Kerberos: The Definitive Guide

Book Description

Kerberos, the single sign-on authentication system originally developed at MIT, deserves its name. It's a faithful watchdog that keeps intruders out of your networks. But it has been equally fierce to system administrators, for whom the complexity of Kerberos is legendary. Single sign-on is the holy grail of network administration, and Kerberos is the only game in town. Microsoft, by integrating Kerberos into Active Directory in Windows 2000 and 2003, has extended the reach of Kerberos to all networks large or small. Kerberos makes your network more secure and more convenient for users by providing a single authentication system that works across the entire network. One username; one password; one login is all you need. Fortunately, help for administrators is on the way. Kerberos: The Definitive Guide shows you how to implement Kerberos for secure authentication. In addition to covering the basic principles behind cryptographic authentication, it covers everything from basic installation to advanced topics like cross-realm authentication, defending against attacks on Kerberos, and troubleshooting. In addition to covering Microsoft's Active Directory implementation, Kerberos: The Definitive Guide covers both major implementations of Kerberos for Unix and Linux: MIT and Heimdal. It shows you how to set up Mac OS X as a Kerberos client. The book also covers both versions of the Kerberos protocol that are still in use: Kerberos 4 (now obsolete) and Kerberos 5, paying special attention to the integration between the different protocols, and between Unix and Windows implementations. If you've been avoiding Kerberos because it's confusing and poorly documented, it's time to get on board! This book shows you how to put Kerberos authentication to work on your Windows and Unix systems.

Table of Contents

  1. Kerberos: The Definitive Guide
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Preface
      1. Organization of This Book
      2. Conventions Used in This Book
      3. Comments and Questions
      4. Thanks...
    3. 1. Introduction
      1. Origins
        1. Modern History
          1. The time-sharing model
          2. The client-server model
          3. Project Athena
      2. What Is Kerberos?
      3. Goals
      4. Evolution
        1. Early Kerberos (v1, v2, v3)
        2. Kerberos 4
        3. Kerberos 5
        4. New Directions
      5. Other Products
        1. DCE
        2. Globus Security Infrastructure
        3. SESAME
    4. 2. Pieces of the Puzzle
      1. The Three As
        1. Authentication
        2. Authorization
        3. Auditing
      2. Directories
      3. Privacy and Integrity
        1. Encryption
        2. Message Integrity
      4. Kerberos Terminology and Concepts
        1. Realms, Principals, and Instances
          1. Service and host principals
          2. Kerberos 4 principals
          3. Kerberos 5 principals
        2. Keys, Salts, and Passwords
        3. The Key Distribution Center
          1. The Authentication Server
          2. The Ticket Granting Server
        4. Tickets
          1. The ticket (or credential) cache
      5. Putting the Pieces Together
    5. 3. Protocols
      1. The Needham-Schroeder Protocol
      2. Kerberos 4
        1. The Authentication Server and the Ticket Granting Server
        2. String-to-Key Transformation
        3. The Key Version Number
        4. Password Changing
      3. Kerberos 5
        1. The World’s Shortest ASN.1 Tutorial
        2. The Authentication Server and the Ticket Granting Server
        3. New Encryption Options
        4. Ticket Options
        5. Kerberos 5-to-4 Ticket Translation
        6. Pre-Authentication
        7. Other Protocol Features and Extensions
        8. String-to-Key Transformation
        9. Password Changing
      4. The Alphabet Soup of Kerberos-Related Protocols
        1. The Generic Security Services API (GSSAPI)
        2. The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
    6. 4. Implementation
      1. The Basic Steps
      2. Planning Your Installation
        1. Choose the Platform and Operating System
        2. Choose a KDC Package
          1. MIT
          2. Heimdal
          3. Windows domain controllers
      3. Before You Begin
      4. KDC Installation
        1. MIT
          1. Building the distribution
          2. Creating your realm
          3. Starting the servers
          4. A quick test
          5. Adding slave KDCs
        2. Heimdal
          1. Building the distribution
          2. Creating your realm
          3. Starting the servers
          4. A quick test
          5. Adding slave KDCs
        3. Windows Domain Controller
          1. Creating your realm
      5. DNS and Kerberos
        1. Setting Up KDC Discovery Over DNS
        2. DNS Domain Name-to-Realm Mapping
      6. Client and Application Server Installation
        1. Unix as a Kerberos Client
        2. Mac OS X as a Kerberos Client
        3. Windows as a Kerberos Client
    7. 5. Troubleshooting
      1. A Quick Decision Tree
      2. Debugging Tools
      3. Errors and Solutions
        1. Errors Obtaining an Initial Ticket
        2. Unsynchronized Clocks
        3. Incorrect or Missing Kerberos Configuration
        4. Server Hostname Misconfiguration
        5. Encryption Type Mismatches
    8. 6. Security
      1. Kerberos Attacks
        1. Other Attacks
      2. Protocol Security Issues
        1. Dictionary and Brute-Force Attacks
        2. Replay Attacks
        3. Man-in-the-Middle Attacks
      3. Security Solutions
        1. Requiring Pre-Authentication
          1. MIT
          2. Heimdal
          3. Windows domain controllers
        2. Enforcing Secure Passwords
          1. Heimdal
          2. MIT
          3. Windows domain controllers
        3. Enforcing Password Lifetimes and History
          1. MIT
          2. Heimdal
          3. Windows domain controllers
      4. Protecting Your KDC
        1. Protecting a Unix KDC
        2. Protecting a Windows Domain Controller
        3. Continual Maintenance
      5. Firewalls, NAT, and Kerberos
        1. Kerberos Network Ports
        2. Kerberos and NAT
      6. Auditing
        1. Enabling Logging
          1. MIT
          2. Heimdal
          3. Windows domain controllers
        2. Understanding the Logs
          1. MIT
          2. Heimdal
          3. Windows domain controllers
    9. 7. Applications
      1. What Does Kerberos Support Mean?
      2. Services and Keytabs
      3. Transparent Kerberos Login with PAM
        1. Configuring PAM
      4. Mac OS X and the Login Window
      5. Kerberos and Web-Based Applications
        1. Building the mod_auth_kerb Apache Module
        2. Configuring mod_auth_kerb
      6. The Simple Authentication and Security Layer (SASL)
        1. Building the Distribution
        2. SASL Configuration
        3. Configuring saslauthd
      7. Kerberos-Enabled Server Packages
        1. Electronic Mail (Cyrus IMAP)
          1. Building and configuring the distribution
          2. Testing the authentication
        2. Directory Services (OpenLDAP)
          1. Building, configuring, and testing the distribution
        3. Remote Login (OpenSSH)
          1. Building the distribution
          2. Configuring the distribution
      8. Kerberos-Enabled Client Packages
        1. Kerberized Secure Shell Clients
        2. Reflection X
          1. Using existing credential caches with Reflection X
        3. Electronic Mail
          1. Qualcomm Eudora
          2. Apple Mail.app
      9. More Kerberos-Enabled Packages
    10. 8. Advanced Topics
      1. Cross-Realm Authentication
        1. Implementing Cross-Realm Relationships
      2. Using Kerberos 4 Services with Kerberos 5
      3. Windows Issues
        1. Encryption Algorithm Support
        2. Cached Login Credentials
          1. Disabling the cached credentials feature
        3. Windows Active Directory Authorization Field
      4. Windows and Unix Interoperability
        1. Using a Windows Domain Controller as a KDC for Unix Clients
          1. Creating Unix keytabs from a Windows domain controller
        2. Using a Non-Microsoft KDC for Windows Clients
          1. Cross-realm trust
          2. Standalone Windows machine
    11. 9. Case Study
      1. The Organization
      2. Planning
        1. Planning the Kerberos Realms
        2. Existing Network Layout
        3. Kerberos KDC Planning
      3. Implementation
        1. Implementing UNIX.SAMPLE.COM
          1. Building and installing the Kerberos KDC software
          2. Realm configuration files
          3. Creating the realm
          4. Setting up slave replication
          5. Installing the Kerberos software on client and application servers
        2. Establishing Cross-Realm Relationships with SAMPLE.COM
        3. Implementing LABS.SAMPLE.COM
          1. Building and installing the Kerberos KDC software
          2. Realm configuration files
          3. Creating the realm
          4. Installing the Kerberos software on client and application servers
        4. Configuring Applications
    12. 10. Kerberos Futures
      1. Public Key Extensions
        1. Public Key Cryptography
          1. Combining public key and symmetric key ciphers
          2. Public key cryptography key distribution
        2. Initial Authentication (PKINIT)
        3. Cross-Realm (PKCROSS)
      2. Smart Cards
        1. Smart Cards and the Kerberos Protocol
      3. Better Encryption
      4. Kerberos Referrals
        1. User Principal Canonicalization
        2. Service Principal Canonicalization
        3. Cross-Realm Referrals
      5. Web Services
    13. A. Administration Reference
      1. MIT
        1. Connecting to kadmin
        2. Reference Section
          1. listprincs
        3. Reference Section
          1. getprinc
        4. Reference Section
          1. addprinc
        5. Reference Section
          1. modprinc
        6. Reference Section
          1. cpw
        7. Reference Section
          1. delprinc
        8. Reference Section
          1. ktadd
        9. Ktutil
          1. clear
          2. list
          3. rkt
          4. addent
          5. delent
          6. wkt
        10. Heimdal
          1. Connecting to kadmin
            1. list
            2. get
            3. add
            4. modify
            5. cpw
            6. delete
            7. ext_keytab
        11. Ktutil
          1. list
          2. add
          3. remove
          4. get
        12. Windows Domain Controllers
          1. Adding a principal
          2. Modifying principal attributes
          3. Changing passwords
          4. Deleting principals
          5. Adding keys into keytabs
      2. Configuration File Format
        1. libdefaults
        2. appdefaults
        3. realms
        4. domain_realm
        5. logging
        6. capaths
    14. Index
    15. About the Author
    16. Colophon
    17. SPECIAL OFFER: Upgrade this ebook with O’Reilly