Comment 5 for bug 1336663

Note that all that pam-krb5 specifically cares about is KRB5CCNAME, so an alternative approach that may require less refactoring and would work for that PAM module would be to preserve the PAM environment from pam_getenvlist and set those variables in the environment before invoking PAM for unlock. That should not require reusing the same PAM handle.

I don't know if that would be sufficient for other PAM modules, however.