Currently, kerberized services do not make use of Pluggable
Authentication Modules (PAM) — kerberized servers bypass PAM
completely. However, applications that use PAM can make use of
Kerberos for authentication if the pam_krb5 module (provided in the pam_krb5 package) is installed. The pam_krb5 package contains sample configuration
files that allow services like login and
gdm to authenticate users as well as
obtain initial credentials using their passwords. If access to
network servers is always performed using kerberized services or
services that use GSS-API, such as IMAP, the network can be
considered reasonably safe.
Administrators should be careful to not allow users to
authenticate to most network services using Kerberos passwords.
Many protocols used by these services do not encrypt the password
before sending it over the network, destroying the benefits of the
Kerberos system. For example, users should not be allowed to
authenticate using their Kerberos passwords over Telnet.