diff --git a/src/acct.c b/src/acct.c

index 0dce4f9..f87001b 100644

--- a/src/acct.c

+++ b/src/acct.c

@@ -83,7 +83,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,

 	}

 	/* Read our options. */

-	options = _pam_krb5_options_init(pamh, argc, argv, ctx);

+	options = _pam_krb5_options_init(pamh, argc, argv, ctx,

+					 _pam_krb5_option_role_general);

 	if (options == NULL) {

 		warn("error parsing options (shouldn't happen)");

 		_pam_krb5_free_ctx(ctx);

diff --git a/src/auth.c b/src/auth.c

index c0257cf..eb93dc1 100644

--- a/src/auth.c

+++ b/src/auth.c

@@ -100,7 +100,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,

 		_pam_krb5_free_ctx(ctx);

 		return PAM_SERVICE_ERR;

 	}

-	options = _pam_krb5_options_init(pamh, argc, argv, ctx);

+	options = _pam_krb5_options_init(pamh, argc, argv, ctx,

+					 _pam_krb5_option_role_general);

 	if (options == NULL) {

 		warn("error parsing options (shouldn't happen)");

 		v5_free_get_init_creds_opt(ctx, gic_options);

diff --git a/src/options.c b/src/options.c

index 05539dc..60f5438 100644

--- a/src/options.c

+++ b/src/options.c

@@ -321,7 +321,8 @@ free_l(char **l)

 struct _pam_krb5_options *

 _pam_krb5_options_init(pam_handle_t *pamh, int argc,

 		       PAM_KRB5_MAYBE_CONST char **argv,

-		       krb5_context ctx)

+		       krb5_context ctx,

+		       enum _pam_krb5_option_role role)

 {

 	struct _pam_krb5_options *options;

 	int try_first_pass, use_first_pass, initial_prompt, subsequent_prompt;

@@ -622,7 +623,7 @@ _pam_krb5_options_init(pam_handle_t *pamh, int argc,

 	/* private option */

 	options->use_first_pass = 1;

 	options->use_second_pass = 1;

-	options->use_third_pass = 1;

+	options->use_third_pass = (role != _pam_krb5_option_role_chauthtok);

 	options->permit_password_callback = 0;

 	use_first_pass = option_b(argc, argv,

 				  ctx, options->realm,

diff --git a/src/options.h b/src/options.h

index 42ab7ee..c01376f 100644

--- a/src/options.h

+++ b/src/options.h

@@ -106,10 +106,16 @@ struct _pam_krb5_options {

 	int n_mappings;

 };

+enum _pam_krb5_option_role {

+	_pam_krb5_option_role_general,

+	_pam_krb5_option_role_chauthtok,

+};

+

 struct _pam_krb5_options *_pam_krb5_options_init(pam_handle_t *pamh,

 						 int argc,

 						 PAM_KRB5_MAYBE_CONST char **argv,

-						 krb5_context ctx);

+						 krb5_context ctx,

+						 enum _pam_krb5_option_role role);

 void _pam_krb5_options_free(pam_handle_t *pamh,

 			    krb5_context ctx,

 			    struct _pam_krb5_options *options);

diff --git a/src/pam_krb5.5.in b/src/pam_krb5.5.in

index ef07b96..144d446 100644

--- a/src/pam_krb5.5.in

+++ b/src/pam_krb5.5.in

@@ -220,7 +220,8 @@ controls whether or not pam_krb5.so will allow the Kerberos library to ask

 the user for a password or other information, if the previously-entered

 password is somehow insufficient for authenticating the user.  This is

 commonly needed to allow a user to log in when that user's password has

-expired.  The default is \fBtrue\fR.

+expired.  The default is \fBfalse\fR during password changes, and

+\fBtrue\fR otherwise.

 If the calling application does not properly support PAM conversations

 (possibly due to limitations of a network protocol which it is serving),

diff --git a/src/pam_krb5_cchelper.c b/src/pam_krb5_cchelper.c

index faea620..98e4f73 100644

--- a/src/pam_krb5_cchelper.c

+++ b/src/pam_krb5_cchelper.c

@@ -201,9 +201,16 @@ main(int argc, const char **argv)

 	/* We'll need a writable string for use as the template. */

 	ccname = xstrdup(argv[2]);

-	if ((ccname == NULL) || (strchr(ccname, ':') == NULL)) {

+	if (ccname == NULL) {

 		return 4;

 	}

+	if (strchr(ccname, ':') == NULL) {

+		p = malloc(strlen(ccname) + 6);

+		if (p != NULL) {

+			snprintf(p, strlen(ccname) + 6, "FILE:%s", ccname);

+			ccname = p;

+		}

+	}

 	workccname = NULL;

 	/* Parse the UID, if given. */

diff --git a/src/pam_newpag.c b/src/pam_newpag.c

index ff03b20..374cd3c 100644

--- a/src/pam_newpag.c

+++ b/src/pam_newpag.c

@@ -76,7 +76,8 @@ maybe_setpag(const char *fn, pam_handle_t *pamh, int flags,

 	}

 	/* Read our options. */

-	options = _pam_krb5_options_init(pamh, argc, argv, ctx);

+	options = _pam_krb5_options_init(pamh, argc, argv, ctx,

+					 _pam_krb5_option_role_general);

 	if (options == NULL) {

 		warn("error parsing options (shouldn't happen)");

 		_pam_krb5_free_ctx(ctx);

diff --git a/src/password.c b/src/password.c

index 75b7817..11c9719 100644

--- a/src/password.c

+++ b/src/password.c

@@ -103,7 +103,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,

 		_pam_krb5_free_ctx(ctx);

 		return PAM_SERVICE_ERR;

 	}

-	options = _pam_krb5_options_init(pamh, argc, argv, ctx);

+	options = _pam_krb5_options_init(pamh, argc, argv, ctx,

+					 _pam_krb5_option_role_chauthtok);

 	if (options == NULL) {

 		warn("error parsing options (shouldn't happen)");

 		v5_free_get_init_creds_opt(ctx, gic_options);

diff --git a/src/session.c b/src/session.c

index 2c2ef2e..206d44b 100644

--- a/src/session.c

+++ b/src/session.c

@@ -91,7 +91,8 @@ _pam_krb5_open_session(pam_handle_t *pamh, int flags,

 	}

 	/* Read our options. */

-	options = _pam_krb5_options_init(pamh, argc, argv, ctx);

+	options = _pam_krb5_options_init(pamh, argc, argv, ctx,

+					 _pam_krb5_option_role_general);

 	if (options == NULL) {

 		warn("error parsing options (shouldn't happen)");

 		_pam_krb5_free_ctx(ctx);

@@ -288,7 +289,8 @@ _pam_krb5_close_session(pam_handle_t *pamh, int flags,

 	}

 	/* Read our options. */

-	options = _pam_krb5_options_init(pamh, argc, argv, ctx);

+	options = _pam_krb5_options_init(pamh, argc, argv, ctx,

+					 _pam_krb5_option_role_general);

 	if (options == NULL) {

 		_pam_krb5_free_ctx(ctx);

 		return PAM_SERVICE_ERR;

diff --git a/src/sly.c b/src/sly.c

index 97835c9..bb398eb 100644

--- a/src/sly.c

+++ b/src/sly.c

@@ -147,7 +147,8 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags, const char *why,

 	}

 	/* Read our options. */

-	options = _pam_krb5_options_init(pamh, argc, argv, ctx);

+	options = _pam_krb5_options_init(pamh, argc, argv, ctx,

+					 _pam_krb5_option_role_general);

 	if (options == NULL) {

 		warn("error parsing options (shouldn't happen)");

 		_pam_krb5_free_ctx(ctx);