Without giving a solution, I want to mention the following problem:
Not only is changing expired passwords when privilege separation is enabled in
combination with PAM not working (although the current patches seem to
solve this one); some PAM session modules also do not work the way they are
supposed to. For instance, the pam_lastlog module. This module gets and
updates the last successful login attempt for a specific user
in /var/log/lastlog. When privilege separation mode is enabled, not enough
privileges are available to read and update lastlog (root:root 0640).
Changing the permissions to 0666 (obviously not something you want to do)
makes it work again. When privilege separation is disabled, everything
works OK. One alternative could be to use the PrintLastLog option of
OpenSSH; however, see bug 463. Also, this does not solve the real problem and
might leave us with the same problem with other PAM modules.
Regards,
Rene.
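The lastlog handling described in the post above, as an added example that is not part of the post, of OpenSSH or of Linux-PAM: a minimal reader and updater for the uid-indexed /var/log/lastlog database, taking the file path as a parameter so it can be exercised on a constructed file. The record layout (int32 time, 32-byte line, 256-byte host) is assumed to match glibc's struct lastlog on Linux, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* One record per uid at byte offset uid * sizeof(struct ll_rec); layout
 * assumed to match glibc's struct lastlog on Linux. */
struct ll_rec {
    int32_t ll_time;      /* last login, seconds since the epoch */
    char    ll_line[32];  /* tty or pseudo-line such as "ssh" */
    char    ll_host[256]; /* remote host name or address */
};

/* Read uid's record (zeroed if never logged in). Returns 0 or -errno;
 * -EACCES is what an unprivileged process gets on a root:root 0640
 * lastlog, the symptom described in the report. */
int lastlog_read(const char *path, uid_t uid, struct ll_rec *out)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    memset(out, 0, sizeof(*out));
    ssize_t n = pread(fd, out, sizeof(*out), (off_t)uid * (off_t)sizeof(*out));
    int err = errno;
    close(fd);
    if (n < 0)
        return -err;
    return (n == 0 || n == (ssize_t)sizeof(*out)) ? 0 : -EIO;
}

/* Record a successful login for uid, as pam_lastlog's session hook does;
 * it needs write access, so it fails the same way from the privsep child. */
int lastlog_update(const char *path, uid_t uid, const char *line,
                   const char *host, int32_t when)
{
    struct ll_rec rec = { .ll_time = when };
    strncpy(rec.ll_line, line, sizeof(rec.ll_line) - 1);
    strncpy(rec.ll_host, host, sizeof(rec.ll_host) - 1);
    int fd = open(path, O_WRONLY | O_CREAT, 0640);
    if (fd < 0)
        return -errno;
    ssize_t n = pwrite(fd, &rec, sizeof(rec), (off_t)uid * (off_t)sizeof(rec));
    int err = errno;
    close(fd);
    return n == (ssize_t)sizeof(rec) ? 0 : -(n < 0 ? err : EIO);
}
```

Both functions return -EACCES when the caller lacks permission on a root:root 0640 file, which is the condition the post describes; that error should be surfaced by the caller rather than worked around by widening the file mode to 0666.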