Hello!

We manage all passwords (Kerberos) in our institute with an extra tool. The expired passwords also have to be renewed with this tool. So I removed the password section completely from the PAM config, but I still get the following lines when I log in via ssh with an expired password.

>>
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user expuser.
passwd: Permission denied
Connection to testnode closed.
<<

I am looking for a PAM config which handles the expired status like a disabled account or a wrong password, without the "Changing password for user expuser. passwd: Permission denied" lines.

Regards!
Sven

OS: RHEL clone 6.5 (Scientific Linux)

Package versions:
pam-1.1.1-17.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-workstation-1.10.3-10.el6_4.6.x86_64
krb5-libs-1.10.3-10.el6_4.6.x86_64
openafs-krb5-1.6.5.1-147.sl6.x86_64

In the PAM log I see:

pam_krb5[18333]: account checks fail for 'expuser': password has expired
pam_krb5[18333]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
Accepted password for expuser from 131.w.x.y port 49334 ssh2
pam_krb5[18333]: default/local realm 'TEST.NET'
pam_krb5[18333]: configured realm 'TEST.NET'
pam_krb5[18333]: flag: debug
pam_krb5[18333]: flags: forwardable not proxiable
pam_krb5[18333]: flag: no ignore_afs
pam_krb5[18333]: flag: no null_afs
pam_krb5[18333]: flag: tokens
pam_krb5[18333]: flag: no cred_session
pam_krb5[18333]: flag: user_check
pam_krb5[18333]: flag: no krb4_convert
pam_krb5[18333]: flag: krb4_convert_524
pam_krb5[18333]: flag: krb4_use_as_req
pam_krb5[18333]: will try previously set password first
pam_krb5[18333]: will ask for a password if that fails
pam_krb5[18333]: will let libkrb5 ask questions
pam_krb5[18333]: flag: use_shmem
pam_krb5[18333]: flag: external
pam_krb5[18333]: flag: no multiple_ccaches
pam_krb5[18333]: flag: warn
pam_krb5[18333]: ticket lifetime: 86400s (1d,0h,0m,0s)
pam_krb5[18333]: renewable lifetime: 172800s (2d,0h,0m,0s)
pam_krb5[18333]: minimum uid: 0
pam_krb5[18333]: banner: Kerberos 5
pam_krb5[18333]: ccache dir: /xyz
pam_krb5[18333]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
pam_krb5[18333]: keytab: FILE:/etc/krb5.keytab
pam_krb5[18333]: token strategy: v4,524,2b,rxk5
pam_krb5[18333]: afs cell: test.net
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session setup
pam_krb5[18333]: pam_sm_open_session returning 0 (Success)
pam_unix(sshd:session): session opened for user expuser by (uid=0)
Received disconnect from 131.w.x.y: 11: disconnected by user
...
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session cleanup
pam_krb5[18333]: pam_sm_close_session returning 0 (Success)
pam_unix(sshd:session): session closed for user expuser

PAM config:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_access.so debug
account required pam_unix.so broken_shadow debug
account sufficient pam_localuser.so debug
account sufficient pam_succeed_if.so uid < 500 quiet debug
account [default=bad success=ok user_unknown=ignore] pam_krb5.so debug
account required pam_permit.so debug

#password requisite pam_cracklib.so try_first_pass retry=3 type=
#password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password sufficient pam_krb5.so use_authtok
#password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so debug
session optional pam_krb5.so debug

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list