Hi,

For one of our products, I upgraded the SSH server to the portable OpenSSH 7.7p1 release. While testing, I observed a change in the behavior for expired passwords. The commit 7c8568576071 ("upstream: switch over to the new authorized_keys options API and") dropped the 'allowed pty' option when the password has expired.

By adding this hack here, I got it back to the old behavior:

--- a/auth-passwd.c +++ b/auth-passwd.c @@ -62,6 +62,7 @@ extern ServerOptions options; extern login_cap_t *lc; #endif +extern struct sshauthopt *auth_opts; #define DAY (24L * 60 * 60) /* 1 day in seconds */ #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ @@ -122,8 +123,11 @@ auth_password(struct ssh *ssh, const char *password) } #endif result = sys_auth_passwd(ssh, password); - if (authctxt->force_pwchange) + if (authctxt->force_pwchange) { auth_restrict_session(ssh); + /* Allow password change via pty */ + auth_opts->permit_pty_flag = 1; + } return (result && ok); }

Is this an intentional change (auth_restrict_session) or is it just an oversight to enable the PTY back to allow password changes remotely?

Maybe I should also explain why the change is a problem for us. We have a product which is configured and controlled via SSH. Although each device gets an individual password from the factory, we would still like to force the customer to set a new password on the initial connection attempt. 'passwd -e' was our approach so far to expire the password for the account.

Thanks,
Daniel

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
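
Review bot: the `extern struct sshauthopt *auth_opts;` added in the first hunk (between the `#endif` and the `#define DAY` block) is a file-local declaration of a global that auth-passwd.c then writes to, with no comment saying why this file needs it. Pull the declaration from the header that owns the variable, or put the pty adjustment in a small helper next to auth_restrict_session(), so the password code does not modify session options directly.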
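
Review bot: in the auth_password() hunk, `auth_opts->permit_pty_flag = 1;` runs whenever `authctxt->force_pwchange` is set, before `result && ok` is evaluated, so the flag is forced on even when the password check failed, and it overwrites whatever value the flag held before. Guard the assignment on `result && ok`, and extend the `/* Allow password change via pty */` comment to state that this deliberately relaxes the session restriction applied by the auth_restrict_session(ssh) call on the line above, and only for the forced password change.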