Since Katello use oauth exclusively we would recommend to turn off user/pass authentication completely. An option for that would improve security. For now we are randomizing admin password. When implemented, please raise new BZ to swtich this option on in the Katello installer, thank you.
I don't think this falls under the jurisdiction of Pulp to provide as a feature. By default, our user certificates last a week. So for the common usage (OAuth isn't really documented or pushed as an actual feature) it doesn't really make sense to ever disable user/pass authentication. That's not to say it's not possible, but I think it's a post-install step that's up to the user to configure. It involves changing the httpd configuration to deny basic auth to Pulp. So a workaround exists, but it's done as post-install configuration by the user (or, in this case, as part of the Katello installation). Keep in mind it's not something we've tested.
This is still desired by the katello team (per jsherrill).
Moved to https://pulp.plan.io/issues/164