Couple of points: While I don't specifically advocate it, I note that Russ' pam_krb5 and the RedHat pam_krb5 both use configuration info in krb5.conf. I personally would think that's simpler, but probably less "pam-like".
I think you need an example of a smart-card-required configuration with pkinit-only pam_krb5 and fall-back to pam_pkcs11 if the network connection is down. ------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu