I suspect this may not be possible, but just in case anyone has any thoughts...
I have a server that users log into remotely purely to get access to a couple of resources through forwarded ports. The users authenticate using ssh keys that are stored in FreeIPA. This works really well for that purpose: there are no local users set up on the server, no one has shell access, all they can do is forward ports using: ssh -N <config'd name>.
FreeIPA also has a user password that is used for some on-premises resources—with COVID and no one coming into the office anymore, they have no way of changing that password.
Is there a way to allow users to do:
ssh -t <config'd name> "kpasswd <user>@<domain>"
or the equivalent without having a local account/home dir? I don't really want to litter up /home/ just for this one command...