grace logins on solaris

Chip Christian chip at
Sat May 27 02:59:56 EST 2000

When I run sshd -d and connect using an expired login, this is what I get:

debug: Server will not fork when running in debugging mode.
Connection from port 901
debug: Client protocol version 1.5; client software version OpenSSH-2.1
debug: Local version string SSH-1.99-OpenSSH-2.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "chip"
debug: Attempting authentication for chip.
Failed rsa for chip from port 901
debug: Adding PAM message: Your password has expired and you have 4 grace login(s).
debug: PAM Password authentication accepted for user "chip"
Accepted password for chip from port 901
debug: PAM setting rhost to ""
May 26 12:39:38 sshd[8029]: PAM_NDS : Password expired.
PAM rejected by account configuration: Get new authentication token
Faking authloop for illegal user chip from port 901

pam_acct_mgmt is returning PAM_NEW_AUTHTOK_REQD.  Is there BSD licensed 
code out there already to deal with asking users to change an expired 

> We just started using NDS for Solaris to authenticate users on our SOlaris 
> 2.6 boxes.  Works great with OpenSSH except for one thing.  When a user's 
> password is expired, sshd won't allow them access, while telnetd reports 
> the number of grace logins left, and asks to change the user's password.  
> Seems to be an interaction with the PAM account module, but I'm not 
> familiar enough with any of the code/APIs to say much more.  Any ideas on 
> getting this implemented?

More information about the openssh-unix-dev mailing list