request a new ticket for that specific service from the TGS. The service ticket is then used to authenticate the user to that service transparently.

Warning

The Kerberos system can be compromised any time any user on the network authenticates against a non-kerberized service by sending a password in plaintext. Use of non-kerberized services is discouraged. Such services include Telnet and FTP. Use of other encrypted protocols, such as SSH or SSL secured services, however, is acceptable, though not ideal.

This is only a broad overview of how Kerberos authentication works. Those seeking a more in-depth look at Kerberos authentication should refer to Section 7, “Additional Resources”.

Note

Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on the network. Therefore, a clock synchronization program should be set up for the network, such as ntpd. For more about configuring ntpd, refer to /usr/share/doc/ntp-/index.htm for details on setting up Network Time Protocol servers (replace with the version number of the ntp package installed on the system).

Also, since certain aspects of Kerberos rely on the Domain Name Service (DNS), be sure that the DNS entries and hosts on the network are all properly configured. Refer to the Kerberos V5 System Administrator's Guide, provided in PostScript and HTML formats in /usr/share/doc/krb5-server- for more information (replace with the version number of the krb5-server package installed on the system).

4. Kerberos and PAM

Currently, kerberized services do not make use of Pluggable Authentication Modules (PAM) — kerberized servers bypass PAM completely. However, applications that use PAM can make use of Kerberos for authentication if the pam_krb5 module (provided in the pam_krb5 package) is installed. The pam_krb5 package contains sample configuration files that allow services like login and gdm to authenticate users as well as obtain initial credentials using their passwords. If access to network servers is always performed using kerberized services or services that use GSS-API, such as IMAP, the network can be considered reasonably safe.
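A check that follows from the warning about Telnet and FTP, added here as an example and not part of the original guide: it reads `ss -tln` output and reports TCP listeners on the well-known ports of those two services. The function names, the PLAINTEXT_PORTS variable and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners for the plaintext-password services the
# warning names (Telnet and FTP), given `ss -tln`-style output on stdin.

# Well-known ports: 21 = FTP control, 23 = Telnet (hypothetical variable name).
PLAINTEXT_PORTS="21:ftp 23:telnet"

# Prints "service port local-address" for each offending listener.
# Returns 1 if any were found, 0 otherwise.
find_plaintext_listeners() {
    awk -v ports="$PLAINTEXT_PORTS" '
        BEGIN {
            n = split(ports, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, ":")
                svc[kv[1]] = kv[2]
            }
        }
        $1 == "LISTEN" {
            # Local address is field 4; the port follows the last colon,
            # which also handles IPv6 forms such as [::]:23.
            m = split($4, part, ":")
            port = part[m]
            if (port in svc) {
                print svc[port], port, $4
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample input (not captured from a real host).
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      64     0.0.0.0:21         0.0.0.0:*
LISTEN 0      64     [::]:23            [::]:*
LISTEN 0      128    0.0.0.0:88         0.0.0.0:*
LISTEN 0      100    127.0.0.1:2323     0.0.0.0:*
EOF
}

# On a live host: ss -tln | find_plaintext_listeners
sample_listeners | find_plaintext_listeners || echo "plaintext services found"
```

A non-zero return status makes the function usable as a gate in a host compliance script for a kerberized network.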