Kerberos: The Definitive Guide


Matt Willmore

O'Reilly's latest book on Kerberos, the Definitive Guide, tries to tackle understanding, using, and implementing Kerberos network-based authentication from a system administrator's or developer's standpoint.

Although the idea of Kerberos stemmed from an academic paper in 1978, the protocol itself had not garnered much interest at all until the past few years. Since then, Kerberos v5 has nearly become the ubiquitous standard of network authentication. It is currently the preferred method for secure authentication and authorization in both Mac OS X Server and Windows Server 2003.

Needless to say, as I was approaching a project dealing with network authentication, I was interested in Kerberos. Alas, there was very little documentation on the subject. Brian Tung's Kerberos book had been on the market for some time, but the early (and later) reviews were not favorable. Soon after, O'Reilly announced its intention to publish a Kerberos book in August. I immediately reserved a copy and received it soon after its release. O'Reilly has a strong reputation for quality technical literature, and this book is no exception.

My main objectives in reading the book were to:

  1. Get a firm grasp of what Kerberos is all about and exactly why it's so great.
  2. Find out what steps would be needed to integrate Kerberos with Mac OS X 10.2 and Mac OS X Server 10.2.

The first three chapters helped accomplish the first goal. Chapter 1, "Introduction", explains the reasoning and need for Kerberos and how it has evolved from that academic paper to what it is today. Chapter 2, "Pieces of the Puzzle", discusses the three A's of Kerberos: authentication, authorization and auditing. It also discusses Kerberos' vocabulary, which immediately helped me better understand the myriad of Web sites detailing how to integrate Kerberos into your network. The third chapter, "Protocols", discusses - you guessed it - the protocols behind the name, how they function together, and why each is necessary.

This book immediately seemed to do two things: it gave me a thorough understanding of the basics of Kerberos (and reviewed it multiple times); it also seemed to take all the important morsels of information I had gleaned from site after site and present them in a very usable form that made me say, "Oh, well now that makes perfect sense!" again and again. The book also did an excellent job of comparing Kerberos to other available solutions and explaining why Kerberos was ultimately the right choice for most environments. I appreciated that it also discussed when Kerberos might not be the ideal solution, as well as current security liabilities within the protocol.

Now that I know more than I ever wanted to know about Kerberos, I want to know how easy (or difficult) it would be to integrate Kerberos into an OS X-based server/client setup. In this area, I found the book lacking. Although Garman did spend more than adequate time on implementing Kerberos in a Unix environment, documentation specific to OS X was hard to come by. What documentation I did find was limited to enabling Kerberos support for OS X's login window and retrieving mail in a Kerberos environment with Mail.app. There are other cases in which Kerberos could be used in an OS X system (to authenticate against a file server, for example), but those were not covered in the book. The book also failed to mention tools from MIT that make Kerberos implementation on the OS X client much easier. MIT's Kerberos application, used to manage Kerberos tickets, is located in the CoreServices folder (/System/Library/CoreServices) and should be used. In addition, MIT offers a "MIT Kerberos Extras" installer on their Web site which allows Kerberos support for Carbon-based programs that use Kerberos, such as Eudora. The address for those downloads is located here.

There were some other minor omissions, such as the fact that OS X uses a different file name and location for its Kerberos configuration file. On OS X the file should be located at /Library/edu.mit.Kerberos. For that and other OS X-specific details, much can be learned from Apple's Knowledge Base Kerberos articles. A word of warning, though: articles on 10.3 and Kerberos are still catching up, and there are changes that warrant updated documentation.

In spite of the lack of OS X documentation (and the heavy amount of Windows documentation), the book does deliver what it promises: a definitive guide to Kerberos. I am excited about the fact OS X was considered enough of a presence to be a part of the book, but was disappointed at their lack of documentation for OS X support. Would I recommend picking this book up? Definitely. With this book, along with a few KB articles and a little patience, you too can unleash the power of Kerberos on your network.

Book Details

Title: Kerberos: The Definitive Guide
Author: Jason Garman
Date Published: August 2003
ISBN: 0596004036
Buy it online: O'Reilly | Amazon.com

Matt Willmore is a founding partner of MacZealots.com. Matt is also a Resident Assistant at Owen Hall and does Mac support at ECN, and is active in PUMUG. He can be reached at .

Reader Comments (2)

1 Ron remarks:
#1) On December 12, 2003 8:44 PM

I’m afraid I must take issue with Mr. Willmore’s review. {I am in no way associated with O’Reilly, Jason Garman, or in any way benefit from the sales of this book.} I hadn’t bought the book, but only skimmed it recently at a Barnes and Noble. I could have sworn that it did mention the MIT Kerberos Extras, for example, as well as covering Mac OS X at a level that surprised me (given the only recent integration and tiny number of users). I went back to Barnes and Noble just now, and confirmed that this is indeed mentioned, and as a result of this error I have reservations about the accuracy of the rest of Mr. Willmore’s review.

2 Matt remarks:
#2) On December 13, 2003 12:24 AM

I stand corrected, Ron. You were right to say that the Kerberos Extras are mentioned in the book, starting on page 83. I still stand by my review, however, as implementing Kerberos in a Mac OS X environment first hand has proven to me that this book’s documentation is not nearly enough to provide for a successful implementation.