I think I've been able to get pam_krb5 to ask for the new password properly by using the "defer_pwchange" option, which moves asking for the replacement password from pam_authenticate() to pam_acct_mgmt(). See the man page for pam_krb5. However, the solution isn't perfect, based on this note from the man page:
If this option is set, pam-krb5 uses the fully correct PAM mechanism for
handling expired accounts instead of failing in pam_authenticate(). Due
to the security risk of widespread broken applications, be very careful
about enabling this option. It should normally only be turned on to solve
a specific problem (such as using Solaris Kerberos libraries that don't
support prompting for password changes during authentication), and then
only for specific applications known to call pam_acct_mgmt() and check its
return status properly.