Coy Hile writes:

> Is there any good way to make sure that a user will be prompted to change
> his password the next time he authenticates as a given principal?
>
> My first attempt was via setting the needchange flag on a test principal,
> but then I am unable to authenticate as that principal in the first place:
>
> kadmin: modprinc +needchange cah220
> Principal "cah220@COYHILE.COM" modified.
> kadmin: quit
> [22:53:31]supergrover:~ % kinit cah220
> kinit(v5): Password has expired while getting initial credentials
> [22:53:37]supergrover:~ %
>
> For what it's worth, I'm using an MIT kdc (actually SEAM).


I don't believe kinit supports prompting for password changes, but you can
still use kpasswd when the principal is marked +needchange. A good PAM
module should currently handle this case and prompt the user to change
their password.

--
Russ Allbery (rra@stanford.edu)
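
The fallback described in the reply, as an added shell example that is not part of the original thread: it runs kinit and, if the error matches the expired-password message shown in the transcript above, runs kpasswd and retries once. The function names and the KINIT/KPASSWD override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: fall back to kpasswd when kinit reports an expired password
# (the +needchange case). KINIT and KPASSWD can be overridden so the logic
# can be exercised without a KDC (an assumption of this example).
: "${KINIT:=kinit}"
: "${KPASSWD:=kpasswd}"

# Return 0 if the error text is the expired-password error from the thread.
# Matching on message text depends on the kinit version and locale.
is_expired_error() {
    case "$1" in
        *"Password has expired"*) return 0 ;;
        *) return 1 ;;
    esac
}

# kinit_or_change PRINCIPAL
# Try kinit; on an expired password, change it with kpasswd and retry once.
kinit_or_change() {
    princ=$1
    errfile=$(mktemp) || return 1
    if "$KINIT" "$princ" 2>"$errfile"; then
        rm -f "$errfile"
        return 0
    fi
    err=$(cat "$errfile")
    rm -f "$errfile"
    if is_expired_error "$err"; then
        echo "Password for $princ must be changed before logging in." >&2
        "$KPASSWD" "$princ" || return 1
        "$KINIT" "$princ"
        return $?
    fi
    # Any other failure is passed through unchanged.
    printf '%s\n' "$err" >&2
    return 1
}

# When invoked with a principal name, run the wrapper on it.
if [ "$#" -gt 0 ]; then
    kinit_or_change "$1"
fi
```

Any kinit failure other than the expired-password error is reported as-is and kpasswd is not invoked.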