When without configure PAM, <1>USER1 use klog to login AFS, (tty1) <2>switch to another terminal(tty2), login as root , and su USER1, and this terminal got a tokens as tty1 without any password with PAM configure, it would not be that. Thank You