When I run sshd -d and connect using an expired login, this is what I get:
debug: Server will not fork when running in debugging mode.
Connection from 192.168.12.2 port 901
debug: Client protocol version 1.5; client software version OpenSSH-2.1
debug: Local version string SSH-1.99-OpenSSH-2.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "chip"
debug: Attempting authentication for chip.
Failed rsa for chip from 192.168.12.2 port 901
debug: Adding PAM message: Your password has expired and you have 4 grace login(s).
debug: PAM Password authentication accepted for user "chip"
Accepted password for chip from 192.168.12.2 port 901
debug: PAM setting rhost to "fleck.princetonecom.com"
May 26 12:39:38 piglet.princetonecom.com sshd[8029]: PAM_NDS : Password expired.
PAM rejected by account configuration: Get new authentication token
Faking authloop for illegal user chip from 192.168.12.2 port 901
pam_acct_mgmt is returning PAM_NEW_AUTHTOK_REQD. Is there BSD licensed
code out there already to deal with asking users to change an expired
password?
> We just started using NDS for Solaris to authenticate users on our Solaris
> 2.6 boxes. Works great with OpenSSH except for one thing. When a user's
> password is expired, sshd won't allow them access, while telnetd reports
> the number of grace logins left, and asks to change the user's password.
> Seems to be an interaction with the PAM account module, but I'm not
> familiar enough with any of the code/APIs to say much more. Any ideas on
> getting this implemented?