Kerberos: A Network Authentication System

reviewed by Bob Bruen

by Brian Tung. Addison-Wesley 1999.
164 pages. Index. Two appendices (Glossary & Annotated Bibliography) $19.95.
ISBN 0-201-37924-4 LoC TK5105.59.T86

Kerberos is an important authentication software package developed at MIT, now at version 5. It is freely available over the net, but, like most free software, support does not come with it. If you want to use it you need to learn enough about it to install, use and maintain it - not to be undertaken lightly. The author, Brian Tung, has a web page, The Moron's Guide to Kerberos, which has been available for a few years. There are also MIT's web site, several papers and RFCs, but there does not appear to be a book on Kerberos, although most books on computer and network security have at least a section describing it. This book fills the void.

The book is short and reads quickly, but there is still lots of information presented. It is a practical book that explains the rationale behind authentication, making the distinction between it and authorization and other related security measures, then jumps right into how to use it. There is a brief discussion of the varieties of tickets that a user can get, as well as why you need them. It always seems to confuse new users that one needs a ticket just to get the other tickets. There are examples of the important commands such as kinit (initialize user credentials), klist (list credentials) and kdestroy (destroy credentials). Beyond encrypting your telnet session and forwarding tickets, the lucky user is all set.

Microsoft has decided to incorporate Kerberos into its products, which will spread Kerberos far and wide. Tung briefly covers the interface to 95/NT. Just as briefly, he also covers the Eudora mail program's use of Kerberos. Microsoft still has some catching up to do with Kerberos to put their implementation on the same level as the Unix versions, but at least they have started. He covers Windows 2000 at the very end of the book.

The third chapter is written for admins: how to get Kerberos, unpack it, check the PGP signature, configure, build and install. For the average sysadmin this part is straightforward, although since the publication of the book the steps have been modified by MIT, but only slightly. The trickier part is setting up the key distribution center (KDC). Tung points out the necessity of securing the machine that will be the home to the KDC, with suggestions on how to do it. The configuration files, maintaining principals and cross-realm authentication round out the rest of the chapter. The explanations are straightforward, but there is not much presented to help if something fails, though it all worked when I followed the instructions.

The next chapter is about developing applications for Kerberos. It can be ignored unless you are a developer or want to learn more. The chapter is full of code fragments of declarations and function calls, with a discussion of each. In addition to the Kerberos API there is a short presentation of the Generic Security Service API (GSS-API), which can be used with Kerberos, accompanied by code examples. The last several chapters discuss the origins of Kerberos, elementary crypto, more on how authentication works with Kerberos, and the differences between version 4 and version 5 - an important topic if you are running version 4.

This is a small, inexpensive and helpful book that provides a great starting place for Kerberos, with pointers to more information. If you are thinking about Kerberos, read this first, then think some more. Chances are improving that you will have to think about Kerberos sometime in the not-too-distant future.