Kerberos, the single sign-on authentication system originally developed at MIT, deserves its name. It's a faithful watchdog that keeps intruders out of your networks. But it has been equally fierce to system administrators, for whom the complexity of Kerberos is legendary. Single sign-on is the holy grail of network administration, and Kerberos is the only game in town. Microsoft, by integrating Kerberos into Active Directory in Windows 2000 and 2003, has extended the reach of Kerberos to all networks, large or small. Kerberos makes your network more secure and more convenient for users by providing a single authentication system that works across the entire network. One username, one password, one login is all you need. Fortunately, help for administrators is on the way. Kerberos: The Definitive Guide shows you how to implement Kerberos for secure authentication. In addition to covering the basic principles behind cryptographic authentication, it covers everything from basic installation to advanced topics like cross-realm authentication, defending against attacks on Kerberos, and troubleshooting. In addition to covering Microsoft's Active Directory implementation, Kerberos: The Definitive Guide covers both major implementations of Kerberos for Unix and Linux: MIT and Heimdal. It shows you how to set up Mac OS X as a Kerberos client. The book also covers both versions of the Kerberos protocol that are still in use: Kerberos 4 (now obsolete) and Kerberos 5, paying special attention to the integration between the different protocols, and between Unix and Windows implementations. If you've been avoiding Kerberos because it's confusing and poorly documented, it's time to get on board. This book shows you how to put Kerberos authentication to work on your Windows and Unix systems.
First I would like to justify my 5 star rating. This book helped me out of a nasty multi-homed host and DNS problem when no other source could. Without this book I would have been troubleshooting this issue for days. I feel the book has paid for itself. However, I wouldn't consider this "The Definitive Guide." It lacks documentation on the krb5.conf configuration file. I found myself referencing the krb5.conf(5) man page for additional info. Also, the documentation that comes with Heimdal is a very good source for configuration settings. Another deficiency is the GSSAPI coverage. I did have some trouble setting up my GSSAPI aware SSH with Kerberos. I found myself digging through the ssh man pages and doing some trial and error. Chapter 7 discusses Kerberos enabled applications. SSH is covered there, but I felt the GSSAPI aspect was lacking. Although the author mentions that GSSAPI is not specific to any authentication method and is somewhat out of place in a Kerberos book, I feel this is where the author could have gone the extra mile and claimed the right to the title "The Definitive Guide." There are many Kerberized applications today not mentioned in Chapter 7. It would be nice to see a second edition that covers them. What this book has that you will not find in any other single source is comprehensive coverage of the history, protocols, and implementation of Kerberos, complete with diagrams. From a security standpoint, this will really help you understand what is going on in your network. For example, when setting up my firewall rules and NIDS, I really had a grasp on what traffic was going where and what needed to be blocked/detected. Chapter 6, Security, is very comprehensive and outlines various root compromises, dictionary and brute-force, replay, and man-in-the-middle attacks. It also details the importance of pre-authentication in Kerberos V as well as best practices to protect your key distribution center (KDC).
My Kerberos network is a 10 host homogeneous OpenBSD network running the Heimdal Kerberos V version 0.7.2. Although this book covers the older Heimdal 0.6, it was still very relevant. It also covers the MIT 1.3 implementation (MIT is currently at version 1.6.3). Although this book was published in 2003, it is still worth its price brand new in 2008.
Good Starting Point
Published by Thriftbooks.com User, 19 years ago
This has very superb explanations about the Kerberos authentication concepts. As a Windows system administrator, this has helped me immensely in understanding what's under the hood of Active Directory. In delving into Windows-Linux interoperability experiments, this book was invaluable in presenting different scenarios. I decided to be bold and try to have Linux directly authenticate to a Windows Server 2003 KDC using information from Chapter 8 "Advanced Topics". I was able to learn the concepts and get started, but I ran into problems: First, the example (page 179) for exporting keytabs doesn't work with Windows 2003, as you need to use "nt4domain\unixhost" for the ktpass -mapuser option. Secondly, there's no coverage on what to do with these keytab files on the Unix side. I found later (googling) that I needed to install them using the ktutil command. Thirdly, there could have been references to material on how to test and re-configure Linux to use Kerberos instead of the shadow passwd system. "Chapter 7: Applications" covers this, but references to the PAM modules are rather outdated. There should have been detail on how to configure GDM, KDM, and xscreensaver to use Kerberos. Lastly, I found that the troubleshooting presented earlier in Chapter 5 grossly needs to be expanded. I got specific error messages, and would have liked to see more specifics included. (Fortunately, googling again helped find some pointers.) Overall this book is a great springboard, but as it is outdated and in some ways incomplete, you need to scour the Internet for the complete solution. Still, I honestly don't know how I could have gotten there without this book.
Kerberos intimidates a lot of people, don't be one of them
Published by Thriftbooks.com User, 20 years ago
I got started using Kerberos many moons ago, at my university. This is probably how many people got to know about it. While I didn't use it very much, it's there that I learned the basics and experimented a bit with Kerberos. Interest in it took off after Microsoft incorporated Kerberos authentication mechanisms into Windows 2000. Suddenly it wasn't such arcane knowledge. Two open source Kerberos implementations exist, the MIT reference implementation, and the Heimdal Kerberos implementation. Even then, there are two main versions which you can find, Kerberos IV and Kerberos V. Kerberos IV went away for most environments with the passing of the Y2K mark, but some legacy apps need support. So, you still have to deal with it on occasion. In writing Secure Architectures with OpenBSD, I got a lot more intimate with Kerberos, and even set up a decently sized realm in my house. Hence, I got to experience the turmoil of setup and debugging. A book like Kerberos: The Definitive Guide (K:TDG) would have been very welcome. Instead, I slogged my way through it, and got it to work for the most part. K:TDG will help you set up your Kerberos world by introducing you to the complex subject, terminology, and the pieces. Once you learn the basics, you recognize that a simple realm is actually somewhat easy to set up. The author, Jason Garman, uses a mixed Mac OS X, UNIX, and Windows environment, focusing on UNIX most of the time. The bulk of the examples deal with MIT Kerberos 5 version 1.3 (krb5-1.3) but should work for most versions. Some attention is given to the Heimdal implementation (which is integrated with BSD, for example), and for the most part you'll be OK. Windows examples are also pretty copious but always come second. If you're comfortable with UNIX, you'll easily be able to translate these into Windows examples to help bridge the Windows gaps. 
Chapter 1 is an obligatory Introduction, a short chapter that introduces the key concepts of Kerberos and what the book will cover. A very quick comparison of Kerberos to DCE, SESAME, and earlier versions of Kerberos is given. This chapter serves as a nice selling point for the book; it's the type of thing you'd flip through in the book store to decide if you should buy the book or not. Chapter 2 is a decent overview for the new user of Kerberos to the system and how it works. Kerberos is placed into its role in an AAA infrastructure - authentication, authorization, and accounting - as well as some caveats that are commonly made. You'll learn about core Kerberos features like tickets, realms, principals, instances, ticket granting tickets, and the ticket cache. A decent overview for practical purposes is given, but you will definitely want another resource if you're interested in diving headlong into Kerberos. These pieces come together in Chapter 3, where the actual protocols are described. They're laid out for a non-cryptographer, so go elsewhere if you want to learn the real formal material behind the
Comprehensive and easy-to-understand
Published by Thriftbooks.com User, 21 years ago
I hoped that this book would help answer all my questions about Kerberos. It did. I have worked with Active Directory frequently over the past 5 years. Also, I have a penchant for security and Open Source software. I was eager to know how Kerberos works behind the scenes, especially in complex scenarios such as cross-realm authentication in Active Directory forests. I was not disappointed. Kerberos: The Definitive Guide covers everything from history and concepts through implementation and advanced topics. Everything you need to know about authentication, cryptography and security in order to understand and implement Kerberos is here. Jason Garman does a good job of conveying a wealth of complex subject material in a simple, easy-to-digest way. This book is not a Kerberos "bible" -- it doesn't cover every possible aspect of Kerberos in detail -- but it is more than adequate to be used as an implementation guide, and it makes an excellent reference. I can recommend this to anyone who works with Kerberos.
Concise, accurate, fair Windows coverage.
Published by Thriftbooks.com User, 21 years ago
I purchased this book to assist in integrating Linux authentication with Active Directory. It provided about 90% of the information I needed; the rest came from the web. It offers a concise overview of Kerberos, pretty good coverage of interaction with Active Directory, and some great information on inter-realm trusts that was hard to find via Microsoft. All this talk of AD aside, there is plenty of high quality information here for the Open Source community.