[Bug 3920] New: Password authentication fails when password contains '!' via interactive TTY input

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Feb 12 18:53:01 AEDT 2026 

https://bugzilla.mindrot.org/show_bug.cgi?id=3920

            Bug ID: 3920
           Summary: Password authentication fails when password contains
                    '!' via interactive TTY input
           Product: Portable OpenSSH
           Version: 10.1p1
          Hardware: 68k
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kappa.inouter at gmail.com

# Bug Report: Password authentication fails when password contains '!'
character via interactive TTY input

## Summary

Password authentication fails when the user's password contains one or
more `!` (exclamation mark) characters and the password is entered via
interactive TTY (manual typing, expect, SSH_ASKPASS). However,
`sshpass` — which injects the password through a different mechanism —
succeeds with the exact same password. Passwords without `!` work
correctly via all methods.

## Affected Versions

- OpenSSH_10.0p1 (Alpine Linux 3.22)
- OpenSSH_10.0p2 (Debian 13 Trixie)
- OpenSSH_10.2p1 (Alpine Linux 3.23)

## Environment

- **Server OS tested**: Alpine Linux 3.22/3.23, Debian 13
- **Client OS tested**: macOS (OpenSSH_10.0p2), Alpine Linux (loopback)
- **PAM**: Tested both with PAM (Debian) and without PAM (Alpine)

## Steps to Reproduce

```bash
# 1. Create a user with '!' in password
useradd -m testuser
echo 'testuser:1004in!!' | chpasswd

# 2. Verify password is correct via su
echo '1004in!!' | su -c 'echo OK' testuser
# Result: OK

# 3. Test with sshpass (succeeds)
sshpass -p '1004in!!' ssh -o PubkeyAuthentication=no testuser at 127.0.0.1
'echo OK'
# Result: OK

# 4. Test with expect (fails)
expect -c '
spawn ssh -o PubkeyAuthentication=no -o
PreferredAuthentications=password testuser at 127.0.0.1
expect "password:"
send "1004in!!\r"
expect {
    "Permission denied" { puts "FAILED"; exit 1 }
    "\\$" { puts "SUCCESS"; exit 0 }
}'
# Result: FAILED

# 5. Test interactive manual typing (fails)
ssh -o PubkeyAuthentication=no testuser at 127.0.0.1
# Type: 1004in!!
# Result: Permission denied

# 6. For comparison, set password without '!'
echo 'testuser:1004inbest' | chpasswd

# 7. Test with expect (succeeds)
expect -c '
spawn ssh -o PubkeyAuthentication=no -o
PreferredAuthentications=password testuser at 127.0.0.1
expect "password:"
send "1004inbest\r"
expect {
    "Permission denied" { puts "FAILED"; exit 1 }
    "\\$" { puts "SUCCESS"; exit 0 }
}'
# Result: SUCCESS
```

## Test Results Matrix

| Password     | sshpass | Interactive/TTY | expect | su (local) |
|--------------|---------|-----------------|--------|------------|
| `1004in!!`   | PASS    | **FAIL**        | **FAIL** | PASS     |
| `test!pass`  | PASS    | **FAIL**        | **FAIL** | PASS     |
| `1004in@@`   | PASS    | PASS            | PASS   | PASS       |
| `inbest1004` | PASS    | PASS            | PASS   | PASS       |

Only passwords containing `!` are affected. Other special characters
(`@`, `#`, `$`, etc.) work correctly.

## Server-Side Debug Logs

With `LogLevel DEBUG3`, the server shows `result 0` (auth failure) for
TTY-based input but `result 1` (auth success) for sshpass, with the
same password:

**sshpass (success):**
```
debug1: userauth-request for user testuser service ssh-connection
method password
debug3: mm_answer_authpassword: sending result 1
Accepted password for testuser from 127.0.0.1 port 35850 ssh2
```

**expect/interactive (failure):**
```
debug1: userauth-request for user testuser service ssh-connection
method password
debug3: mm_answer_authpassword: sending result 0
Failed password for testuser from 127.0.0.1 port 38862 ssh2
```

Both use the `password` authentication method — the difference is only
in how the client provides the password to the SSH client process.

## Analysis

- The password hash in `/etc/shadow` is correct (verified via `su` and
`sshpass`)
- The `LOCKED_PASSWD_PREFIX "!"` check in `platform_locked_account()`
is not the cause — it checks the shadow hash prefix, not the password
content
- The issue appears to be in how the password is read from the TTY and
transmitted to the server
- `sshpass` works because it creates its own pseudo-TTY and pipes the
password differently than interactive input
- This bug was introduced in or after OpenSSH 10.0 (the `sshd-auth`
process separation may be related)

## Expected Behavior

Passwords containing `!` should authenticate successfully regardless of
input method.

## Actual Behavior

Passwords containing `!` fail authentication when entered via
interactive TTY, expect, or SSH_ASKPASS, but succeed via `sshpass`.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list