kerberos administrator. Common problems, their diagnosis, and resolution are discussed. I like the presentation of this chapter and think it will be useful for most real-world situations you'll encounter.

Security concerns with Kerberos are covered in Chapter 6, which discusses concrete and abstract attacks on the Kerberos scheme. Since all of the security in Kerberos resides in your KDC hosts, obviously this covers some of the material. However, the clients can exposes your Kerberos realm to attacks, as well, and how to circumvent these problems is covered. A decent and practical chapter, and covered on both UNIX and Windows.

In Chapter 7 a number of Kerberos enabled applications are discussed. After all, you can do more than just log on locally with Kerberos, you can use remote login programs like SSH, remote access scenarios like printing, and even control X via Kerberos. While not every application that I would have liked was covered, the treatment was fair and should get you started with a number of Kerberos enabled tools in your new realm.

A strong selling point of the book is given in Chapter 8, titled Advanced Topics. Three main topics are discussed. The first is cross-realm authentication, where you have more than one separate Kerberos realm on your network but you want to have users switch between the two without creating accounts in the other. This can get tricky, and the book does a decent job of introducing it, but it's not as complete as it could be. The second main topic in this chapter is Kerberos 4 and 5 interoperability, which is relatively straightforward. Most Kerberos 5 implementations come with tools to process Kerberos 4 ticket scenarios to handle legacy applications. And finally, a really valuable section covers UNIX and Windows Kerberos interoperability, a hairy issue. Again, incomplete but strong enough that you should be able to get it working with some elbow grease. This is probably the most valuable chapter of the book, which does a decent job at the introductory level, but you'll be left to tie up a few loose ends on your own.

An obligatory case study is given in Chapter 9, where you can see a number of configuration samples and even a mixed Windows-UNIX environment. Not terribly useful when compared to chapters 4 and 8, but overall worthwhile. It may answer some of your questions, even. Chapter 10 wraps up the book with looking at Kerberos futures, which isn't all that useful, honestly. What gets more useful is the appendix, which gives an administration reference. Lots of commands are given for MIT, Heimdal and even for Windows, so you can quickly jump there to refresh your memory on a topic.

Overall this book is recommended if you need a place to start working on Kerberos, especially in a mixed environment. The MIT and Heimdal documents are a fair place to start for a UNIX only Kerberos realm, but if you find they aren't enough, this is probably the right book for you. The book's main strength is that it covers Kerberos on the three main platforms in use (Windows, OS X, and UNIX), although it could provide a deeper treatment to the mixed environment than it gives. Still, you should be able to use this as a starting point, and it's probably the best treatment I've seen so far on Kerberos setup and administration.
23 of 25 people found the following review helpful
Concise, accurate, fair Windows coverage. June 28 2004
By T. Blikre - Published on
Format: Paperback Verified Purchase
I purchased this book to assist in integrating Linux authentication with Active Directory. It provided about 90% of the information I needed, the rest came from the web. Offers a concise overview of Kerberos, pretty good coverage of interaction with Active Directory, and some great information on inter-realm trusts that was hard to find via Microsoft. All this talk of AD aside, plenty of high quality information here for the Open Source community.
10 of 11 people found the following review helpful
Reasonably thorough introduction and guide, but needs updated July 17 2005
By Robert Pratte - Published on
Format: Paperback
Like most O'Reilly titles, this book covers the general topics one needs to be conversant in a given topic. Take what you read, do a few web searches, experiment with the technology, discuss the concepts with others - this book will give you a solid foundation to get started. Moreover, like other O'Reilly topics one can see errata, etc. on the O'Reilly website. This book easily meets the high expectations one has of a book from this publisher: conversational tone, lots of hands-on examples, and broad coverage of applications using this technology.

There are really two areas where this book falls short: 1) while broad and general concepts of Kerberos are discussed, when the examples roll out little effort is given to explain the reasons behind settings, configurations, etc., and 2) as with many technology-related books this book could already use an update. In terms of the former issue, I can see that it is difficult to cover the logic behind various implementations of Kerberos. This book attempts to cover Kerberos implementations in Kerberos 4, Kerberos 5, MIT, Heimdal, Windows, and a bit of Mac OS X, as well as various applications that can use Kerberos such as Cyrus, OpenSSH, and Reflection. There is a lot of material here: each of these applications could easily warrant an O'Reilly book of their own. Moreover, these applications change over time (and rather short times, at that). Thus, the second complaint: particularly in terms of OS X this book could use an updated version, though the majority of the text is still relevant.

To summarize a bit here, if you are looking for cutting-edge info on security, implementation (such as in OS X), or applications, then this book will fall a bit short. Further, if you are already well-versed in the Kerberos liturgy, there will be little to excite you here (though there may be some golden nuggets). However, if you are a manager, someone who needs to quickly assimilate the vast information on Kerberos, or a junior system administrator then this book will be a valuable guide for you. While it lacks the lowest levels of detail on Kerberos, this book should provide enough detail for the astute reader to find their way.
10 of 11 people found the following review helpful
Good Starting Point Nov. 15 2005
By Joaquin Menchaca - Published on
Format: Paperback
This has very superb explanations about the Kerberos authentication concepts. As a Windows system administrator, this has helped me immensely in understanding what's under the hood of Active Directory.

In delving into Windows-Linux interoperability experiments, this book was invaluable in presenting different scenarios. I decided to be bold and try have Linux directly authenticate to Windows Server 2003 KDC using information from Chapter 8 "Advanced Topics". I was able to learn the concepts and get started, but I ran into problems:

First the example (page 179) for exporting keytabs doesn't work with Windows 2003, as you need to use "nt4domain\unixhost" for ktpass -mapuser option.

Secondly, there's no coverage on what to do with these keytab files on the Unix side. I found later (googling) that I needed to install them using the kutil command.

Thirdly, there could have references to material on how to test and re-configure Linux to use Kerberos instead of shadow passwd system. "Chapter 7: Applications" covers this, but references to the PAM modules are rather outdated. There should have been detail on how to configure GDM, KDM, and xscreensaver to use Kerberos.

Lastly, I found is that troubleshooting presented earlier in Chapter 5 grossly needs to be expanded. I got specific error messages, and would have liked to see more specifics included. (Fortunately googling again help find some pointers)

Overall this book is great spring board, but as it is outdated and in some ways incomplete, you need to scour the Internet for the complete solution. Still, I honestly don't know how I could have gotten there without this book.
10 of 12 people found the following review helpful
Comprehensive and easy-to-understand Sept. 7 2004
By Don Bartlett - Published on
Format: Paperback
I hoped that this book would help answer all my questions about Kerberos. It did. I have worked with Active Directory frequently over the past 5 years. Also, I have a penchant for security and Open Source software. I was eager to know how Kerberos works behind the scenes, especially in complex scenarios such as cross-realm authentication in Active Directory forests. I was not disappointed.

Kerberos: The Definitive Guide covers everything from history and concepts through implementation and advanced topics. Everything you need to know about authentication, cryptography and security in order to understand and implement Kerberos is here.

Jason Garman does a good job of conveying a wealth of complex subject material in a simple, easy-to-digest way. This book is not a Kerberos "bible" -- it doesn't cover every possible aspect of Kerberos in detail -- but it is more than adequate to be used as an implementation guide, and it makes an excellent reference.

I can recommend this to anyone who works with Kerberos.