(no subject)

Rick Goyette goyette at downbelow.pns.anl.gov
Tue Aug 24 19:19:17 UTC 2004


Found this in the pam_unix info:

        Based on the following shadow elements: expire; last_change;
        max_change; min_change; warn_change, this module performs the
        task of establishing the status of the user's account and
        password. In the case of the latter, it may offer advice to the
        user on changing their password or, through the
        PAM_AUTHTOKEN_REQD return, delay giving service to the user
        until they have established a new password. The entries listed
        above are documented in the GNU Libc info documents. Should the
        user's record not contain one or more of these entries, the
        corresponding shadow check is not performed.
        
which sounds like what I want to do:  restrict login based on shadow
info.  But I am not sure how to apply this.  Any advice?  I use the
shadow keyword in system-auth already:

password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

but not for auth.  
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
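
The shadow checks described in the quoted pam_unix text, as an added example that is not part of the original post and is not pam_unix's own code: a simplified Python model run over constructed shadow records. The function name, status strings, sample lines and day number are assumptions made for illustration.

```python
# Added example: simplified model of the shadow aging checks, not pam_unix source.
from typing import Optional

def _num(field: str) -> Optional[int]:
    """Empty or -1 means the entry is absent, so its check is skipped."""
    return None if field in ("", "-1") else int(field)

def account_status(shadow_line: str, today: int) -> str:
    """Classify one shadow(5) record; `today` is in days since 1970-01-01."""
    parts = shadow_line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated shadow fields")
    # Fields 3-6: last_change, min_change, max_change, warn_change.
    # min_change only limits how soon a password may be changed again,
    # so it plays no part in the login decision modelled here.
    last_change, _min_change, max_change, warn_change = map(_num, parts[2:6])
    expire = _num(parts[7])

    if expire is not None and today >= expire:
        return "account expired"
    if last_change is None:
        return "ok"  # no aging data, so the password checks are skipped
    if last_change == 0:
        return "new password required"
    age = today - last_change
    if max_change is not None and age > max_change:
        return "new password required"
    if (max_change is not None and warn_change is not None
            and age > max_change - warn_change):
        return f"ok, warn: password expires in {max_change - age} day(s)"
    return "ok"

TODAY = 12654  # constructed day number used for the samples below

# Constructed records: name:hash:last:min:max:warn:inactive:expire:reserved
SAMPLES = [
    "alice:HASH:12600:0:90:7::12650:",  # expire date already passed
    "bob:HASH:12500:0:90:7:::",         # password older than max_change
    "carol:HASH:12570:0:90:7:::",       # inside the warn_change window
    "dave:HASH:12640:0:90:7:::",        # recently changed
    "erin:HASH:::::::",                 # no aging entries at all
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line.split(":")[0], "->", account_status(line, TODAY))
```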