On Fri, Jan 23, 2015 at 10:59 AM, Iain Morgan <imorgan@xxxxxxxxxxxx> wrote:
>
> As I recall, OpenSSH does not use PAM to implement password changes;
>

Actually it does (via pam_chauthtok()), but only when you are using
keyboard-interactive and it has a reliable way to talk to the user.

> instead, it executes the system's passwd binary.

It does that when you are not using PAM, or when you are using PAM
with "password" authentication (it can't call pam_chauthtok() in the
latter case because by the time it can talk to the user via a tty, it
has long since dropped the privilege required to actually change the
password).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
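The rules in the reply above can be turned into a quick configuration check. This is an added example, not part of the original post and not OpenSSH code: the function name `pwchange_paths`, the output labels and the sample settings are made up for illustration, and it assumes input in the lowercase "keyword value" form that `sshd -T` prints.

```shell
#!/bin/sh
# Added example (not OpenSSH code). Reads effective sshd settings in the
# lowercase "keyword value" form printed by `sshd -T` and reports, for each
# enabled password-based method, which password-change path the post describes:
#   PAM + keyboard-interactive -> pam_chauthtok()
#   no PAM, or PAM + "password" -> the system passwd binary

pwchange_paths() {
    awk '
        $1 == "usepam"                 { pam = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        # Assumption: either keyword set to "yes" enables keyboard-interactive
        # (older releases call the option challengeresponseauthentication).
        ($1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication") && $2 == "yes" { kbd = "yes" }
        END {
            if (kbd == "yes")
                print "keyboard-interactive", (pam == "yes" ? "pam_chauthtok" : "passwd-binary")
            if (pw == "yes")
                print "password", "passwd-binary"
            if (kbd != "yes" && pw != "yes")
                print "none", "no-password-method-enabled"
        }'
}

# Constructed sample settings (not taken from a real host).
SAMPLE_PAM='usepam yes
passwordauthentication yes
kbdinteractiveauthentication yes'

printf '%s\n' "$SAMPLE_PAM" | pwchange_paths
```

On a live host the same function can be fed the real effective configuration with `sshd -T | pwchange_paths`, run as root.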