Usability issue when forced to change password when logging in to a system

Iain Morgan imorgan at
Sat Jan 24 05:59:22 AEDT 2015

On Fri, Jan 23, 2015 at 11:52:13 +0100, John Olsson M wrote:
> In the OpenSSH source code it looks like OpenSSH does not cache and
> copy the authentication password back to the PAM stack when password
> change is invoked. Instead OpenSSH gets it again from the tty
> leading to the above usability issue.

As I recall, OpenSSH does not use PAM to implement password changes;
instead, it executes the system's passwd binary. This was done to avoid
a variety of problems. This allows password expiration to work on
platforms that do not have PAM support, and it probably also simplifies
the handling of password expiration when public-key or hostbased
authentication is used.

In short, executing passwd is simpler and much more portable.

Iain Morgan

More information about the openssh-unix-dev mailing list