password expiration

[Michael Stone]

How are people handling password expirations in (non-pam) openssh?
I'm currently running a program in the various startup scripts that
reports to the user when their password will expire and runs passwd if
that date is getting close. How are other people dealing with this? 
Is anyone working on integrating password changing into openssh? Is
doing so even desired, since it's fairly trivial to implement outside of
openssh?

On a related note, there was a change some time ago which made
allowed_user reject users whose password has been set to "force change"
with passwd -f (or equivalent). (Specifically, the check for sp_lstchg
was set to >= 0 rather than > 0). The result is that there's no way to
force a user to change his password on next login, because doing so
makes him unable to log in. Is there any reason not to reverse this?
Digging throught the list archives, it looks like the change was
suggested by stevesk at sweden.hp.com, but I don't see any discussion of
why the new behavior is preferred.

-- 
Mike Stone