Password change required but no TTY available

Damien Miller djm at
Fri May 25 10:37:17 AEST 2018

On Thu, 24 May 2018, Daniel Wagner wrote:

> Hi,
> I upgraded for one of our products the SSH server to the portal OpenSSH
> 7.7p1 release. While testing I observed a change in the behavior for
> expired passwords.
> The commit 7c8568576071 ("upstream: switch over to the new
> authorized_keys options API and") dropped the 'allowed pty' option when
> the password has expired. By adding this hack here, I got it
> back to the old behavior:

I think it's probably okay to allow the PTY in restricted sessions

The global PermitTTY option as well as any authorized_keys options will
still apply.

Does this solve your problem?

diff --git a/auth.c b/auth.c
index 63366768..4fc95457 100644
--- a/auth.c
+++ b/auth.c
@@ -1080,6 +1080,7 @@ auth_restrict_session(struct ssh *ssh)
 	/* A blank sshauthopt defaults to permitting nothing */
 	restricted = sshauthopt_new();
+	restricted->permit_pty_flag = 1;
 	restricted->restricted = 1;
 	if (auth_activate_options(ssh, restricted) != 0)

More information about the openssh-unix-dev mailing list