[ISN] Book Review - Kerberos: The Definitive Guide

InfoSec News isn at c4i.org
Tue Feb 15 03:07:30 EST 2005


Title: Kerberos: The Definitive Guide  
Author: Jason Garman 
Pages: 272  
Publisher: O'Reilly and Associates 
Rating: 7/10 
Reviewer: Jose Nazario 
ISBN: 0596004036 
Summary: A comprehensive, cross platform guide to Kerberos 
Buy from Amazon: http://www.amazon.com/exec/obidos/ASIN/0596004036/c4iorg

I got started using Kerberos many moons ago, at my university. This is
probably how many people got to know about it. While I didn't use it
very much, it's there that I learned the basics and experimented a bit
with Kerberos. Interest in it took off after Microsoft incorporated
Kerberos authentication mechanisms into Windows 2000. Suddenly it
wasn't such arcane knowledge.

Two open source Kerberos implementations exist, the MIT reference
implementation, and the Heimdal Kerberos implementation. Even then,
there are two main versions which you can find, Kerberos IV and
Kerberos V. Kerberos IV went away for most environments with the
passing of the Y2K mark, but some legacy apps need support. So, you
still have to deal with it on occasion.

In writing Secure Architectures with OpenBSD, I got a lot more
intimate with Kerberos, and even set up a decently sized realm in my
house. Hence, I got to experience the turmoil of setup and debugging.  
A book like Kerberos: The Definitive Guide (K:TDG) would have been
very welcome. Instead, I slogged my way through it, and got it to work
for the most part.

K:TDG will help you set up your Kerberos world by introducing you to
the complex subject, terminology, and the pieces. Once you learn the
basics, you recognize that a simple realm is actually somewhat easy to
set up. The author, Jason Garman, uses a mixed Mac OS X, UNIX, and
Windows environment, focusing on UNIX most of the time. The bulk of
the examples deal with MIT Kerberos 5 version 1.3 (krb5-1.3) but
should work for most versions. Some attention is given to the Heimdal
implementation (which is integrated with BSD, for example), and for
the most part you'll be OK. Windows examples are also pretty copious
but always come second. If you're comfortable with UNIX, you'll easily
be able to translate these into Windows examples to help bridge the
Windows gaps.

Chapter 1 is an obligatory Introduction, a short chapter that
introduces the key concepts of Kerberos and what the book will cover.  
A very quick comparison of Kerberos to DCE, SESAME, and earlier
versions of Kerberos is given. This chapter serves as a nice selling
point for the book, it's the type of thing you'd flip through in the
book store to decide if you should buy the book or not.

Chapter 2 is a decent overview for the new user of Kerberos to the
system and how it works. Kerberos is placed into its role in a AAA
infrastructure - authentication, authorization, and accounting - as
well as some caveats that are commonly made. You'll learn about core
Kerberos features like tickets, realms, principals, instances, ticket
granting tickets, and the ticket cache. A decent overview for
practical purposes is given, but you will definitely want another
resource if you're interested in diving headlong into Kerberos.

These pieces come together in Chapter 3, where the actual protocols
are described. They're laid out for a non-cryptographer, so go
elsewhere if you want to learn the real formal material behind the
system. Understanding the protocols is important to understanding the
service as a whole. For someone new to Kerberos, you'll probably want
to spend a little more time reading this to get oriented in the
Kerberos world. The chapter doesn't mess around too much and delivers
a fair treatment of the material.

Chapter 4 is the meat of the book's material, setting up your
implementation. It all starts with the KDC (key distribution center)  
and realm initialization. Again, the bulk of the treatment is on the
MIT implementation on UNIX, with the Heimdal and then Windows sections
following next. Slave KDCs are also introduced, which is useful for
large environments. An OS X server is missing, but Kerberos clients
for all three (UNIX, Windows and OS X) are given. The role of DNS is
also explained well, a useful touch that's missing in some Kerberos
documents I've used in the past. This chapter will get you started,
and with some of the supplied documentation you should be up and
running in no time.

Chapter 5 is devoted to troubleshooting, an all too familiar task for
a new Kerberos administrator. Common problems, their diagnosis, and
resolution are discussed. I like the presentation of this chapter and
think it will be useful for most real-world situations you'll

Security concerns with Kerberos are covered in Chapter 6, which
discusses concrete and abstract attacks on the Kerberos scheme. Since
all of the security in Kerberos resides in your KDC hosts, obviously
this covers some of the material. However, the clients can expose
your Kerberos realm to attacks, as well, and how to circumvent these
problems is covered. A decent and practical chapter, and covered on
both UNIX and Windows.

In Chapter 7 a number of Kerberos enabled applications are discussed.  
After all, you can do more than just log on locally with Kerberos, you
can use remote login programs like SSH, remote access scenarios like
printing, and even control X via Kerberos. While not every application
that I would have liked was covered, the treatment was fair and should
get you started with a number of Kerberos enabled tools in your new

A strong selling point of the book is given in Chapter 8, titled
Advanced Topics. Three main topics are discussed. The first is
cross-realm authentication, where you have more than one separate
Kerberos realm on your network but you want to have users switch
between the two without creating accounts in the other. This can get
tricky, and the book does a decent job of introducing it, but it's not
as complete as it could be. The second main topic in this chapter is
Kerberos 4 and 5 interoperability, which is relatively
straightforward. Most Kerberos 5 implementations come with tools to
process Kerberos 4 ticket scenarios to handle legacy applications. And
finally, a really valuable section covers UNIX and Windows Kerberos
interoperability, a hairy issue. Again, incomplete but strong enough
that you should be able to get it working with some elbow grease. This
is probably the most valuable chapter of the book, which does a decent
job at the introductory level, but you'll be left to tie up a few
loose ends on your own.

An obligatory case study is given in Chapter 9, where you can see a
number of configuration samples and even a mixed Windows-UNIX
environment. Not terribly useful when compared to chapters 4 and 8,
but overall worthwhile. It may answer some of your questions, even.  
Chapter 10 wraps up the book with looking at Kerberos futures, which
isn't all that useful, honestly. What gets more useful is the
appendix, which gives an administration reference. Lots of commands
are given for MIT, Heimdal and even for Windows, so you can quickly
jump there to refresh your memory on a topic.

Overall this book is recommended if you need a place to start working
on Kerberos, especially in a mixed environment. The MIT and Heimdal
documents are a fair place to start for a UNIX only Kerberos realm,
but if you find they aren't enough, this is probably the right book
for you. The book's main strength is that it covers Kerberos on the
three main platforms in use (Windows, OS X, and UNIX), although it
could provide a deeper treatment to the mixed environment than it
gives. Still, you should be able to use this as a starting point, and
it's probably the best treatment I've seen so far on Kerberos setup
and administration.
