> >> I will make another pitch at this, put pam_authtok_get first, and if >> the password entered is "PKI", "PKINIT", "smart card" or some other >> key phrase (blank?), then pam_krb5 will try PKINIT. You only need one >> pam_krb5 on the stack too, and if the pam_authtok_get changes, you >> don't have to change pam_krb5. > > What if there is another required module below pam_krb5 that requires a > password? > >
I really strongly dislike the idea of having a special password that causes it to behave differently. It just smells like a bad hack. -Wyllys
