diff -ur openssh-1.2.1pre24.orig/auth-pam.c openssh-1.2.1pre24/auth-pam.c
--- openssh-1.2.1pre24.orig/auth-pam.c	Thu Dec 30 05:11:25 1999
+++ openssh-1.2.1pre24/auth-pam.c	Tue Jan  4 19:07:56 2000
@@ -15,6 +15,8 @@
 
 RCSID("$Id$");
 
+extern char *forced_command;
+
 /* Callbacks */
 static int pamconv(int num_msg, const struct pam_message **msg,
 	  struct pam_response **resp, void *appdata_ptr);
@@ -137,6 +139,9 @@
 	if (pam_retval == PAM_SUCCESS) {
 		debug("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name);
 		return 1;
+	} else if (pam_retval == PAM_NEW_AUTHTOK_REQD) {
+		debug("PAM (expired)Password authentication accepted for user \"%.100s\"", pw->pw_name);
+		return 1;
 	} else {
 		debug("PAM Password authentication for \"%.100s\" failed: %s", 
 			pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
@@ -165,9 +170,15 @@
 	}
 
 	pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
-	if (pam_retval != PAM_SUCCESS) {
-		log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
-		return(0);
+	if(pam_retval == PAM_NEW_AUTHTOK_REQD) {
+		forced_command = xmalloc(strlen("/usr/bin/passwd -N ssh") + 1);
+		strcpy(forced_command, "/usr/bin/passwd -N ssh");
+/*		pam_retval = pam_chauthtok((pam_handle_t *)pamh, PAM_CHANGE_EXPIRED_AUTHTOK); */
+	} else {
+		if (pam_retval != PAM_SUCCESS) {
+			log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+			return(0);
+		}
 	}
 	
 	return(1);
@@ -186,7 +197,7 @@
 	}
 
 	pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
-	if (pam_retval != PAM_SUCCESS)
+	if ((pam_retval != PAM_SUCCESS) && (pam_retval != PAM_NEW_AUTHTOK_REQD))
 		fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
 }
 
@@ -197,7 +208,7 @@
  
 	debug("PAM establishing creds");
 	pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED);
-	if (pam_retval != PAM_SUCCESS)
+	if ((pam_retval != PAM_SUCCESS) && (pam_retval != PAM_NEW_AUTHTOK_REQD))
 		fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
 }