On Mon, May 27, 2013 at 3:51 PM, Greg Hudson <ghudson at mit.edu> wrote: > More generally, I'm not sure the pam_krb5 module ought to be driving the > decision to use PKINIT. [...] Well, certainly the KDC must decide how some principal is authenticated. But local policy must also be allowed to set a bar. Nico --