17.4. Kerberos and PAM
Currently, kerberized services do not make use of Pluggable
Authentication Modules (PAM) — kerberized servers bypass PAM
completely. However, applications that use PAM can make use of Kerberos
for authentication if the pam_krb5 module (provided
in the pam_krb5 package) is installed. The
pam_krb5 package contains sample configuration
files that allow services like login and
gdm to authenticate users and obtain initial
credentials using their passwords. If access to network servers is
always performed using kerberized services or services that use GSS-API,
such as IMAP, the network can be considered reasonably safe.
Administrators should be careful to not allow users to authenticate to
most network services using Kerberos passwords. Many protocols used by
these services do not encrypt the password before sending it over the
network, destroying the benefits of the Kerberos system. For example,
users should not be allowed to authenticate using their Kerberos
passwords over Telnet.
The next section describes how to set up a basic Kerberos server.