How difficult would it be to PAM-ify chsh?

[Dan Mahoney]

Hey there,

It looks like chsh is pretty heavily tied in with YP/NIS, but nothing else 
(no pam, no libnss support).  Here in our work environment at DayJob, Inc, 
we use Kerberos, which means most of our users have a "*" in their 
master.passwd entries.  Annoyingly, this means that they can't change 
their base info.

So, has anyone come across, perhaps:

1)  a third-party installable dropin that could live in /usr/local/bin to 
do this sort of thing, that knows how to speak pam.

2) Or does someone know how difficult it would be to add the requisite 
hooks to this code to do the checking.  The tool is already setUID, after 
all, it has to be to manipulate the password file.

I could totally turn this into a PR, but I figured I'd ask here first.

-Dan