sshd and password expiration

KOCH.Martin Martin.KOCH at
Fri Dec 22 19:21:43 AEDT 2023

I am facing the following situation on my Linux:
- I have my own user database for the users who log in via a web interface
- privileged users are allowed to log on to the device via ssh (pam is in use)
- these users are redirected (via nss module) to a linux user who cannot log in directly to the system
So far this is working fine.

But now I also want the user to change the password if it has expired. Therefore my PAM module returns the error code PAM_NEW_AUTHTOK_REQD in the pam_sm_acct_mgmt function. The user is then prompted to change the password. Unfortunately, the function of my pam module that I configured in /etc/pam.d/sshd is not used for the password change, but the one that was configured in /etc/pam.d/passwd.
In the source code I then saw that the passwd binary is called directly, which explains the behavior. Furthermore I saw in the source that in special cases pam_chauthtok is called.
As an experiment I made the nss redirection to the root user and set PermitRootLogin to yes in the sshd_config. Then the pam module which was configured in /etc/pam.d/sshd is called to change the password, as I would have expected in the case of the non-root user.

So I wonder why pam_chauthtok is only called in special cases (!use_privsep)?
My understanding is that this is wrong because the password statements in the sshd pam configuration have no effect.

Thanks, Martin
