expired passwords/accounts and kerberos

[Rick Goyette]

Here is a situation I have:  I am aging passwords with the intent of
preventing users with expired passwords from using their accounts
without first changing their passwords.  In addition, I am using chage
to expire an account if it remains inactive too long.  This works well
for something like ssh, but does not work for something like a
kerberized rlogin.  SSH will correctly ask a user to change a password,
or tell them their account has expired, but a kerberized rlogin will
just let them in.  Does anyone know a good method of addressing this
problem?  Can PAM enforce this sort of thing?