I think it is a pretty valid use case, though I don't like the proposed
implementation. In essence it is implementing one-time-passwords instead
of multi-use passwords and both of those are reasonable concepts. Having
to implement one-time passwords using multi-use passwords + iptables is
a really bad, over complicated hack, particularly considering how trivial
this is todo in QEMU.
In terms of impl though, rather than having separate a 'expire_password'
command, I think it would be preferrable to have alternative syntax for
setting initial credentials
change vnc passwd (for multi-use passwords)
change vnc otp (for single-use passwords)
Or, extend the existing 'change vnc passwd' command to allow optional
flags as a 4th argument.
change vnc passwd otp