Hello,
Try to fix a security issue I discovered that allows users with expired passwords to authenticate anyway and be allowed access. Where might I fix this on RHEL 6? It's obviously set somewhere to ignore the authentication failure and expired token. Same user results below.

Expired Password:
sshd[14776]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip address> user=<username>
sshd[14776]: pam_sss(sshd:auth): received for user <username>: 12 (Authentication token is no longer valid; new one required)
sshd[14776]: Accepted password for <username> from <ip address> port <port number> ssh2
sshd[14776]: pam_unix(sshd:session): session opened for user <username> by (uid=0)

Non-expired Password:
sshd[22018]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip address> user=<username>
sshd[22018]: Accepted password for <username> from <ip address> port <port number> ssh2
sec001 sshd[22018]: pam_unix(sshd:session): session opened for user <username> by (uid=0)

Usually when a user password expires and it tries to authenticate over sshd it is asked to enter the existing password and then it prompt the user to change the password. If that is not the case it would be good to have a look at /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth.

Do you have any system where it is working as per design I mean when sshing prompting to change the password if user password is expired? If yes, it will be a good idea to compare the files from a working system with a non-working system.

If possible, paste the output of the above mentioned files in this thread.