Hello Tomasz, Can you have a look at this patch?
It performs an pam_chauthok when pam_acct_mgmt returns an PAM_CHANGE_EXPIRED_AUTHOK. BTW, in adduser.c: s/spoll/spool/ Kind Regrads -- Nekral
Index: src/su.c =================================================================== RCS file: /cvsroot/shadow/src/su.c,v retrieving revision 1.41 diff -u -r1.41 su.c --- src/su.c 4 Aug 2005 19:13:43 -0000 1.41 +++ src/su.c 5 Aug 2005 22:55:18 -0000 @@ -519,6 +519,16 @@ if (amroot) { fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog, pam_strerror (pamh, ret)); + } if (ret == PAM_NEW_AUTHTOK_REQD) { + ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (ret != PAM_SUCCESS) { + SYSLOG ((LOG_ERR, "pam_chauthtok: %s", + pam_strerror (pamh, ret))); + fprintf (stderr, _("%s: %s\n"), Prog, + pam_strerror (pamh, ret)); + pam_end (pamh, ret); + su_failure (tty); + } } else { SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s", pam_strerror (pamh, ret)));