The specific g-c-c option seems simply doing the following password expiry change via accountsservice: $ /usr/bin/chage -d 0 -- $username See the example snippet at: > https://github.com/GNOME/gnome-control-center/blob/4cad3ca408125c15a0ddd952c31a86fbef51822c/panels/user-accounts/um-password-dialog.c#L210 > https://cgit.freedesktop.org/accountsservice/tree/src/user.c#n1797 While it might be on purpose we did not pass "nullok_secure" to the pam_unix module: > $ grep pam_unix /etc/pam.d/common-auth > $ auth required pam_unix.so try_first_pass Thus changing this line in common-auth should make the g-c-c option work, otherwise pam fails to authorize the no password login: auth required pam_unix.so try_first_pass nullok_secure