diff --git a/ChangeLog b/ChangeLog
index 702b6b6db..440aa914f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 20020721
  - (stevesk) [auth-pam.c] merge cosmetic changes from solar's
    openssh-3.4p1-owl-password-changing.diff
+ - (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
+   PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
 
 20020720
  - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
@@ -1401,4 +1403,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2381 2002/07/21 17:26:54 stevesk Exp $
+$Id: ChangeLog,v 1.2382 2002/07/21 17:57:01 stevesk Exp $
diff --git a/auth-pam.c b/auth-pam.c
index f31641c28..22807f1a9 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,6 +29,7 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -36,10 +37,14 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $");
+extern int use_privsep;
+
+RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now."
+#define NEW_AUTHTOK_MSG_PRIVSEP \
+	"Your password has expired, the session cannot proceed."
 
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
 	struct pam_response **resp, void *appdata_ptr);
@@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user)
 			break;
 #if 0
 		case PAM_NEW_AUTHTOK_REQD:
-			message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
+			message_cat(&__pam_msg, use_privsep ?
+			    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
 			/* flag that password change is necessary */
 			password_change_required = 1;
+			/* disallow other functionality for now */
+			no_port_forwarding_flag |= 2;
+			no_agent_forwarding_flag |= 2;
+			no_x11_forwarding_flag |= 2;
 			break;
 #endif
 		default:
@@ -335,11 +345,23 @@ void do_pam_chauthtok(void)
 	do_pam_set_conv(&conv);
 
 	if (password_change_required) {
+		if (use_privsep)
+			fatal("Password changing is currently unsupported"
+			    " with privilege separation");
 		pamstate = OTHER;
 		pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 		if (pam_retval != PAM_SUCCESS)
 			fatal("PAM pam_chauthtok failed[%d]: %.200s",
 			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+		/* XXX: This would need to be done in the parent process,
+		 * but there's currently no way to pass such request. */
+		no_port_forwarding_flag &= ~2;
+		no_agent_forwarding_flag &= ~2;
+		no_x11_forwarding_flag &= ~2;
+		if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+			channel_permit_all_opens();
+#endif
 	}
 }