Currently, kerberized services do not make use of Pluggable
Authentication Modules (PAM) at all — a kerberized server bypasses
PAM completely. Applications that use PAM can make use of Kerberos for
password checking if the pam_krb5 module (provided
in the pam_krb5 package) is installed. The
pam_krb5 package contains sample configuration
files that will allow services like login and
gdm to authenticate users and obtain initial
credentials using their passwords. If access to network servers is
always done using kerberized services (or services that use GSS-API,
like IMAP), the network can be considered reasonably safe.
Careful system administrators will not add Kerberos password checking to
all network services, because most of the protocols used by these services
do not encrypt the password before sending it over the network —
obviously something to avoid.
