Kerberos / PAM Usage ?

[Tim Alsop]

Hi,
 
I am looking for advice and feedback from the Kerberos community in relation to UNIX, PAM and Kerberos. If you can provide me with some feedback based on your views and experiences it would be very much appreciated.
 
It is clear that PAM is becoming a common way to provide pluggable authentication services on UNIX or Linux operating systems. I am particularly interested in PAM for authorisation and wanted to hear from you about this. If you can help me, please provide feedback on the points listed below :
 
1. Do you, or the company you represent use Kerberos, or are you considering using Kerberos with PAM for authorisation, authentication, or both authentication and authorisation.
 
Note: Currently PAM with Kerberos can be used for authentication so that login to the operating system directly at console, or via telnet can be handled consistently. The use of PAM for authorisation would involve checking .k5login files in home directories and/or using an aname database on each system, or perhaps some other form of mechanism.
 
2. If you are using, or considering using PAM for authorisation I would like to hear if you using it with .k5login files, or checking authorisation via an LDAP lookup, or some other method. Can you provide details of your usage, or intended usage of PAM for authorisation ?
 
3. Do you have any GSS-API enabled applications, or any Kerberos enabled applications that accept a security context to determine the users principal name and then use PAM for authorisation, or do you have any applications that you would like have enabled in this way ?
 
Many thanks in advance for your help,
 
Tim Alsop