For some reason, the Gentoo package maintainer has changed the default pam_ssh module's prompt from "SSH passphrase: " to "Password: ".

While I can see that someone might find this useful on a suboptimally configured PAM authentication stack, the prompt is quite misleading, and should not be made this way by default.

This is particularly problematic because it cannot be reverted to its usual behavior without rebuilding.

It also hinders my intended use of pam_ssh, which is to allow the user to enter his/her SSH passphrase and automatically start ssh-agent, but:
1) only if they have a valid Unix account
2) only if they want to (else they type a blank passphrase to skip it)
3) even if their SSH passphrase is different from their Unix password

To achieve this, the configuration would look like this:
auth required pam_unix.so
auth optional pam_ssh.so

(With either no options to pam_ssh.so or try_first_pass)

This causes the user to see two "Password: " prompts, and it is impossible for the user to tell whether they incorrectly entered the first password incorrectly and so is being asked for a password from a different SSH module or whether they entered the first password correctly and is being asked for an optional extra step.

The whole point of the prompt is for the user to be able to tell which of his/her passwords or passphrases is required and this Gentoo-specific customization breaks this.

I would also note that in no circumstance is the user actually supplying a password to the SSH module: it is only used to authenticate using an SSH private key, which is always encrypted by a "passphrase", never a "password".


Reproducible: Always
Steps to Reproduce:
1.
2.
3.