I am using DSEE 6.3 to authenticate and authorize my Solaris 9 and 10 users. Everything works fine except password expiration. I use the built-in global password policy for all users. The policy works well. However, I could not find the right PAM configuration to prompt users at ssh login for the expired password. Users can log in to the servers even if their password is expired. I found the login_limit PAM module, but it seems not to be installed by default on Solaris systems. Any idea how to overcome this issue?
Sorry, stupid question, but has the sshd_config got "UsePAM" configured?
If it hasn't, then configure it, restart sshd and try again.
If it is, then you should be able to find out which module is allowing access by debugging the "account" section of your pam.conf.
Make a copy of the pam.conf, and then add " debug" to the end of the "account" lines and make sure you enable auth.debug in your syslog.conf. Then when you log on you should see messages from each PAM module in the syslog.
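The debugging steps from the reply above, as an added example that is not part of the original thread: a filter that appends " debug" to the active "account" lines of a pam.conf copy, and a check that a syslog.conf enables auth.debug. The function names and the sample pam.conf lines are constructed for illustration, and the selector check is simplified to exact `auth.debug` or `*.debug` entries.

```shell
#!/bin/sh
# Added example: both functions read stdin and write stdout, so they can be
# run against a copy and never edit /etc/pam.conf or /etc/syslog.conf in place.

# Append " debug" to every active "account" line that does not already have it.
add_account_debug() {
    awk '
        /^[ \t]*#/ || NF < 4 { print; next }   # comments, blanks, short lines
        $2 == "account" {
            for (i = 5; i <= NF; i++)          # options start at field 5
                if ($i == "debug") { print; next }
            sub(/[ \t]+$/, "")                 # drop trailing whitespace
            print $0 " debug"
            next
        }
        { print }                              # auth/session/password untouched
    '
}

# Return 0 if an uncommented syslog.conf line selects auth.debug (or *.debug).
has_auth_debug() {
    awk '
        /^[ \t]*#/ { next }
        {
            n = split($1, sel, ";")            # selectors are ";"-separated
            for (i = 1; i <= n; i++)
                if (sel[i] == "auth.debug" || sel[i] == "*.debug") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample input (not a real system's pam.conf).
SAMPLE_PAM='# constructed sample
sshd-kbdint  auth     required   pam_unix_auth.so.1
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1 debug
other   session required    pam_unix_session.so.1'

# Show the debug-enabled version of the sample.
printf '%s\n' "$SAMPLE_PAM" | add_account_debug
```

On a real host, run `add_account_debug < /etc/pam.conf > /tmp/pam.conf.debug`, review the result before installing it, and restore the original once the module that lets the expired account through has been identified.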