PAM, su, and ksu behavior

Jason C. Wells jcw at highperformance.net
Thu Aug 2 04:32:58 UTC 2007


I would like for the su command to NOT prompt the user for any password
when the user has a Kerberos ticket.  That is, su should not prompt for a
Kerberos or Unix passwd.  PAM is unable to determine if a terminal is
encrypted and so the system should not inspire the user to cough up a
password.

I simply added:

auth        sufficient  pam_ksu.so      no_warn

to the second line in the default /etc/pam.d/su config file.  It worked,
but I would not expect to be prompted for a password when I already have
a ticket.  (Secure single sign-on is the whole point, right?)

What I desire is the behavior of the MIT ksu command.  If the principal
is listed in .k5login and has a valid ticket for the requesting
principal, to be granted the shell as the new UID.

Near as I can tell, the Heimdal ksu command that comes with FreeBSD has
nothing to do with PAM.  Is that true?

Don't assume that I understand PAM.  I have been looking at this for all 
of a couple days.  It seems dead simple.  Maybe I just can't get the 
behavior I want.

Thanks,
Jason C. Wells

