diff -up ./plugins/sudoers/auth/pam.c.krb5ccname ./plugins/sudoers/auth/pam.c
--- ./plugins/sudoers/auth/pam.c.krb5ccname	2019-10-28 13:27:38.000000000 +0100
+++ ./plugins/sudoers/auth/pam.c	2021-12-06 11:14:15.580226222 +0100
@@ -119,10 +119,10 @@ conv_filter_init(void)
 
 	/*
 	 * Messages from PAM account management when trusted mode is enabled:
-	 *  1 Last   successful login for %s: %s  
-	 *  2 Last   successful login for %s: %s on %s 
-	 *  3 Last unsuccessful login for %s: %s      
-	 *  4 Last unsuccessful login for %s: %s on %s 
+	 *  1 Last   successful login for %s: %s
+	 *  2 Last   successful login for %s: %s on %s
+	 *  3 Last unsuccessful login for %s: %s
+	 *  4 Last unsuccessful login for %s: %s on %s
 	 */
 	if ((catd = catopen("pam_comsec", NL_CAT_LOCALE)) != -1) {
 	    maxfilters += 4;
@@ -290,6 +290,7 @@ sudo_pam_init_quiet(struct passwd *pw, s
 int
 sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
 {
+    const char *envccname;
     const char *s;
     int *pam_status = (int *) auth->data;
     debug_decl(sudo_pam_verify, SUDOERS_DEBUG_AUTH)
@@ -298,8 +299,27 @@ sudo_pam_verify(struct passwd *pw, char
     getpass_error = false;	/* set by converse if user presses ^C */
     conv_callback = callback;	/* passed to conversation function */
 
+	/* Set KRB5CCNAME from the user environment if not set to propagate this
+	 * information to PAM modules that may use it to authentication. */
+	envccname = sudo_getenv("KRB5CCNAME");
+	if (envccname == NULL && user_ccname != NULL) {
+		if (sudo_setenv("KRB5CCNAME", user_ccname, true) != 0) {
+			sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+			"unable to set KRB5CCNAME");
+			debug_return_int(AUTH_FAILURE);
+		}
+	}
+
     /* PAM_SILENT prevents the authentication service from generating output. */
     *pam_status = pam_authenticate(pamh, PAM_SILENT);
+
+	/* Restore KRB5CCNAME to its original value. */
+	if (envccname == NULL && sudo_unsetenv("KRB5CCNAME") != 0) {
+		sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+		"unable to restore KRB5CCNAME");
+		debug_return_int(AUTH_FAILURE);
+	}
+
     if (getpass_error) {
 	/* error or ^C from tgetpass() */
 	debug_return_int(AUTH_INTR);