Note that every user of the demo account will be able to decrypt every other user's communications, unless SPAKE preauth is used (and even then an MITM attack is likely possible).

I believe this use case is currently possible in three suboptimal ways, the first of which is probably easiest:

1. Set a long min_life on the principal.

2. Provide a password quality plugin module which always fails the quality check for this principal.

3. Disable the "self" kadm5_auth module, and instead provide a new module which enables self-service for every principal but this one.
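
A sketch of the first option, as an added example that is not part of the original message: in MIT krb5 the minimum password life is a policy attribute (`-minlife`), so the script creates a policy with a long minimum life, attaches it to the principal, and confirms the attachment. The policy name `demo_nochange`, the `3650 days` value, the function name and the overridable `KADMIN` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes MIT krb5 and a root
# shell on the KDC host. KADMIN can be overridden (e.g. for a dry run).
KADMIN="${KADMIN:-kadmin.local}"

# lock_self_change PRINCIPAL [POLICY] [MINLIFE]
# Attaches a policy with a long minimum password life to PRINCIPAL and
# returns 0 only if get_principal then reports that policy.
lock_self_change() {
    princ="$1"
    policy="${2:-demo_nochange}"   # hypothetical policy name
    minlife="${3:-3650 days}"      # constructed value, roughly ten years

    if [ -z "$princ" ]; then
        echo "usage: lock_self_change PRINCIPAL [POLICY] [MINLIFE]" >&2
        return 2
    fi

    # add_policy reports an error if the policy already exists, so follow it
    # with modify_policy to make sure the minimum life is the one requested.
    "$KADMIN" -q "add_policy -minlife \"$minlife\" $policy" >/dev/null 2>&1
    "$KADMIN" -q "modify_policy -minlife \"$minlife\" $policy" >/dev/null 2>&1

    # Attach the policy to the shared principal.
    "$KADMIN" -q "modify_principal -policy $policy $princ" >/dev/null 2>&1

    # Verify from the principal record instead of trusting exit codes.
    "$KADMIN" -q "get_principal $princ" 2>/dev/null |
        grep -q "^Policy: $policy\$"
}

# Usage on the KDC host (principal name is a placeholder):
#   lock_self_change demo@EXAMPLE.COM
```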