Introduction to the Kerberos Products and GSS-API

PAM Kerberos

When using PAM Kerberos, only the application server is configured as a KDC client. Users are prompted for a password when they first log in to the server from the application client. The user holds no Kerberos credential, so the password is sent in clear text to the application server. The authentication steps, as shown in Figure 2-2, are:

1. The user sends a password to the remote system.

2. The application server invokes libkrb5.sl through PAM to request authentication from the KDC.

3. The KDC replies with an authenticator.

4. If the password provided is valid, the user is authenticated. If the password is incorrect, the user is denied access.

The Kerberos service module for PAM consists of the following four modules:

Authentication module

Account management module

Session management module

Password management module

All modules are supported through the same dynamically loadable library, libpam_krb5. The KRB5 PAM modules are compatible with MIT Kerberos 5 and Microsoft Windows 2000.

The Authentication Module

The Authentication module verifies the identity of a user and sets user-specific credentials. It authenticates the user to the KDC with a password. If the password matches, the user is authenticated and a Ticket Granting Ticket (TGT) is granted.

The Authentication Module supports the following options:

use_first_pass

krb_prompt

try_first_pass

renewable=<time>

forwardable
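The following /etc/pam.conf fragment is an added, constructed example (not taken from the HP-UX manual) showing how the options listed above are placed on libpam_krb5 entries; the module paths are assumed and should be checked against the system, and the use_first_pass/try_first_pass behaviour described in the comments is the standard PAM meaning of those options.

```text
# Constructed /etc/pam.conf fragment for PAM Kerberos on HP-UX.
# Entry format:  service  module-type  control-flag  module-path  options
# Module paths below are assumptions; verify where libpam_krb5 and
# libpam_unix are installed on the target system.

# login: ask the KDC first. "sufficient" ends the auth stack on a Kerberos
# success; on failure PAM continues with the next entry for this service.
# forwardable requests a forwardable TGT; renewable=<time> requests a
# renewable TGT (replace <time> with a lifetime in the module's format).
login   auth      sufficient  /usr/lib/security/libpam_krb5.1   forwardable renewable=<time>
# try_first_pass reuses the password the previous module already collected,
# so the user is prompted once; if none was collected, it prompts itself.
login   auth      required    /usr/lib/security/libpam_unix.1   try_first_pass

# su: both modules are required. use_first_pass makes libpam_krb5 reuse the
# password collected by libpam_unix and never prompt on its own; if no
# password is available the Kerberos check fails rather than prompting.
su      auth      required    /usr/lib/security/libpam_unix.1
su      auth      required    /usr/lib/security/libpam_krb5.1   use_first_pass

# The other three modules of the same library: account, session and
# password management for the login and passwd services.
login   account   required    /usr/lib/security/libpam_krb5.1
login   session   required    /usr/lib/security/libpam_krb5.1
passwd  password  required    /usr/lib/security/libpam_krb5.1

# Note: these entries govern only how the application server verifies the
# password with the KDC. As described above, the password still travels in
# clear text from the application client to the server; protect that hop
# separately (for example with an encrypted transport).
```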


Chapter 2