EPAK is implemented as a patch to Heimdal Kerberos 0.8.1. It is a Kerberos extension, like PKINIT, but not for a specific type of authentication. Instead it provides a framework for various authentication schemes to be incorporated into Kerberos.
Thesis paper (or here)
EPAK source code
* The EPAK patch is licensed under the 3-clause BSD license.