pam_passwdqc seems to have the same bug as rsh, in its conversation messages. The reproducer steps are the same except that you need to have: password required /lib/security/$ISA/pam_passwdqc.so min=disabled,disabled,disabled,8,8 max=22 passphrase=0 match=4 similar=deny retry=5 random=0 in your /etc/pam.d/system-auth +++ This bug was initially created as a clone of Bug #178916 +++ 1. Create a new user, and set the new user's password 2. Run chage to force the user's password to be updated (Maximum Password Age to "1", and Last Password Change to 2 days before today) 3. Install rsh-server 4. chkconfig rlogin on 5. Try to rlogin to this machine as that user $ rlogin -l testuser amd64 connect to address 172.16.10.230: Connection refused Trying krb4 rlogin... connect to address 172.16.10.230: Connection refused trying normal rlogin (/usr/bin/rlogin) Password: You are required to change your password immediately (password aged) Changing password for testuser (current) UNIX password: <snip> -- Additional comment from kzak on 2006-01-25 16:08 EST -- You're probably right. There's private PAM_conversation() implementation in the rlogind and it's without "\n".
pam_passwdqc is a separate package but I don't believe this bug is there either. The reason is that the 'You are required to change your password immediately (password aged)' message is issued by pam_unix and the EOL character must be added by the conversation function which is part of the rlogind.
Actually, it works with: password requisite /lib/security/$ISA/pam_cracklib.so retry=3 in the system-auth file, but not with pam_passwdqc as explained above.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0410.html