>>>>> "Russ" == Russ Allbery writes:

Russ> Coy Hile writes:
>> kadmin: modprinc +needchange cah220
>> Principal "cah220@COYHILE.COM" modified.
>> kadmin: quit
>> [22:53:31]supergrover:~ % kinit cah220
>> kinit(v5): Password has expired while getting initial credentials
>> [22:53:37]supergrover:~ %
>> For what it's worth, I'm using an MIT kdc (actually SEAM).

Russ> I don't believe kinit supports prompting for password changes, but you can
Russ> still use kpasswd when the principal is marked +needchange. A good PAM
Russ> module should currently handle this case and prompt the user to change
Russ> their password.

A modern kinit program that uses the get_init_creds API will prompt
for a password change if the password has expired. I don't know if
the SEAM kinit is one of these, and you didn't mention which kinit
program you're using.