I think that since Kerberos is a third-party authentication mechanism,
the workflow should be like this:

 /---------->[KDC]
 |   /--------/
 |   |
(1) (2)
 |   |
 |   V
Client------(3)------>Server
(1) Authentication REQUEST to KDC
(2) KDC_REPLAY
KDC_REPLAY = TICKET, OTHER
OTHER = {client, server, K_session}K_user
TICKET = {client, server, start_time, lifetime, K_session}K_Server
(3) Authentication REQUEST to Server
REQUEST = AUTHENTICATOR, TICKET
AUTHENTICATOR = {user, addr}K_session

For an ssh login via pam_krb5, the 'Client' should be a program such as
'ssh' or 'PuTTY', and the Server should be 'sshd with pam_krb5'.

Then I must get the ticket first; on Linux I use 'kinit', and on
Windows it is 'kfw'.

But what if I have not gotten the ticket? I tried this and the prompt for
a password was presented; after I typed the right password, I was logged in.
The logs look like this:

sh# tail /var/log/messages
Apr 9 04:29:44 docs sshd(pam_unix)[1784]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.64 user=rocky
Apr 9 04:29:44 docs sshd[1784]: pam_krb5[1784]: The "hosts"
configuration directive is not supported with your release of
Kerberos. Please check if your release supports an `extra_addresses'
directive instead.
Apr 9 04:29:44 docs sshd[1784]: pam_krb5[1784]: authentication
succeeds for 'rocky' (rocky@SHOPEX.CN)
Apr 9 04:29:44 docs sshd(pam_unix)[1786]: session opened for user
rocky by (uid=0)

sh# tail /var/log/krb5kdc.log
Apr 09 04:29:44 docs.shopex.cn krb5kdc[25811](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 192.168.0.98: ISSUE: authtime 1176107384, etypes
{rep=16 tkt=23 ses=16}, rocky@SHOPEX.CN for krbtgt/SHOPEX.CN@SHOPEX.CN
Apr 09 04:29:44 docs.shopex.cn krb5kdc[25811](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 192.168.0.98: ISSUE: authtime 1176107384, etypes
{rep=16 tkt=23 ses=16}, rocky@SHOPEX.CN for krbtgt/SHOPEX.CN@SHOPEX.CN

So pam_krb5 still participates in the authentication process, and takes
effect. Since I didn't get the ticket, and offered my password to
pam_krb5, I think the process does not fit the graph above, does it?

I think this process is more like what Apache mod_auth_kerb does, like
this:

                          /-------->[KDC]
 user_client              |   /-------/
      |                   |   |
 (user/pass)(0)          (1) (2)
      |                   |   |
      \--------> Apache   |   V
                [mod_auth_kerb]<-------o
                             |         |
                             o---(3)---o
(1)(2)(3) have the same meaning as in the previous graph.

Is there any problem with my understanding? Is pam_krb5 more like
mod_auth_kerb if the client does not offer the TICKET, rather than the
standard third-party authentication?

Thanks
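
Added example, not part of the original message: a Python sketch that correlates the two log excerpts quoted above, pairing each pam_krb5 success with the AS_REQ the KDC logged for the same principal and comparing the ssh client's rhost with the AS_REQ source address. It assumes the log formats are exactly those quoted; the function and field names are illustrative.

```python
import re

# Log lines copied from the message above, with the e-mail line wrapping removed.
SSHD_LOG = """\
Apr 9 04:29:44 docs sshd(pam_unix)[1784]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.64 user=rocky
Apr 9 04:29:44 docs sshd[1784]: pam_krb5[1784]: authentication succeeds for 'rocky' (rocky@SHOPEX.CN)
"""
KDC_LOG = """\
Apr 09 04:29:44 docs.shopex.cn krb5kdc[25811](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.98: ISSUE: authtime 1176107384, etypes {rep=16 tkt=23 ses=16}, rocky@SHOPEX.CN for krbtgt/SHOPEX.CN@SHOPEX.CN
Apr 09 04:29:44 docs.shopex.cn krb5kdc[25811](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.98: ISSUE: authtime 1176107384, etypes {rep=16 tkt=23 ses=16}, rocky@SHOPEX.CN for krbtgt/SHOPEX.CN@SHOPEX.CN
"""

RHOST = re.compile(r"sshd\(pam_unix\)\[(\d+)\]: authentication failure;.*rhost=(\S+)\s+user=(\S+)")
PAM_OK = re.compile(r"pam_krb5\[(\d+)\]: authentication succeeds for '([^']+)' \((\S+)\)")
AS_REQ = re.compile(r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (\S+): ISSUE: .*?, (\S+) for (\S+)$")


def correlate(sshd_log, kdc_log):
    """Pair each pam_krb5 success with the AS_REQs issued for the same principal."""
    # sshd PID -> remote host that opened the ssh connection
    rhosts = {m.group(1): m.group(2)
              for m in map(RHOST.search, sshd_log.splitlines()) if m}
    # (source address, client principal, requested service) per issued AS_REQ
    as_reqs = [m.groups() for m in map(AS_REQ.search, kdc_log.splitlines()) if m]
    findings = []
    for line in sshd_log.splitlines():
        ok = PAM_OK.search(line)
        if not ok:
            continue
        pid, user, principal = ok.groups()
        ssh_client = rhosts.get(pid)
        for src, client, service in as_reqs:
            if client != principal:
                continue
            findings.append({
                "user": user, "principal": principal, "service": service,
                "ssh_client": ssh_client, "as_req_source": src,
                # True when the KDC was contacted from an address other than
                # the ssh client's. Assumption: rhost is logged as an IP
                # address; a hostname there would need resolving first.
                "as_req_from_other_host": ssh_client not in (None, src),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SSHD_LOG, KDC_LOG):
        print(finding)
```
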