Kerberos, the single sign-on authentication system originally developed at MIT, deserves its name. It's a faithful watchdog that keeps intruders out of your networks. But it has been equally fierce to system administrators, for whom the complexity of Kerberos is legendary.

Single sign-on is the holy grail of network administration, and Kerberos is the only game in town. Microsoft, by integrating Kerberos into Active Directory in Windows 2000 and 2003, has extended the reach of Kerberos to all networks large or small. Kerberos makes your network more secure and more convenient for users by providing a single authentication system that works across the entire network. One username; one password; one login is all you need.

Fortunately, help for administrators is on the way. Kerberos: The Definitive Guide shows you how to implement Kerberos for secure authentication. In addition to covering the basic principles behind cryptographic authentication, it covers everything from basic installation to advanced topics like cross-realm authentication, defending against attacks on Kerberos, and troubleshooting.

In addition to covering Microsoft's Active Directory implementation, Kerberos: The Definitive Guide covers both major implementations of Kerberos for Unix and Linux: MIT and Heimdal. It shows you how to set up Mac OS X as a Kerberos client. The book also covers both versions of the Kerberos protocol that are still in use: Kerberos 4 (now obsolete) and Kerberos 5, paying special attention to the integration between the different protocols, and between Unix and Windows implementations.

If you've been avoiding Kerberos because it's confusing and poorly documented, it's time to get on board! This book shows you how to put Kerberos authentication to work on your Windows and Unix systems.

Table of Contents

Preface 

1. Introduction

      Origins 

      What Is Kerberos? 

      Goals 

      Evolution 

      Other Products 

2. Pieces of the Puzzle

      The Three As 

      Directories 

      Privacy and Integrity 

      Kerberos Terminology and Concepts 

      Putting the Pieces Together 

3. Protocols

      The Needham-Schroeder Protocol 

      Kerberos 4 

      Kerberos 5 

      The Alphabet Soup of Kerberos-Related Protocols 

4. Implementation

      The Basic Steps 

      Planning Your Installation 

      Before You Begin 

      KDC Installation 

      DNS and Kerberos 

      Client and Application Server Installation 

5. Troubleshooting

      A Quick Decision Tree 

      Debugging Tools 

      Errors and Solutions 

6. Security

      Kerberos Attacks 

      Protocol Security Issues 

      Security Solutions 

      Protecting Your KDC 

      Firewalls, NAT, and Kerberos 

      Auditing 

7. Applications

      What Does Kerberos Support Mean? 

      Services and Keytabs 

      Transparent Kerberos Login with PAM 

      Mac OS X and the Login Window 

      Kerberos and Web-Based Applications 

      The Simple Authentication and Security Layer (SASL) 

      Kerberos-Enabled Server Packages 

      Kerberos-Enabled Client Packages 

      More Kerberos-Enabled Packages 

8. Advanced Topics

      Cross-Realm Authentication 

      Using Kerberos 4 Services with Kerberos 5 

      Windows Issues 

      Windows and Unix Interoperability 

9. Case Study

      The Organization 

      Planning 

      Implementation 

10. Kerberos Futures

      Public Key Extensions 

      Smart Cards 

      Better Encryption 

      Kerberos Referrals 

      Web Services 

Appendix: Administration Reference 

Index