On Wed, Mar 15, 2006 at 01:46:02PM -0800, samuel gipe wrote:
> When sshing into a machine with an expired password, the user is forced
> to change the password immediately. When updating the expired password
> the user is not advised if the proposed new password is in openldap's
> ppolicy password history. The update is denied but the user is not advised
> why, even though openldap generates a reason/message and pam_ldap passes that
> message to sshd (observed via strace).


What SSH software and version are you using? If it's OpenSSH, there was
a bug regarding passing of PAM messages back to the client that would
probably explain your problem. That bug was fixed in (from memory) 4.1p1.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
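An added check, not part of this thread: before chasing the ppolicy side, confirm whether the sshd in question is older than the release Darren recalls (4.1p1, stated "from memory" above, so treat the threshold as an assumption). The script below parses the version string from `ssh -V` output or an SSH server banner and reports whether it predates that release; the sample banners are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Release Darren recalls as carrying the PAM-message fix ("from memory" in the reply);
# the comparison below treats the fix as present from the first 4.1 portable release.
# Assumption taken from the thread, not independently verified here.
FIX_RELEASE = (4, 1, 0)

# Matches "OpenSSH_4.1p1", "OpenSSH_3.8.1p1", "OpenSSH_7.4" (non-portable), with or
# without a leading "SSH-2.0-" banner prefix or trailing OpenSSL details.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_openssh_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, portable) from an `ssh -V` line or SSH banner.

    Returns None when the text does not identify an OpenSSH build at all.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def predates_pam_message_fix(text: str) -> Optional[bool]:
    """True if the OpenSSH release is older than FIX_RELEASE, False if not,
    None if the text is not an OpenSSH version string (e.g. another SSH server)."""
    version = parse_openssh_version(text)
    if version is None:
        return None
    # The portable suffix only distinguishes builds within one release, so the
    # release tuple (major, minor, patch) is what decides "older than 4.1".
    return version[:3] < FIX_RELEASE


def local_openssh_banner() -> str:
    """Run `ssh -V` on this host; OpenSSH prints its version to stderr."""
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True, check=False)
    return (proc.stderr + proc.stdout).strip()


if __name__ == "__main__":
    # Constructed sample strings, not captured from any real host.
    samples = [
        "OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004",
        "OpenSSH_4.0p1, OpenSSL 0.9.7f 22 Mar 2005",
        "OpenSSH_4.1p1, OpenSSL 0.9.8a 11 Oct 2005",
        "SSH-2.0-OpenSSH_7.4",
        "SSH-2.0-dropbear_2019.78",
    ]
    for s in samples:
        print(f"{s!r}: predates fix -> {predates_pam_message_fix(s)}")
    try:
        print("local:", local_openssh_banner())
    except FileNotFoundError:
        print("local: ssh binary not found")
```

A result of True means the missing "password in history" message is plausibly the client-side PAM message bug rather than anything in ppolicy or pam_ldap; None means the server is not OpenSSH and the recollection above does not apply.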