8.5 Kerberos and PAM

Currently, kerberized services do not make use of Pluggable Authentication Modules (PAM) at all — a kerberized server bypasses PAM completely. Applications that use PAM can make use of Kerberos for password checking if the pam_krb5 module (provided in the pam_krb5 package) is installed. The pam_krb5 package contains sample configuration files that allow services like login and gdm to authenticate users and obtain initial credentials using their passwords. If access to network servers is always done using kerberized services (or services that use GSS-API, like IMAP), the network can be considered reasonably safe.

Careful system administrators will not add Kerberos password checking to all network services, because most of the protocols used by these services do not encrypt the password before sending it over the network — obviously something to avoid.

8.6 Additional Resources

Kerberos can be a challenge for new users to understand, implement and configure. For more examples and instructions on using Kerberos, refer to the following sources of information.

8.6.1 Installed Documentation

• /usr/share/doc/krb5-server-<version-number> — The Kerberos V5 Installation Guide and the Kerberos V5 System Administrator's Guide, in PostScript and HTML formats, are installed by the krb5-server RPM.

• /usr/share/doc/krb5-workstation-<version-number> — The Kerberos V5 UNIX User's Guide, in PostScript and HTML formats, is installed by the krb5-workstation RPM.

8.6.2 Useful Websites

• http://web.mit.edu/kerberos/www — The Kerberos home page on MIT's website.

• http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html — The Kerberos Frequently Asked Questions (FAQ).

• ftp://athena-dist.mit.edu/pub/kerberos/doc/usenix.PS — Link to a PostScript version of Kerberos: An Authentication Service for Open Network Systems by Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller. This document is the original paper describing Kerberos.

• http://web.mit.edu/kerberos/www/dialogue.html — Designing an Authentication System: a Dialogue in Four Scenes, originally by Bill Bryant in 1988, modified by Theodore Ts'o in 1997. This document is a conversation between two developers who are thinking through the creation of a
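The caution in Section 8.5 about not adding Kerberos password checking to every network service is easy to violate by accident: on Red Hat Linux of this era most service files stack the shared system-auth configuration, so a single pam_krb5 line placed there applies to every service that pulls it in. The following added example (not from the guide; the pam.d contents are constructed and the directory layout is assumed) parses PAM service files and lists every service whose auth stack reaches pam_krb5.so, resolving both the pam_stack.so service=X indirection and the later include/substack controls:

```python
"""Audit PAM service files for password checks routed through pam_krb5.
Added example, not from the guide; the sample pam.d contents are constructed."""
import re

# Constructed sample: pam_krb5 is added only to the shared system-auth
# stack, which login, gdm and ftp all pull in (sshd does not).
SAMPLE_PAMD = {
    "system-auth": "auth sufficient pam_unix.so likeauth nullok\n"
                   "auth sufficient pam_krb5.so use_first_pass\n"
                   "auth required pam_deny.so\n",
    "login": "auth required pam_securetty.so\nauth required pam_stack.so service=system-auth\n",
    "gdm": "auth required pam_env.so\nauth include system-auth\n",
    "ftp": "auth required pam_stack.so service=system-auth\n",
    "sshd": "auth required pam_unix.so\n",
}

# type, control (a word or a [bracketed] spec), module path, optional args
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_stack(text, mtype="auth"):
    """(control, module, args) for each MTYPE line; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == mtype:
            entries.append((m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return entries

def auth_modules(name, pamd, seen=None):
    """Modules reached by NAME's auth stack via include/substack and pam_stack.so service=X."""
    seen = set() if seen is None else seen
    if name in seen or name not in pamd:   # unknown service or cycle
        return set()
    seen.add(name)
    mods = set()
    for control, module, args in parse_stack(pamd[name]):
        if control in ("include", "substack"):     # module field names a service here
            mods |= auth_modules(module, pamd, seen)
        elif module == "pam_stack.so":             # older Red Hat indirection
            service = [a[len("service="):] for a in args if a.startswith("service=")]
            mods |= auth_modules(service[0], pamd, seen) if service else set()
        else:
            mods.add(module)
    return mods

def services_using_krb5(pamd):
    """Sorted names of services whose auth stack reaches pam_krb5.so."""
    return sorted(s for s in pamd if "pam_krb5.so" in auth_modules(s, pamd))
```

Run against a real /etc/pam.d by reading each file into a dict keyed by file name; any network service that appears in the result but speaks a protocol that does not protect the password is exactly the case the guide warns about.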