I am facing the following situation on my Linux:

- I have my own user database for the users who log in via a web interface
- privileged users are allowed to log on to the device via ssh (PAM is in use)
- these users are redirected (via an NSS module) to a Linux user who cannot log in directly to the system

So far this is working fine. But now I also want the user to change the password if it has expired. Therefore my PAM module returns the error code PAM_NEW_AUTHTOK_REQD in the pam_sm_acct_mgmt function. The user is then prompted to change the password.

Unfortunately, the function of my PAM module that I configured in /etc/pam.d/sshd is not used for the password change, but the one that was configured in /etc/pam.d/passwd. In the source code I then saw that the passwd binary is called directly, which explains the behavior. Furthermore I saw in the source that in special cases pam_chauthtok is called.

As an experiment I made the NSS redirection to the root user and set PermitRootLogin to yes in the sshd_config. Then the PAM module which was configured in /etc/pam.d/sshd is called to change the password, as I would have expected in the case of the non-root user.

So I wonder why pam_chauthtok is only called in special cases (!use_privsep)? My understanding is that this is wrong because the password statements in the sshd PAM configuration have no effect.

Thanks,
Martin

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
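The practical consequence of the behaviour described in the post is that an administrator who puts a custom module only in the `password` stack of /etc/pam.d/sshd can believe expired-password changes over ssh go through that module when, with privilege separation, they go through /etc/pam.d/passwd instead. The following script is an added example (not code from the poster or from OpenSSH) that parses PAM service files, follows `@include` lines, and reports which modules sit in the `password` stack of sshd versus the stack that actually runs. The sample files are constructed inline and the privsep rule is taken from the post as stated; the real /etc/pam.d contents and the sshd_config value must be substituted by whoever runs it.

```python
"""Audit which PAM 'password' stack an expired-password change over ssh will use.

Assumption (from the post): with privilege separation sshd execs passwd(1), so
the change runs under the 'passwd' service; without privsep sshd calls
pam_chauthtok() itself under the 'sshd' service.
"""
import re

# Constructed sample /etc/pam.d files; not anyone's real configuration.
SAMPLE_PAM_D = {
    "sshd": """\
# constructed example of /etc/pam.d/sshd
auth       required   pam_mydb.so
account    required   pam_mydb.so
password   required   pam_mydb.so
session    required   pam_unix.so
""",
    "passwd": """\
# constructed example of /etc/pam.d/passwd
@include common-password
""",
    "common-password": """\
password   [success=1 default=ignore]  pam_unix.so obscure sha512
password   requisite                  pam_deny.so
password   required                   pam_permit.so
""",
}

# type, control (plain word or [bracketed]), module, optional args
_LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_service(name, files, depth=0):
    """Return (type, control, module, args) tuples for a service, following @include."""
    if depth > 8:
        raise ValueError("@include nesting too deep (loop?)")
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("@include"):
            included = line.split(None, 1)[1].strip()
            entries.extend(parse_service(included, files, depth + 1))
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line in {name}: {raw!r}")
        mtype, control, module, args = m.groups()
        mtype = mtype.lstrip("-").lower()         # leading '-' marks an optional module
        entries.append((mtype, control, module, args.split()))
    return entries


def password_modules(name, files):
    """Module names in the 'password' stack of a service, in order."""
    return [e[2] for e in parse_service(name, files) if e[0] == "password"]


def effective_chauthtok_service(use_privsep):
    """Service whose 'password' stack handles the forced change (per the post)."""
    return "passwd" if use_privsep else "sshd"


def audit(files, use_privsep=True):
    """Compare the sshd 'password' stack with the one that actually runs."""
    svc = effective_chauthtok_service(use_privsep)
    sshd_mods = password_modules("sshd", files)
    eff_mods = password_modules(svc, files)
    return {
        "effective_service": svc,
        "sshd_password_modules": sshd_mods,
        "effective_password_modules": eff_mods,
        # modules the admin configured for sshd that will never see the change
        "sshd_only": [m for m in sshd_mods if m not in eff_mods],
    }


if __name__ == "__main__":
    for privsep in (True, False):
        r = audit(SAMPLE_PAM_D, use_privsep=privsep)
        print(f"UsePrivilegeSeparation={'yes' if privsep else 'no'}: "
              f"change runs under '{r['effective_service']}', "
              f"modules {r['effective_password_modules']}, "
              f"sshd-only modules bypassed: {r['sshd_only']}")
```

On the constructed files the privsep case reports that pam_mydb.so is bypassed and the change runs through pam_unix.so, pam_deny.so and pam_permit.so; the non-privsep case reports nothing bypassed. To check a real host, load the files from /etc/pam.d into the dictionary and set `use_privsep` from sshd_config.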