Kerberos: The Definitive Guide (Kerberos The Definitive Guide.pdf)

Kerberos: The Definitive Guide
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Preface
Organization of This Book
Conventions Used in This Book
Comments and Questions
Thanks...
1. Introduction
Origins
Modern History
The time-sharing model
The client-server model
Project Athena
What Is Kerberos?
Goals
Evolution
Early Kerberos (v1, v2, v3)
Kerberos 4
Kerberos 5
New Directions
Other Products
DCE
Globus Security Infrastructure
SESAME
2. Pieces of the Puzzle
The Three As
Authentication
Authorization
Auditing
Directories
Privacy and Integrity
Encryption
Message Integrity
Kerberos Terminology and Concepts
Realms, Principals, and Instances
Service and host principals
Kerberos 4 principals
Kerberos 5 principals
Keys, Salts, and Passwords
The Key Distribution Center
The Authentication Server
The Ticket Granting Server
Tickets
The ticket (or credential) cache
Putting the Pieces Together
3. Protocols
The Needham-Schroeder Protocol
Kerberos 4
The Authentication Server and the Ticket Granting Server
String-to-Key Transformation
The Key Version Number
Password Changing
Kerberos 5
The World’s Shortest ASN.1 Tutorial
The Authentication Server and the Ticket Granting Server
New Encryption Options
Ticket Options
Kerberos 5-to-4 Ticket Translation
Pre-Authentication
Other Protocol Features and Extensions
String-to-Key Transformation
Password Changing
The Alphabet Soup of Kerberos-Related Protocols
The Generic Security Services API (GSSAPI)
The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
4. Implementation
The Basic Steps
Planning Your Installation
Choose the Platform and Operating System
Choose a KDC Package
MIT
Heimdal
Windows domain controllers
Before You Begin
KDC Installation
MIT
Building the distribution
Creating your realm
Starting the servers
A quick test
Adding slave KDCs
Heimdal
Building the distribution
Creating your realm
Starting the servers
A quick test
Adding slave KDCs
Windows Domain Controller
Creating your realm
DNS and Kerberos
Setting Up KDC Discovery Over DNS
DNS Domain Name-to-Realm Mapping
Client and Application Server Installation
Unix as a Kerberos Client
Mac OS X as a Kerberos Client
Windows as a Kerberos Client
5. Troubleshooting
A Quick Decision Tree
Debugging Tools
Errors and Solutions
Errors Obtaining an Initial Ticket
Unsynchronized Clocks
Incorrect or Missing Kerberos Configuration
Server Hostname Misconfiguration
Encryption Type Mismatches
6. Security
Kerberos Attacks
Other Attacks
Protocol Security Issues
Dictionary and Brute-Force Attacks
Replay Attacks
Man-in-the-Middle Attacks
Security Solutions
Requiring Pre-Authentication
MIT
Heimdal
Windows domain controllers
Enforcing Secure Passwords
Heimdal
MIT
Windows domain controllers
Enforcing Password Lifetimes and History
MIT
Heimdal
Windows domain controllers
Protecting Your KDC
Protecting a Unix KDC
Protecting a Windows Domain Controller
Continual Maintenance
Firewalls, NAT, and Kerberos
Kerberos Network Ports
Kerberos and NAT
Auditing
Enabling Logging
MIT
Heimdal
Windows domain controllers
Understanding the Logs
MIT
Heimdal
Windows domain controllers
7. Applications
What Does Kerberos Support Mean?
Services and Keytabs
Transparent Kerberos Login with PAM
Configuring PAM
Mac OS X and the Login Window
Kerberos and Web-Based Applications
Building the mod_auth_kerb Apache Module
Configuring mod_auth_kerb
The Simple Authentication and Security Layer (SASL)
Building the Distribution
SASL Configuration
Configuring saslauthd
Kerberos-Enabled Server Packages
Electronic Mail (Cyrus IMAP)
Building and configuring the distribution
Testing the authentication
Directory Services (OpenLDAP)
Building, configuring, and testing the distribution
Remote Login (OpenSSH)
Building the distribution
Configuring the distribution
Kerberos-Enabled Client Packages
Kerberized Secure Shell Clients
Reflection X
Using existing credential caches with Reflection X
Electronic Mail
Qualcomm Eudora
Apple Mail.app
More Kerberos-Enabled Packages
8. Advanced Topics
Cross-Realm Authentication
Implementing Cross-Realm Relationships
Using Kerberos 4 Services with Kerberos 5
Windows Issues
Encryption Algorithm Support
Cached Login Credentials
Disabling the cached credentials feature
Windows Active Directory Authorization Field
Windows and Unix Interoperability
Using a Windows Domain Controller as a KDC for Unix Clients
Creating Unix keytabs from a Windows domain controller
Using a Non-Microsoft KDC for Windows Clients
Cross-realm trust
Standalone Windows machine
9. Case Study
The Organization
Planning
Planning the Kerberos Realms
Existing Network Layout
Kerberos KDC Planning
Implementation
Implementing UNIX.SAMPLE.COM
Building and installing the Kerberos KDC software
Realm configuration files
Creating the realm
Setting up slave replication
Installing the Kerberos software on client and application servers
Establishing Cross-Realm Relationships with SAMPLE.COM
Implementing LABS.SAMPLE.COM
Building and installing the Kerberos KDC software
Realm configuration files
Creating the realm
Installing the Kerberos software on client and application servers
Configuring Applications
10. Kerberos Futures
Public Key Extensions
Public Key Cryptography
Combining public key and symmetric key ciphers
Public key cryptography key distribution
Initial Authentication (PKINIT)
Cross-Realm (PKCROSS)
Smart Cards
Smart Cards and the Kerberos Protocol
Better Encryption
Kerberos Referrals
User Principal Canonicalization
Service Principal Canonicalization
Cross-Realm Referrals
Web Services
A. Administration Reference
MIT
Connecting to kadmin
Reference Section
listprincs
Reference Section
getprinc
Reference Section
addprinc
Reference Section
modprinc
Reference Section
cpw
Reference Section
delprinc
Reference Section
ktadd
Ktutil
clear
list
rkt
addent
delent
wkt
Heimdal
Connecting to kadmin
list
get
add
modify
cpw
delete
ext_keytab
Ktutil
list
add
remove
get
Windows Domain Controllers
Adding a principal
Modifying principal attributes
Changing passwords
Deleting principals
Adding keys into keytabs
Configuration File Format
libdefaults
appdefaults
realms
domain_realm
logging
capaths
Index
About the Author
Colophon
Kerberos: The Definitive Guide
Jason Garman
Editor: Mike Loukides
Copyright © 2010 O'Reilly Media, Inc.

Dedication
Dedicated in loving memory to my grandfather, Harry Stumpff.
— Jason Garman
Preface

Kerberos is a sophisticated network authentication system—one that has been publicly available since 1989 and provides that eternal holy grail of network administrators, single-sign-on. Yet, in that intervening decade, documentation on Kerberos has been notably lacking. While many large organizations and academic institutions have enjoyed the benefits of using Kerberos in their networks, the deployment of Kerberos in smaller networks has been severely hampered by a lack of documentation.

I decided to write this book precisely because of this lack of useful documentation. My own experiences with Kerberos are those of extreme frustration as I attempted to decipher the documentation. I found that I had to keep copious notes to keep everything straight. Those notes eventually became the outline of this book.

Today, Microsoft, through its adoption of the latest Kerberos protocol as the preferred authentication mechanism in its Active Directory, has single-handedly driven the use of Kerberos into the majority of the operating-system market that it controls.

Thanks to the openness of Kerberos, organizations now can establish cross-platform, single sign-on network environments, giving an end-user one set of credentials that will provide him access to all network resources, regardless of platform or operating system. Yet the workings and benefits of Kerberos remain a mystery to most network administrators. This book aims to pull away the curtain and reveal the magician working behind the scenes.

This book is geared toward the system administrator who wants to establish a single sign-on network using Kerberos. This book is also useful for anyone interested in how Kerberos performs its magic: the first three chapters will be most helpful to these people.

Organization of This Book

Here's a breakdown of how this book is organized:

Chapter 1
Provides a gentle introduction to Kerberos, and provides an overview of its history and features. It provides a gentle prologue by bringing you from the reasons for the development of Kerberos at MIT through to the latest versions of the protocol.

Chapter 2
Continues where Chapter 1 left off, presenting an introduction to the concepts and terminology that permeate the use and administration of Kerberos. The knowledge of these concepts is essential to the understanding of how Kerberos works as well as how to use and administer it.

Chapter 3
Speaking of how Kerberos works, Chapter 3 reviews the Kerberos protocol via a historical perspective that takes you through the evolution of Kerberos from an academic paper published in 1978 to the modern Kerberos 5 protocol used today. Chapter 3 provides a detailed yet easy-to-follow description of how the Kerberos protocol works and describes the numerous encrypted messages that are sent back and forth.

Chapter 4
Takes you from the realm of the theoretical and conceptual into the practical aspects involved in administering a Kerberos system. Here, the Kerberos implementations that will be discussed throughout the book are introduced, and the basics of the installation and administration of a Kerberos authentication system are described.

Chapter 5
When things go wrong with your Kerberos implementation, Chapter 5 will come in handy. Chapter 5 provides a methodology for diagnosing Kerberos-related problems and demonstrates some of the more common errors that can occur.

Chapter 6
Provides a detailed look at the practical security concerns related to running Kerberos.

Chapter 7
Reviews some common software that can be configured to use Kerberos authentication.

Chapter 8
Provides information about more advanced topics in running a Kerberos authentication system, including how to interoperate between Unix and Windows Kerberos implementations. This chapter also reviews how multiple Kerberos realms can cooperate and share resources through cross-realm authentication.

Chapter 9
Presents a sample case study that demonstrates the implementation tasks presented earlier in a practical example.

Chapter 10
Finishes off the book with a description of the future directions Kerberos is taking. We'll examine new protocol enhancements that will enable Kerberos to take advantage of new security and encryption technologies.

Appendix A
Provides an in-depth reference on the various commands available to Kerberos administrators.
Conventions Used in This Book

The following conventions are used in this book.

Italic
Used for file and directory names and for URLs. It is also used to emphasize new terms and concepts when they are introduced.

Constant Width
Used for code examples, commands, options, variables, and parameters.

Constant Width Italic
Indicates a replaceable term in code.

TIP
Indicates a tip, suggestion, or general note.

WARNING
Indicates a warning.
Comments and Questions

We have tested and verified all of the information in this book to the best of our ability, but you may find that features have changed, that typos have crept in, or that we have made a mistake. Please let us know about what you find, as well as your suggestions for future editions, by contacting:

O'Reilly & Associates, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the U.S. or Canada)
(707) 829-0515 (international/local)
(707) 829-0104 (fax)

You can also send us messages electronically. To be put on the mailing list or request a catalog, send email to:

info@oreilly.com

To ask technical questions or comment on the book, send email to:

bookquestions@oreilly.com

We have a website for the book, where we'll list examples, errata, and any plans for future editions. You can access this page at:

http://www.oreilly.com/catalog/kerberos/

For more information about this book and others, see the O'Reilly website:

http://www.oreilly.com