Here's a patch that invokes kpasswd in the event the KDC fails to authenticate a user's Kerberos 5 password because it's expired: it attempts to get a ticket for kadmin/changepw and, if that works, dumps the user into kpasswd instead of passwd. Note that I don't consider myself security-cognizant enough to have thought through all the ramifications of this and whether it might not be opening up holes. Nevertheless, I'm submitting it in case it's not completely demented, so you all can figure out whether to implement it and, hopefully, code it up so it doesn't have the bugs my patch undoubtedly does.
Created attachment 576: referenced patch
Created attachment 581: updated patch

Sorry, slight fix to work with MIT krb5 libraries. Of course, MIT's kpasswd isn't working when it gets exec'd (I have the same problem as this guy: http://mailman.mit.edu/pipermail/kerberos/2003-October/003990.html), but, anyway...
This can be done using PAM kbd-int without server modifications. I don't think we want to implement it again in the server.
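The keyboard-interactive/PAM route the previous comment refers to, shown as an added illustration that is not part of the original report or of OpenSSH's own documentation: with UsePAM and keyboard-interactive authentication enabled, sshd hands the password-change conversation to the PAM password stack when the Kerberos module reports an expired password, so no change to sshd is needed. The module name pam_krb5.so, the file paths and the control flags below are assumptions for a typical MIT or Heimdal pam_krb5 installation; check the module name and options your distribution ships.

```conf
# /etc/ssh/sshd_config (relevant lines only; added example, not from the report)
UsePAM yes
# Older releases spell this option ChallengeResponseAuthentication
KbdInteractiveAuthentication yes
# Keep plain password auth off so clients use keyboard-interactive,
# which is the method through which sshd runs the PAM change conversation
PasswordAuthentication no

# /etc/pam.d/sshd (assumed module name pam_krb5.so; check your distribution)
auth      required   pam_krb5.so
account   required   pam_krb5.so
# sshd runs this stack when the auth module returns PAM_NEW_AUTHTOK_REQD,
# i.e. when the Kerberos password has expired
password  required   pam_krb5.so
session   optional   pam_krb5.so
```

To exercise it, expire a test principal's password on the KDC (with MIT kadmin, `modify_principal -pwexpire now testuser`) and log in over ssh with a client that offers keyboard-interactive; PAM should prompt for the current and new password before the session opens, and the prompts come from pam_krb5 rather than from a kpasswd exec'd by sshd.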
Close all resolved bugs after 7.3p1 release