Howdy coders,

in openssh-2.5.2p2, auth1.c, do_authentication() you folks do a call to getpwnam(user). If this fails, you NULL out 'pw'.

Unfortunately, this stops start_pam() from being called at all.

I'm not a PAM API expert, but I was under the impression that there are PAM API calls you should be making for account verification, in PARALLEL to getpwnam(), rather than being gated by getpwnam().

Or instead, maybe you should have start_pam fill out a limited set of (struct passwd) info, if getpwnam failed [and then call allowed_user() AFTER this].

I'm trying to use a PAM module to integrate with OpenLDAP. I want to have user account info present on only the LDAP server, not in the regular password info. And ONLY for sshd. So a plain call to getpwnam will fail.

Yes, I realize that this will break other UNIX apps expecting getpwnam to work. That's MY problem :-)

Your problem is that I think you guys are going against the principles of how PAM was designed: as a replacement for stuff like getpwnam(), and hand-checking of shadow expiration.