The order of operations that causes the expired password prompt is as follows:

  • SSH runs the PAM account stage, which verifies that the account exists and is valid. The account stage notices that the password has expired, and lets SSH know.
  • SSH performs key-based authentication. It doesn’t need PAM for this, so it doesn’t run the auth stage. It then sets up the SSH login session and runs the PAM session stage.
  • Next, SSH remembers that PAM told it the password had expired, prints a warning message, and asks PAM to have the user change the password. SSH then disconnects.

All of this is SSH’s doing, and I don’t see any SSH options to configure this behavior. So unless you want to build a custom version of SSH and/or PAM, the only option I see is to prevent PAM from reporting the expired password to SSH. If you do this, it will disable expired password checks over SSH entirely, even if the user is logging in over SSH with a password. Other (non-SSH) methods of login will still check password expiration.

Your current pam.d/sshd file has an account include common-account entry. I presume there’s a common-account file which contains a reference to This is the line that checks for an expired password.

You probably don’t want to touch the common-account file itself, since it’s used for other login methods. Instead, you want to remove the include from your pam.d/sshd file. If there are other functions in common-account besides, you probably want to put them directly into pam.d/sshd.

Finally, remember that this is a modification to the security of your system and you shouldn’t just blindly trust me to give you good advice. Read up on how PAM works if you’re unfamiliar with it. Some starting places might be man 7 PAM, man 5 pam.conf, and man 8 pam_unix.

An option was added to (around Feb-2016) called no_pass_expiry (source code change here or man page here). Basically it tells pam_unix to ignore an expired password if something other than pam_unix was used for auth, e.g. if sshd performed the auth.

As a result, if you have a version of that contains that option, you should be able to configure PAM to:

  1. Still warn but don’t require a change to an expired password if an SSH key was used to authenticate via ssh
  2. Require a password change of an expired password if a login/password via was used to authenticate via ssh
  3. Not impact any other auth sequence (e.g. via the login service).

For example, I configured a RHEL 7 server to do the above by simply updating /etc/pam.d/sshd and adding no_pass_expiry to both the account and password types, e.g.


account    required
account    sufficient no_pass_expiry
account    include     password-auth
password   sufficient no_pass_expiry
password   include     password-auth
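Added example, not code from either answer above: a small Python audit script that parses pam.d service files (including `include`, `substack` and Debian `@include` lines) and reports how the resolved `account` stack for a service treats an expired password. It covers both approaches on this page: the first answer's removal of the `account include common-account` line, and the second answer's `no_pass_expiry` configuration. The sample files are constructed stand-ins for /etc/pam.d/* rather than copies of any real system, and the module name pam_unix.so is an assumption (the second answer's config lines omit it, but its prose says the option belongs to pam_unix).

```python
"""Audit how a PAM service stack treats expired passwords (added example).

Resolves include / substack / @include lines, then looks at the first
pam_unix rule in the `account` phase, which is the rule that reports an
expired password back to sshd.  The inputs below are constructed stand-ins
for /etc/pam.d/* files, not copied from any real system.
"""
from dataclasses import dataclass, field


@dataclass
class PamRule:
    type_: str              # auth | account | password | session, or "*" for @include
    control: str            # required, sufficient, include, [bracketed ...], ...
    module: str             # pam_unix.so, or a file name for include/substack
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse one pam.d file into rules, handling comments and [bracketed] controls."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "@include":            # Debian-style whole-file include
            rules.append(PamRule("*", "include", tok[1]))
            continue
        type_ = tok[0].lstrip("-").lower()  # leading '-' = skip silently if module missing
        if tok[1].startswith("["):          # e.g. [success=1 default=ignore]
            end = next(i for i, t in enumerate(tok) if t.endswith("]"))
            control, rest = " ".join(tok[1:end + 1]), tok[end + 1:]
        else:
            control, rest = tok[1], tok[2:]
        rules.append(PamRule(type_, control, rest[0], rest[1:]))
    return rules


def resolve(service, files, depth=0):
    """Flatten includes.  `files` maps a pam.d file name to its text."""
    if depth > 8:
        raise ValueError("include loop in %s" % service)
    out = []
    for r in parse_pam(files[service]):
        if r.control in ("include", "substack"):
            for sub in resolve(r.module, files, depth + 1):
                if r.type_ in ("*", sub.type_):   # a typed include pulls only that type
                    out.append(sub)
        else:
            out.append(r)
    return out


def expiry_behaviour(service, files):
    """Return 'enforced', 'skipped-for-key-auth' or 'unchecked' for this service."""
    unix = [r for r in resolve(service, files)
            if r.type_ == "account" and r.module.startswith("pam_unix")]
    if not unix:
        return "unchecked"
    # Only the first pam_unix account rule matters here: with no_pass_expiry and a
    # `sufficient` control it returns success and ends the stack before any later
    # pam_unix rule (e.g. one pulled in from password-auth) can run.
    if "no_pass_expiry" in unix[0].args:
        return "skipped-for-key-auth"
    return "enforced"


# Constructed samples (assumption: pam_unix.so is the module behind the check).
DEBIAN_STOCK = {
    "sshd": "account required pam_nologin.so\n"
            "@include common-account\n",
    "common-account": "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\n"
                      "account requisite pam_deny.so\n"
                      "account required  pam_permit.so\n",
}
# After the first answer: the include is gone, the other entry stays inline.
DEBIAN_NO_INCLUDE = dict(DEBIAN_STOCK, sshd="account required pam_nologin.so\n")
# After the second answer, RHEL 7 style: no_pass_expiry on account and password.
RHEL_NO_PASS_EXPIRY = {
    "sshd": "account    required   pam_nologin.so\n"
            "account    sufficient pam_unix.so no_pass_expiry\n"
            "account    include    password-auth\n"
            "password   sufficient pam_unix.so no_pass_expiry\n"
            "password   include    password-auth\n",
    "password-auth": "account  required   pam_unix.so\n"
                     "password sufficient pam_unix.so sha512 shadow\n",
}

if __name__ == "__main__":
    for name, files in [("debian stock", DEBIAN_STOCK),
                        ("debian, include removed", DEBIAN_NO_INCLUDE),
                        ("rhel7 no_pass_expiry", RHEL_NO_PASS_EXPIRY)]:
        print("%-25s %s" % (name, expiry_behaviour("sshd", files)))
```

Run it against your own files by reading each pam.d entry into the `files` dictionary; the "unchecked" result is the state the first answer warns about, where password expiry is no longer enforced for any SSH login, while "skipped-for-key-auth" is the no_pass_expiry behaviour, where password-based SSH logins still hit the expiry check because pam_unix itself did the authentication.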