pam_krb5 with PKINIT from Heimdal and MIT

Jeffrey Hutzelman jhutz at
Fri Oct 13 13:27:30 EDT 2006

On Friday, October 13, 2006 09:52:02 AM -0500 "Douglas E. Engert" 
<deengert at> wrote:
> The way PAM works today i.e. get a username and password
> then call all the pam routines one at a time with the same password

That's not how PAM works.  It is up to individual PAM modules to request 
that the application prompt the user for a username, password, or other 
data.  The framework provides a mechanism (the PAM_USER and PAM_AUTHTOK 
items) for caching and reusing the previously-entered username and/or 
password when appropriate, but it is up to individual modules to decide 
when to do this.  For many modules, this behavior is controlled by the 
pam_first_pass and pam_try_first options.

-- Jeff

More information about the krbdev mailing list