pkinit with passwords

[Chris]

I've been experimenting with pkinit, and was wondering if there is a
way to also require the normal kerberos password as well as using a
certificate file.   I prefer not to trust the cert alone, but would also
like something more than a password.  I can ask people to password
protect their cert key, and that works, but is unenforceable.

I'd really like to avoid shunting some kind of preauth to yet another
authentication system if possible.  Is it possible to do what I
described, or is there a better way?

Cheers,
Chris