diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c
index b8f2e1d8f..c2f22a0a0 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -110,7 +110,6 @@ struct pe_opts {
 int capture_stdout;
 int capture_stderr;
 int expose_authtok;
- int use_first_pass;
 };

 static int
@@ -130,8 +129,10 @@ parse_options(const char *func, int *argc, const char **argv[],

 for (i = 0; i < *argc; ++i) {
 if (strcmp((*argv)[i], "debug") == 0 ||
- strcmp((*argv)[i], "no_warn") == 0) {
- /* ignore */
+ strcmp((*argv)[i], "no_warn") == 0 ||
+ strcmp((*argv)[i], "try_first_pass") == 0 ||
+ strcmp((*argv)[i], "use_first_pass") == 0) {
+ /* passthrough to library */
 } else if (strcmp((*argv)[i], "capture_stdout") == 0) {
 options->capture_stdout = 1;
 } else if (strcmp((*argv)[i], "capture_stderr") == 0) {
@@ -140,8 +141,6 @@ parse_options(const char *func, int *argc, const char **argv[],
 options->return_prog_exit_status = 1;
 } else if (strcmp((*argv)[i], "expose_authtok") == 0) {
 options->expose_authtok = 1;
- } else if (strcmp((*argv)[i], "use_first_pass") == 0) {
- options->use_first_pass = 1;
 } else {
 if (strcmp((*argv)[i], "--") == 0) {
 (*argc)--;
@@ -256,14 +255,7 @@ _pam_exec(pam_handle_t *pamh,
 openpam_log(PAM_LOG_ERROR, "%s: fcntl(): %m", func);
 OUT(PAM_SYSTEM_ERR);
 }
- if (options->use_first_pass ||
- strcmp(func, "pam_sm_setcred") == 0) {
- /* don't prompt, only expose existing token */
- rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
- authtok = item;
- } else {
- rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
- }
+ rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
 if (rc == PAM_SUCCESS) {
 /* We include the trailing null terminator. */
 authtok_size = strlen(authtok) + 1;
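Review bot: The comment `/* passthrough to library */` on the widened ignore branch in parse_options does not say which call consumes `try_first_pass` and `use_first_pass`, or that they only have an effect together with `expose_authtok`. A more specific comment would help the next reader, for example `/* not stored here: pam_get_authtok() reads these from the module options; only relevant with expose_authtok */`. This assumes the library looks the options up itself, which the hunk does not show. parse_options begins and continues outside the hunk.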
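Review bot: The single `pam_get_authtok()` call in _pam_exec drops the guarantee that `pam_sm_setcred` never prompts, which the removed `strcmp(func, "pam_sm_setcred") == 0` branch provided. Unless the library finds `try_first_pass` or `use_first_pass` in the module options, a setcred call with `expose_authtok` can now ask for a password through the conversation function and pass whatever is typed to the executed program, at a stage where callers commonly have no interactive conversation. Consider keeping a non-prompting path for setcred, as sketched below, or stating in the manual page that `use_first_pass` is required there. The sketch also rejects a NULL token before the `strlen(authtok)` that follows; the error code is a placeholder because the failure path is outside the hunk, as is the declaration of `item`. _pam_exec begins and continues outside the hunk.

```c
		/* … unchanged: fcntl() error handling … */
		if (strcmp(func, "pam_sm_setcred") == 0) {
			/* never prompt while setting credentials; expose only a cached token */
			rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
			authtok = item;
			if (rc == PAM_SUCCESS && authtok == NULL)
				rc = PAM_AUTH_ERR; /* placeholder: use the code the failure path expects */
		} else {
			rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
		}
		if (rc == PAM_SUCCESS) {
		/* … unchanged: token length computation … */
```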