Just had a look at adding support for PAM_NEW_AUTHTOK_REQ in dropbear like so:
--- a/svr-authpam.c
+++ b/svr-authpam.c
- if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
+ rc = pam_acct_mgmt(pamHandlep, 0);
+ if (rc == PAM_NEW_AUTHTOK_REQD) {
+ rc = pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK);
+ }
+ if (rc != PAM_SUCCESS) {

This is of course not enough and I wonder if upstream dropbear would be interested in adding support for PAM_NEW_AUTHTOK_REQ?

Jocke
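
Review bot: at the `rc = pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK);` line, the return value overwrites the pam_acct_mgmt() result, so the following `if (rc != PAM_SUCCESS)` check handles a failed password change through the same path as a failed account check. Keeping the two results in separate variables, or logging which call failed before the shared check, would make an expired-token failure distinguishable in the logs. pam_chauthtok() also needs the conversation callback to supply a new token, which these lines do not arrange; until that exists, treating PAM_NEW_AUTHTOK_REQD as a failure with its own log message is more predictable than calling pam_chauthtok() at this point.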
