Kerberos : A Network Authentication system

Written by a network security professional who has worked with Kerberos extensively, this practical guide reveals the experience-based tips that will help you avoid pitfalls and maximize the system's capabilities. The text shows you how to obtain, install, optimize, use, and administer Kerberos, and covers important information for developing Kerberized applications.

You will find thorough explanations of such key topics as:

• Basic cryptography and hash functions
  
• Mutual authentication
  
• Establishing and changing passwords
  
• Manipulating credentials
  
• Installing the Key Distribution Center (KDC)
  
• Optimizing configuration
  
• Creating and administering a Kerberos database
  
• Adding, deleting, and modifying a principal
  
• Setting up cross-realm authentication
  
• Extensible function calls
  
• The GSS-API
  
• The various versions of Kerberos and their operational differences
  

In addition to these topics, Kerberos also discusses the effect of public key cryptography on the Kerberos protocol, its incorporation into Windows NT 5.0, and its use with smart cards and PC cards.

Table of contents

Preface

1 Overview: a Kerberos FAQ

1.1 What Is Kerberos?

1.2 What Is Kerberos Good For?

1.3 What Versions Are Available?

1.4 Where Can I Get Kerberos?

1.5 What On-Line Information Is There?

1.6 How Is Kerberos Used for Security?

2 Kerberos for Users

2.1 Using Kerberos

2.2 Manipulating Credentials

2.3 Changing Your Kerberos Password

2.4 Performing Basic Kerberos Operations

2.5 Using MIT-Kerberized Applications

2.6 Encrypting Your Session

2.7 Forwarding, Tickets

2.8 Specifying the User

2.9 Knowing When Something Isn't Right

2.10 Using the Windows 95/NT Interface

2.11 Using Eudora

3 Kerberos for Administrators

3.1 Knowing What You're Trying to Protect

3.2 Building the Kerberos Distribution

3.3 Installing the KDC

3.3.1 The krb5. conf Configuration File

3.3.2 The kdc. conf Configuration File

3.4 Creating the Kerberos Database

3.5 Setting Up the Administrative Principals

3.6 Starting the KDC and the Admin Server

3.7 Accessing the Database

3.7.1 Adding a New Principal

3.7.2 Deleting a Principal

3.7.3 Modifying a Principal

3.7.4 Changing a Password

3.7.5 Retrieving a Principal's Database Entry

3.7.6 Listing the Database Entries

3.7.7 Compiling a Keytab File

3.7.8 Removing Principals from a Keytab File

3.7.9 Finding Out What Commands Are Available

3.7.10 Quitting

3.8 Setting Up Cross-Realm Authentication

3.9 Administering an Application Server

4 Kerberos for Developers

4.1 Contents of a Kerberized Application

4.2 Example of a Kerberized Application

4.2.1 The Client

4.2.2 Our Example Server

4.2.3 Extensible Function Calls

4.2.4 Error Handling

4.3 Replay Caches

4.4 A Password- Changing Program

4.5 Other Kerberos API Calls

4.6 GSS-API

4.6.1 Understanding How the GSS-API Calls Work

4.6.2 Taking Advantage of GSS-API

5 The Basics of Kerberos

5.1 The Origins of Kerberos

5.2 Principals

5.3 A Primer on Cryptography

5.3.1 Ciphers

5.3.2 One-Way Hashes

5.4 Authentication with Kerberos

5.4.1 The (High-Level) Details

5.4.2 Mutual Authentication

5.4.3 KDC = AS + TGS

5.4.4 Cross-Realm Authentication

5.5 The Kerberos Environment

5.5.1 A Note About Passwords

5.5.2 Local Security

6 Earlier Versions of Kerberos

6.1 Pre-V5 and Commercial Versions

6.1.1 Kerberos VI, V2, V3

6.1.2 Kerberos V4

6.1.3 Bones, E-Bones, and Heimdal

6.1.4 TrustBroker

6.2 V4 and V5 Operational Differences

6.2.1 kinit

6.2.2 klist

6.2.3 kdestroy

6.3 V4 and V5 Anatomical Differences

6.3.1 Byte Ordering

6.3.2 Ticket Lifetimes

6.3.3 Delegation

6.3.4 Password Hashing

6.3.5 Preauthentication

6.3.6 Cryptographic Algorithms

7 New Directions for Kerberos

7.1 Public Key Cryptography

7.1.1 The Basics of Public Key Cryptography

7.1.2 The Strength of Public Key Cryptography

7.1.3 The Need of Public Key Certification

7.1.4 How Public Key Affects the Kerberos Protocol

7.1.5 Use in Cross-Realm Authentication

7.1.6 Public Key Kerberos Today

7.2 Kerberos and Windows 2000

7.3 Smart Cards and Other Portable Devices

7.3.1 Smart Cards and PC Cards

7.3.2 PC Cards and the Kerberos Protocol

A Glossary

B Annotated Bibliography

B.1 Books

B.2 Papers

B.3 Internet Specifications

B.4 On-Line References

Index