Kerberos: The Definitive Guide
Jason Garman
First I would like to justify my 5 star rating. This book helped me out of a nasty multi-homed host and DNS problem when no other source could. Without this book I would have been troubleshooting this issue for days. I feel the book has paid for itself.
However, I wouldn't consider this "The Definitive Guide." It lacks documentation on the krb5.conf configuration file. I found myself referencing the krb5.conf(5) man page for additional info. Also, the documentation that comes with Heimdal is a very good source for configuration settings.
Another deficiency is the GSSAPI coverage. I did have some trouble setting up my GSSAPI-aware SSH with Kerberos. I found myself digging through the ssh man pages and doing some trial and error. Chapter 7 discusses Kerberos-enabled applications. SSH is covered there, but I felt the GSSAPI aspect was lacking. Although the author mentions that GSSAPI is not specific to any authentication method and is somewhat out of place in a Kerberos book, I feel this is where the author could have gone the extra mile and claimed the right to the title "The Definitive Guide." There are many Kerberized applications today not mentioned in Chapter 7. It would be nice to see a second edition that covers them.
What this book has that you will not find in any other single source is comprehensive coverage of the history, protocols, and implementation of Kerberos complete with diagrams. From a security standpoint, this will really help you understand what is going on in your network. For example, when setting up my firewall rules and NIDS, I really had a grasp on what traffic was going where and what needed to be blocked/detected.
Chapter 6, Security, is very comprehensive and outlines various root compromises, dictionary and brute-force, replay, and man-in-the-middle attacks. It also details the importance of pre-authentication in Kerberos V as well as best practices to protect your key distribution center (KDC).
My Kerberos network is a 10-host homogeneous OpenBSD network running the Heimdal Kerberos V version 0.7.2. Although this book covers the older Heimdal 0.6, it was still very relevant. It also covers the MIT 1.3 implementation (MIT is currently at version 1.6.3). Although this book was published in 2003, it is still worth its price brand new in 2008.
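The reviewer notes that the book leaves the krb5.conf file to the krb5.conf(5) man page. As an added illustration (not from the book or the review), here is a minimal client-side krb5.conf of the kind referenced in the krb5.conf(5) man page, using the core sections that both MIT and Heimdal read. The realm EXAMPLE.ORG and the host names are constructed placeholders; `dns_lookup_kdc` and `dns_lookup_realm` are real MIT/Heimdal libdefaults options, and they are set here so that KDC discovery does not depend on DNS SRV records, which is one of the settings worth checking when a multi-homed host or a DNS inconsistency breaks authentication.

```ini
; Added example krb5.conf (constructed; realm and hosts are placeholders).
; Consult krb5.conf(5) for the full option set.

[libdefaults]
    ; Realm used when a principal name has no explicit realm part.
    default_realm = EXAMPLE.ORG
    ; Resolve KDCs and realm mappings from this file, not DNS SRV/TXT
    ; records, so a misconfigured DNS zone cannot redirect clients.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ; Ticket lifetime and renewable lifetime; keep them short enough
    ; that a stolen ticket has limited value.
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = false

[realms]
    EXAMPLE.ORG = {
        ; Explicit KDC and admin server; port 88 is the Kerberos default.
        kdc = kdc1.example.org:88
        kdc = kdc2.example.org:88
        admin_server = kdc1.example.org
    }

[domain_realm]
    ; Map host names to the realm. The leading dot covers every host in
    ; the domain; the bare entry covers the domain name itself. A host
    ; whose reverse DNS does not match one of these entries is a common
    ; cause of "server not found in Kerberos database" failures.
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG

[logging]
    ; Send library diagnostics to syslog so failed authentications can
    ; be correlated with KDC logs during troubleshooting.
    default = SYSLOG:NOTICE:DAEMON
```

For the GSSAPI-aware SSH setup the reviewer mentions, the client-side settings in ssh_config(5) are `GSSAPIAuthentication yes` and, unless credential forwarding is genuinely required, `GSSAPIDelegateCredentials no`; the server side needs `GSSAPIAuthentication yes` in sshd_config(5) and a `host/<fqdn>` principal in its keytab, where `<fqdn>` must match the name the client resolves for the server.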