Package: libpam-krb5
Version: 4.7-4
Severity: normal
Dear Maintainer,
Please add the no_subsequent_prompt option to pam_krb5. This option is
implemented in Red Hat and is very useful.
Example:

auth required pam_env.so
auth [success=ok ignore=2 authinfo_unavail=2 default=die] pam_pkcs11.so card_only
auth [default=ignore] pam_krb5.so no_initial_prompt no_subsequent_prompt
auth sufficient pam_permit.so
auth sufficient pam_krb5.so
auth required pam_deny.so

This PAM configuration allows authorization by username/password, obtaining
a Kerberos ticket, ONLY if a smartcard is not inserted.
If a smartcard is inserted, authorization is possible ONLY by pkcs11, and the
Kerberos ticket is obtained by pam_krb5 using the certificate without asking
for the PIN again.
I am unable to create the same configuration using pam_krb5 with the
try_pkinit option because pam_krb5 will ask for a password if PKINIT failed
due to an invalid PIN.
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8),
LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-krb5 depends on:
ii krb5-config 2.6
ii libc6 2.24-11+deb9u1
ii libkrb5-3 1.15-1
ii libpam-runtime 1.1.8-3.6
ii libpam0g 1.1.8-3.6
libpam-krb5 recommends no packages.
libpam-krb5 suggests no packages.
-- no debconf information
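
Added example (not part of the original report, and not pam_krb5 or Linux-PAM code): a simplified Python model of how Linux-PAM walks the auth stack quoted above, run over the scenarios the report describes. The per-module return values and the names evaluate, STACK, SHORTHAND and BASE are assumptions made for illustration.

```python
# Simplified model of how Linux-PAM walks the auth stack quoted in this report.
# Return values per scenario are assumptions from the report's description.
PKCS11 = "pam_pkcs11.so card_only"
KRB5_CARD = "pam_krb5.so no_initial_prompt no_subsequent_prompt"
KRB5_PW = "pam_krb5.so"
SHORTHAND = {  # bracket equivalents of the keyword controls used here
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}
STACK = [
    ("required", "pam_env.so"),
    ({"success": "ok", "ignore": 2, "authinfo_unavail": 2, "default": "die"}, PKCS11),
    ({"default": "ignore"}, KRB5_CARD),
    ("sufficient", "pam_permit.so"),
    ("sufficient", KRB5_PW),
    ("required", "pam_deny.so"),
]
BASE = {"pam_env.so": "success", "pam_permit.so": "success", "pam_deny.so": "auth_err"}

def evaluate(returns):
    """Walk STACK; return (granted, modules that actually ran)."""
    verdict, ran, skip = None, [], 0
    for control, module in STACK:
        if skip:                      # inside a jump set by an earlier module
            skip -= 1
            continue
        rules = SHORTHAND[control] if isinstance(control, str) else control
        action = rules.get({**BASE, **returns}[module], rules["default"])
        ran.append(module)
        if isinstance(action, int):   # numeric action: skip the next N modules
            skip = action
        elif action in ("ok", "done") and verdict is None:
            verdict = True
        elif action in ("bad", "die"):
            verdict = False
        if action == "die" or (action == "done" and verdict):
            break                     # die fails at once; done succeeds at once
    return verdict is True, ran

if __name__ == "__main__":
    cases = {  # constructed scenarios, not captured PAM output
        "no card, good password": {PKCS11: "authinfo_unavail", KRB5_PW: "success"},
        "no card, bad password": {PKCS11: "authinfo_unavail", KRB5_PW: "auth_err"},
        "card, good PIN": {PKCS11: "success", KRB5_CARD: "success"},
        "card, bad PIN": {PKCS11: "auth_err"},
        "card, good PIN, PKINIT fails": {PKCS11: "success", KRB5_CARD: "auth_err"},
    }
    for name, returns in cases.items():
        print(name, "->", evaluate(returns))
```

In this model the last case still grants the login, because [default=ignore] on the first pam_krb5 line discards a PKINIT failure; the session then simply has no ticket.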