diff -ur openssh-3.4p1.orig/auth-pam.c openssh-3.4p1/auth-pam.c
--- openssh-3.4p1.orig/auth-pam.c Wed May 8 06:27:56 2002
+++ openssh-3.4p1/auth-pam.c Fri Jul 5 23:39:24 2002
@@ -29,6 +29,7 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -36,10 +37,14 @@
 extern char *__progname;
+extern int use_privsep;
+
 RCSID("$Id$");
 #define NEW_AUTHTOK_MSG \
- "Warning: Your password has expired, please change it now"
+ "Warning: Your password has expired, please change it now."
+#define NEW_AUTHTOK_MSG_PRIVSEP \
+ "Your password has expired, the session cannot proceed."
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
 struct pam_response **resp, void *appdata_ptr);
@@ -55,7 +60,7 @@
 /* states for do_pam_conversation() */
 enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
-/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
+/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */
 static int password_change_required = 0;
 /* remember whether the last pam_authenticate() succeeded or not */
 static int was_authenticated = 0;
@@ -254,13 +259,16 @@
 case PAM_SUCCESS:
 /* This is what we want */
 break;
-#if 0
 case PAM_NEW_AUTHTOK_REQD:
- message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
+ message_cat(&__pam_msg, use_privsep ?
+ NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
 /* flag that password change is necessary */
 password_change_required = 1;
+ /* disallow other functionality for now */
+ no_port_forwarding_flag |= 2;
+ no_agent_forwarding_flag |= 2;
+ no_x11_forwarding_flag |= 2;
 break;
-#endif
 default:
 log("PAM rejected by account configuration[%d]: "
 "%.200s", pam_retval, PAM_STRERROR(__pamh, 
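Review bot: `extern int use_privsep;` in the `@@ -36,10 +37,14 @@` hunk is a file-local declaration of a variable defined in another translation unit, so a later change to its type or name in the defining file cannot be caught by the compiler here; this is the variable that now decides between the two expired-password messages and the fatal() path, so it deserves to live in a shared header alongside the other declarations this file already includes. If keeping it local, at least name the owner: `extern int use_privsep;	/* defined in <defining file>; selects the privsep message and fatal() path */`. The hunk that consumes it at `@@ -254,13 +259,16 @@` is cut off at the end of this page, so its closing lines are not visible here.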
@@ -328,7 +336,7 @@
 * Have user change authentication token if pam_acct_mgmt() indicated
 * it was expired. This needs to be called after an interactive
 * session is established and the user's pty is connected to
- * stdin/stout/stderr.
+ * stdin/stdout/stderr.
 */
 void do_pam_chauthtok(void)
 {
@@ -337,11 +345,23 @@
 do_pam_set_conv(&conv);
 if (password_change_required) {
+ if (use_privsep)
+ fatal("Password changing is currently unsupported"
+ " with privilege separation");
 pamstate = OTHER;
 pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 if (pam_retval != PAM_SUCCESS)
 fatal("PAM pam_chauthtok failed[%d]: %.200s",
 pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+ /* XXX: This would need to be done in the parent process,
+ * but there's currently no way to pass such request. */
+ no_port_forwarding_flag &= ~2;
+ no_agent_forwarding_flag &= ~2;
+ no_x11_forwarding_flag &= ~2;
+ if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+ channel_permit_all_opens();
+#endif
 }
 }
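Review bot: The `&= ~2` lines that would lift the forwarding restrictions after a successful pam_chauthtok() are inside `#if 0`, so on the non-privsep path the bit-2 flags set when PAM_NEW_AUTHTOK_REQD was reported (the `|= 2` lines in the earlier hunk) stay set for the rest of the session even after the password has been changed; the XXX comment explains only why the privsep case cannot clear them, not that the non-privsep case is left fail-closed as well. That is a defensible default, but it should be stated where the block is disabled, e.g. `/* NOTE: while this stays disabled, port/agent/X11 forwarding remain off for the whole session after a forced password change, with or without privsep. */`. The new `if (use_privsep) fatal(...)` also runs only here, which per the function's own comment is after the interactive session and pty are set up, so the client sees the connection drop rather than a rejection before session setup; if the call ordering allows, the `use_privsep` check could instead be made where `password_change_required` is set, so the message added there is the last thing the user sees. do_pam_chauthtok() begins outside this hunk.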