Services

What kind of services are provided by a Kerberized App Server? Network shells, network file transfer, e-mail, web access, version control systems, and more.

Three Models

Kerberos authentication of programs and services can follow three different models:

• Classic Kerberized services - a limited set of traditional Unix program replacements. Examples include RLOGIN, RSH, TELNET, FTP, and RCP.
• Secure Channel + PAM + Kerberos services - any application that needs username/password authentication and can be tunneled over a secure channel (TLS/SSL, SSH, IPSec, etc.) and authenticated via the pam_krb5 module. Examples include SSH, Apache, POP3, IMAP, and NNTP.
• GSS-API - This API allows for multiple network-based authentication schemes that are transparent to the calling program. Examples of GSS-API-enabled applications that use Kerberos authentication include NFSv4, patched versions of SSH2, and some IMAP servers and clients. There are also GSS-API enabled web browsers and web server modules.

In the following sections, the first two models will be explored.