Kerberos and PAM - Red Hat Enterprise Linux 5 Deployment Guide

to an attacker for only a short period of time. After the TGT has been issued, the user does not have to re-enter their password until the TGT expires or until they log out and log in again.

Whenever the user needs access to a network service, the client software uses the TGT to request a new ticket for that specific service from the TGS. The service ticket is then used to authenticate the user to that service transparently; the password itself is never sent to the service.
Warning
The Kerberos system can be compromised if a user on the network authenticates against a non-Kerberos-aware service by transmitting a password in plain text: because that password is also the user's Kerberos password, anyone who captures it can obtain a TGT as that user. The use of non-Kerberos-aware services is highly discouraged. Such services include Telnet and FTP. Authenticating over an encrypted protocol such as SSH or an SSL-secured service is preferable, although still not ideal: the password is no longer visible on the wire, but it is still disclosed to the remote server instead of staying on the client as it does in a Kerberos exchange.
This is only a broad overview of how Kerberos authentication works. Refer to Section 43.6.10, "Additional Resources" for links to more in-depth information.
Note
Kerberos depends on the following to function correctly.
• Approximate clock synchronization between the machines on the network.
Tickets and authenticators carry timestamps, and the KDC and Kerberos-aware services reject requests whose time differs from their own by more than the configured clock skew (300 seconds by default in MIT Kerberos). A clock synchronization program should be set up for the network, such as ntpd. Refer to /usr/share/doc/ntp-<version-number>/index.html for details on setting up Network Time Protocol servers (where <version-number> is the version number of the ntp package installed on your system).
• Domain Name Service (DNS).
You should ensure that the DNS entries and hosts on the network are all properly configured, including reverse lookups, because the client library canonicalizes a server's host name through DNS before building the service principal name it requests from the KDC. Refer to the Kerberos V5 System Administrator's Guide in /usr/share/doc/krb5-server-<version-number> for more information (where <version-number> is the version number of the krb5-server package installed on your system).

43.6.4. Kerberos and PAM

Kerberos-aware services do not currently make use of Pluggable Authentication Modules (PAM); these services bypass PAM completely and verify the client's service ticket themselves. However, applications that use PAM can make use of Kerberos for authentication if the pam_krb5 module (provided in the pam_krb5 package) is installed. The pam_krb5 package contains sample configuration files that allow services such as login and gdm to authenticate users against the KDC as well as obtain initial credentials (a TGT) using their passwords, so that a console or graphical login leaves the user with a usable credential cache. If access to network servers is always performed using Kerberos-aware services or services that use GSS-API, such as IMAP, the network can be considered reasonably safe, because the user's password is typed only at the local login prompt and is never sent to a remote service.
Tip
Administrators should be careful not to allow users to authenticate to most network
services using Kerberos passwords. Many protocols used by these services do not
encrypt the password before sending it over the network, destroying the benefits of the
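The pam_krb5 stack layout described above, and the Tip's concern about services that carry the password in plain text, can both be checked mechanically. The following Python script is an added example written for this page; it is not code from the Red Hat manual or from the pam_krb5 project. It parses PAM configuration text, reports whether a system-auth stack uses pam_krb5 the way the section describes (consulted during authentication, reusing the password already typed for pam_unix so the user is prompted once, ending in pam_deny so a misconfiguration fails closed, and present in the session stack so the credential cache is set up and torn down with the session), and lists which cleartext-protocol services would still receive the Kerberos password. The sample configuration files, the service names in CLEARTEXT_SERVICES, and the assumption that Telnet logins use the "remote" PAM service are constructed for the example.

```python
"""Audit PAM stacks for pam_krb5 placement and for Kerberos password exposure.

Added example for this section, not code from the Red Hat manual or pam_krb5.
Module names and arguments (pam_krb5.so, pam_unix.so, use_first_pass, ...) are
the real RHEL 5 ones; the sample files and service lists below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# PAM line: type  control  module-path [arguments]. The control field may be
# bracketed and contain spaces, e.g. "[default=bad success=ok user_unknown=ignore]".
_RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class PamRule:
    type: str               # auth, account, password or session
    control: str            # required, sufficient, include, [...] etc.
    module: str             # module basename, or the included service name
    args: Tuple[str, ...]


def parse_pam(text: str) -> List[PamRule]:
    """Parse one /etc/pam.d/<service> file; comments and blank lines are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        typ, control, module, args = m.groups()
        rules.append(PamRule(typ.lstrip("-"), control,
                             module.rsplit("/", 1)[-1], tuple(args.split())))
    return rules


def krb5_auth_status(rules: List[PamRule]) -> Dict[str, bool]:
    """Properties of a login stack that the section relies on."""
    auth = [r for r in rules if r.type == "auth"]
    krb = [r for r in auth if r.module == "pam_krb5.so"]
    unix_idx = next((i for i, r in enumerate(auth) if r.module == "pam_unix.so"), None)
    krb_idx = next((i for i, r in enumerate(auth) if r.module == "pam_krb5.so"), None)
    return {
        "krb5_in_auth": bool(krb),
        # password typed for pam_unix is reused: the user is prompted once
        "single_prompt": bool(krb) and bool({"use_first_pass", "try_first_pass"} & set(krb[0].args)),
        # local accounts (root) are tried before the KDC is consulted
        "local_first": unix_idx is not None and krb_idx is not None and unix_idx < krb_idx,
        # stack ends in pam_deny, so a broken module list fails closed
        "fails_closed": bool(auth) and auth[-1].module == "pam_deny.so",
        # pam_krb5 in the session stack manages the credential cache lifetime
        "krb5_session": any(r.type == "session" and r.module == "pam_krb5.so" for r in rules),
    }


def auth_modules(service: str, configs: Dict[str, str],
                 seen: Optional[Set[str]] = None) -> List[str]:
    """Modules reached by a service's auth stack, following include/substack."""
    seen = set() if seen is None else seen
    if service in seen or service not in configs:
        return []
    seen.add(service)
    mods: List[str] = []
    for r in parse_pam(configs[service]):
        if r.type != "auth":
            continue
        if r.control in ("include", "substack"):
            mods.extend(auth_modules(r.module, configs, seen))
        else:
            mods.append(r.module)
    return mods


# Assumed PAM service names whose protocols send the password in plain text
# (the Telnet and FTP cases in the Tip). Constructed; adjust to what is installed.
CLEARTEXT_SERVICES = ("remote", "ftp", "vsftpd", "pop", "imap")


def krb5_password_exposed(configs: Dict[str, str],
                          cleartext: Tuple[str, ...] = CLEARTEXT_SERVICES) -> List[str]:
    """Services that would accept the Kerberos password over a cleartext protocol."""
    return sorted(s for s in cleartext
                  if s in configs and "pam_krb5.so" in auth_modules(s, configs))


# Constructed sample files in the style authconfig writes on RHEL 5 with
# Kerberos enabled; not copied from any real system.
SAMPLE_CONFIGS = {
    "system-auth": """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
session     optional      pam_krb5.so
""",
    "sshd": "auth       include      system-auth\naccount    include      system-auth\n",
    "remote": "auth       include      system-auth\n",   # assumed: login via in.telnetd
    "vsftpd": "auth       required     pam_krb5.so\n",
}

if __name__ == "__main__":
    for key, ok in krb5_auth_status(parse_pam(SAMPLE_CONFIGS["system-auth"])).items():
        print("%-14s %s" % (key, "ok" if ok else "CHECK"))
    print("Kerberos password reachable over cleartext protocols:",
          krb5_password_exposed(SAMPLE_CONFIGS) or "none")
```

On a real host, replace SAMPLE_CONFIGS with the contents of /etc/pam.d/*; sshd is deliberately absent from CLEARTEXT_SERVICES because, as the Warning notes, an encrypted protocol is the lesser problem, while any service in that list whose auth stack reaches pam_krb5.so is exactly what the Tip warns against.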