Due to difficulties in getting PAM (with krb5) password expiry working consistently on multiple platforms, I'd like to see if I could hack something into auth-krb5.c to do so. Here's a backtrace when stopped in auth_krb5_password: #0 auth_krb5_password (authctxt=0x8e148, password=0x90250 "XXXXXXXX") at auth-krb5.c:270 #1 0x274d8 in auth_password (authctxt=0x8e148, password=0x90250 "XXXXXXXX") at auth-passwd.c:140 #2 0x380fc in mm_answer_authpassword (socket=9, m=0xffbeef28) at monitor.c:608 #3 0x376c4 in monitor_read (pmonitor=0x8bec0, ent=0x84150, pent=0xffbeefbc) at monitor.c:371 #4 0x37244 in monitor_child_preauth (pmonitor=0x8bec0) at monitor.c:280 #5 0x1aaac in privsep_preauth () at sshd.c:603 #6 0x1d45c in main (ac=3, av=0xffbefaac) at sshd.c:1497 At first, I simply tried to add the stock Kerberos prompter to krb5_get_init_creds_password: problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, authctxt->krb5_user, (char *)password, krb5_prompter_posix, NULL, 0, NULL, NULL); however, this returned KRB5_LIBOS_CANTREADPWD due to the fact that fds 0 and 1 are closed and not connected to a socket.