On Fri, Jan 23, 2015 at 11:52:13 +0100, John Olsson M wrote:
> In the OpenSSH source code it looks like OpenSSH does not cache and
> copy the authentication password back to the PAM stack when password
> change is invoked. Instead OpenSSH gets it again from the tty
> leading to the above usability issue.
>

As I recall, OpenSSH does not use PAM to implement password changes;
instead, it executes the system's passwd binary. This was done to avoid
a variety of problems.

This allows password expiration to work on platforms that do not have
PAM support, and it probably also simplifies the handling of password
expiration when public-key or hostbased authentication is used. In
short, executing passwd is simpler and much more portable.

--
Iain Morgan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev