An updated pam_krb5 package that fixes a bug is now available for Red Hat Enterprise Linux 5.
The pam_krb5 package allows PAM-aware applications to check user passwords with the help of a Kerberos KDC.
Previously, if a system was configured to perform Kerberos authentication using PKINIT, users who attempted to change their passwords using the "passwd" command or other PAM-aware application, while a smart card was inserted, would be erroneously prompted for the smart card PIN. With this update, the plugin returns an error to any requests for non-password information while attempting to obtain password-changing credentials. As a result, the unnecessary request for the smart card PIN is no longer made to the user in the scenario described.
All users of pam_krb5 are advised to upgrade to this updated package, which fixes this bug.