Comment 12 for bug 972537

Andrew Phillips (andrew-phillips) wrote :

I think I've been able to get pam_krb5 to ask for the new password properly by using the "defer_pwchange" option which moves asking for the replacement password from pam_authenticate() to pam_acct_mgmt(). See the man page for pam_krb5. However, the solution isn't perfect based on this note from the man page:

           If this option is set, pam-krb5 uses the fully correct PAM mechanism for
           handling expired accounts instead of failing in pam_authenticate(). Due
           to the security risk of widespread broken applications, be very careful
           about enabling this option. It should normally only be turned on to solve
           a specific problem (such as using Solaris Kerberos libraries that don't
           support prompting for password changes during authentication), and then
           only for specific applications known to call pam_acct_mgmt() and check its
           return status properly.