On Fri, 25 May 2018, Daniel Wagner wrote:

> Hi Damien,
>
> On 05/25/2018 02:37 AM, Damien Miller wrote:
> > I think it's probably okay to allow the PTY in restricted sessions
> > generally.
> >
> > The global PermitTTY option as well as any authorized_keys options will
> > still apply.
> >
> > Does this solve your problem?
> >
> > diff --git a/auth.c b/auth.c
> > index 63366768..4fc95457 100644
> > --- a/auth.c
> > +++ b/auth.c
> > @@ -1080,6 +1080,7 @@ auth_restrict_session(struct ssh *ssh)
> >
> > /* A blank sshauthopt defaults to permitting nothing */
> > restricted = sshauthopt_new();
> > + restricted->permit_pty_flag = 1;
> > restricted->restricted = 1;
> >
> > if (auth_activate_options(ssh, restricted) != 0)
>
> Yes, this does also work and it looks way better than my hack :)

Thanks, I've committed this. It will be in OpenSSH 7.8 and I'll also
cherry-pick it for the V_7_7 stable git branch.

-d

----

commit fbb4b5fd4f8e0bb89732670a01954e18b69e15ba (HEAD -> master, origin/master, origin/HEAD)
Author: djm@xxxxxxxxxxx <djm@xxxxxxxxxxx>
Date: Fri May 25 07:11:01 2018 +0000

    upstream: Do not ban PTY allocation when a sshd session is restricted
    because the user password is expired as it breaks password change dialog.

    regression in openssh-7.7 reported by Daniel Wagner

    OpenBSD-Commit-ID: 9fc09c584c6f1964b00595e3abe7f83db4d90d73

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
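
Review bot: the context comment `/* A blank sshauthopt defaults to permitting nothing */` in the auth_restrict_session() hunk of auth.c now sits directly above `restricted->permit_pty_flag = 1;`, so it reads as if the restricted set permits nothing when it in fact permits a PTY. Suggest a short comment on the added line giving the reason stated in the commit message (the password change dialog for an expired password breaks without a PTY) and noting that the global PermitTTY option and any authorized_keys options still apply, so a later reader does not take the flag for an accidental loosening of the restricted session.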