I think we need to limit password expiration checks for radius case, indeed, when --user-auth is only 'radius', we have no means to check or change a password, especially for radius-based OTP codes.

I think if RADIUS server is capable to report password expiration for the user, we need to propagate it properly but changing password should be left for the RADIUS provider itself.

The problem with RADIUS protocol is that the password/PIN change AFAIR is done via Access-Challenge response from the server to the RADIUS client. That response would contain a message attribute - the prompt that needs to be shown to the user. User should read the prompt and reply to it with some input. RADIUS server and client usually do not know how to interpret it - only the real authentication server configured behind the RADIUS server knows what this reply is about based on the state of the session. I do not think there is an easy way to detect allow change of the password/PIN all the way through. For RADIUS case it should be single transaction operation - no multistage authentication possible.

AFAIR by OTP design if RADIUS is configured for a user his local Kerberos password is shadowed i.e. ignored and never used or checked in the authentication sequence. So the client should never get any password change prompt in the first place. If this is not the case it is a bug.

I don't believe we have any plan to handle password-changes over RADIUS.

However, the bug here seems to be something different: namely kdb is reporting that the (FreeIPA) password is expired when only RADIUS is configured. This is a real bug.

http://www.redhat.com/archives/freeipa-devel/2014-May/msg00014.html

master:

• 58f8ebf kdb: Don't provide password expiration when using only RADIUS