Using Kerberos Authentication via TLS and PAM

Although Kerberos was designed for single sign-on, many applications do not support it. Even where an application does support Kerberos, enabling it may require recompiling and configuring it by hand rather than using the vendor's supported binary packages. One solution is to use PAM in conjunction with TLS. Many Internet client/server applications can send plaintext authentication through a TLS tunnel. This protects the username and password in transit, and the server then acts as a Kerberos proxy, checking the password against the KDC with pam_krb5.

POP3 Server using TLS, PAM, and Kerberos:

As a demonstration, I set up a UW-IMAP POP3 server. It is only accessible via TLS on TCP port 995; unencrypted authentication is not an option. When the POP3 client presents a username and password, PAM behaves exactly as it does for a local login: first it checks the local /etc files, then it checks Kerberos. Here is a link to a guide on how to set up a Red Hat 9 UW-IMAP POP3 server with TLS:

Quickstart Guide - Red Hat 9 POP3 Server

This assumes that you have already set up a Red Hat 9 system as a DAS Client App Server. By default, the POP3 server follows the PAM rules in /etc/pam.d/system-auth. You can change this by modifying the /etc/pam.d/pop config file; for example, you may want to limit POP3 authentication to Kerberos only and not consult local files at all.
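As an added example (not taken from the guide linked above), here is what /etc/pam.d/pop looks like in the default files-then-Kerberos form and in a Kerberos-only form. The pam_stack line is assumed to match Red Hat 9's default layout; module names and paths may differ on other distributions.

```conf
# /etc/pam.d/pop -- default form (assumed Red Hat 9 layout).
# Every phase is delegated to /etc/pam.d/system-auth, which tries
# pam_unix (local /etc/passwd and /etc/shadow) first and then pam_krb5.
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

# /etc/pam.d/pop -- Kerberos-only form.
# Local password files are never consulted, so a POP3 login succeeds only
# if the KDC accepts the password. "required" with no fallback module means
# a Kerberos failure is a login failure; there is no silent path around it.
auth       required     pam_krb5.so
account    required     pam_krb5.so
session    optional     pam_krb5.so
```

Keep a host keytab in place on the server: pam_krb5 can only confirm that the ticket it obtained really came from your KDC when it has the host's own key to check against, so a server without /etc/krb5.keytab is trusting whatever answers on the KDC port.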

There is no reason this same setup should not work for the UW-IMAP IMAP4 server as well. IMAP can also be compiled and configured to support Kerberos authentication via GSS-API; however, many IMAP clients still do not support GSS-API.