Cannot change initial SSH password of device

[Joachim-Otahal]

The device in question is an UPS. Upon initial ssh connection it comes up with

You must change your password now and login again!
Changing password for local\admin
Old password:

Now with an actual ssh session I can enter "admin", since this is the default password, hit "enter" and then I can or could set the new password.

However with Posh-SSH 3.2.4, on Server 2022 Powershell 5.1 in Powershel_ISE, it does not work. Since it is needed over a large number of devices Posh-SSH is my first choice here since it worked well on a different project. However I always get "Incorrect password"

The actual commands are:

$SshSession = New-SSHSession -ComputerName $SSHTarget -Credential $Credential -AcceptKey -Verbose -ErrorAction Stop
$SSHStream = New-SSHShellStream -SSHSession $SshSession
Start-Sleep 2
$SSHStream.Read()

The console answers with:

Credentials are expired
Min password length: 8
Max password length: 32
Min uppercase characters: 1
Min lowercase characters: 1
Min digits: 1
Min special characters: 1
Valid special characters: `~!@#$%^&*()_-+={}[]|:;\"<>,.'?/
Last login: Mon Aug 11 11:41:32 2025 from 169.254.5.76
WARNING: Your password has expired.
You must change your password now and login again!
passwd: no record of local\admin in /etc/shadow, using /etc/passwd
Changing password for local\admin
Old password: 

I then use:
$SSHStream.WriteLine("admin")
And the result is:

$SSHStream.read()
Incorrect password
passwd: password for local\admin is unchanged

Variation I tried:

$SSHStream.Write("admin`n")

, same result.
I also tried $SshSession.Session.ConnectionInfo.Encoding = [System.Text.Encoding]::ASCII and $SSHStream.Session.ConnectionInfo.Encoding = [System.Text.Encoding]::ASCII before even reading the opened stream.
Checking the encoding before and after shows it is applied:

PS:>$SshSession.Session.ConnectionInfo.Encoding

BodyName          : utf-8
EncodingName      : Unicode (UTF-8)
HeaderName        : utf-8
WebName           : utf-8
WindowsCodePage   : 1200
IsBrowserDisplay  : True
IsBrowserSave     : True
IsMailNewsDisplay : True
IsMailNewsSave    : True
IsSingleByte      : False
EncoderFallback   : System.Text.EncoderReplacementFallback
DecoderFallback   : System.Text.DecoderReplacementFallback
IsReadOnly        : True
CodePage          : 65001

PS:>$SshSession.Session.ConnectionInfo.Encoding = [System.Text.Encoding]::ASCII

PS:>$SshSession.Session.ConnectionInfo.Encoding

IsSingleByte      : True
BodyName          : us-ascii
EncodingName      : US-ASCII
HeaderName        : us-ascii
WebName           : us-ascii
WindowsCodePage   : 1252
IsBrowserDisplay  : False
IsBrowserSave     : False
IsMailNewsDisplay : True
IsMailNewsSave    : True
EncoderFallback   : System.Text.EncoderReplacementFallback
DecoderFallback   : System.Text.DecoderReplacementFallback
IsReadOnly        : True
CodePage          : 20127

PS:>$SSHStream.Session.ConnectionInfo.Encoding

BodyName          : utf-8
EncodingName      : Unicode (UTF-8)
HeaderName        : utf-8
WebName           : utf-8
WindowsCodePage   : 1200
IsBrowserDisplay  : True
IsBrowserSave     : True
IsMailNewsDisplay : True
IsMailNewsSave    : True
IsSingleByte      : False
EncoderFallback   : System.Text.EncoderReplacementFallback
DecoderFallback   : System.Text.DecoderReplacementFallback
IsReadOnly        : True
CodePage          : 65001

PS:>$SSHStream.Session.ConnectionInfo.Encoding = [System.Text.Encoding]::ASCII

PS:>$SSHStream.Session.ConnectionInfo.Encoding

IsSingleByte      : True
BodyName          : us-ascii
EncodingName      : US-ASCII
HeaderName        : us-ascii
WebName           : us-ascii
WindowsCodePage   : 1252
IsBrowserDisplay  : False
IsBrowserSave     : False
IsMailNewsDisplay : True
IsMailNewsSave    : True
EncoderFallback   : System.Text.EncoderReplacementFallback
DecoderFallback   : System.Text.DecoderReplacementFallback
IsReadOnly        : True
CodePage          : 20127

After all my attempts I tried several time with a normal ssh client, and the old password is still "admin", which I can enter.
Now am I doing something terribly wrong or is this a Posh-SSH thing?

[Joachim-Otahal]

Using .WrtieByte() does not work too, no matter whether the bytestream has 10 = lf or 13 = cr as last character. It is like there is nothing sent.
$ByteArray | foreach {$SSHStream.WriteByte($_)}
Invoke-SSHStreamExpectAction does not too because it refuses to run without a "-Command", but there is no "command" to send since we don't have a "shell" yet, only the prompt to change the password i.e., only to -Expect "(ld password)|(urrent password)"

Does anybody have a alternative windows toolkit to get this initial password change request on? I.e. make ssh connection, and if we have regex "(ld password)|(urrent password)", then send old pw, return, new pw return, new pw return?
I am at my wits end here but a project pressing, it is like Posh-SSH cannot handle the situation where I don't have an actual shell yet, only the enforce password prompt.

[Joachim-Otahal]

To put this into perspective: Putty.exe -ssh admin@ip -pw pass does not work too and gives me an error message, possibly for the same reason. Putty the normal putty.exe -ssh admin@ip gives me this, force PW change before a "shell" is available.
Any idea how to catch that situation with Posh-SSH?

[MVKozlov]

I can only assume that the password question is not sent via the standard stream.
You can try using CreateShellStreamNoTerminal
instead of CreateShellStream
(see how it is implemented in the Posh-SSH code in New-SSHShellStream)

[Joachim-Otahal]

I can only assume that the password question is not sent via the standard stream. You can try using CreateShellStreamNoTerminal instead of CreateShellStream (see how it is implemented in the Posh-SSH code in New-SSHShellStream)

I tried to find CreateShellStreamNoTerminal, since it sounds logical due to "before full shell-terminal established", but there is none? I see no such definitions in the $SSHSession.Session.CreateShell* of in [Renci.SshNet.*] . If you mean somewhere within the .cs source tree, this is a few steps beyond my capabilities to decipher and connect how it all is implemented to squeeze out a CreateShellStreamNoTerminal.
Or is that method hidden somewhere else?

[MVKozlov]

Sorry for misleading you, CreateShellStreamNoTerminal awailable only in Renci.SshNet.dll 2025
so it need Posh-SSH patching

[Joachim-Otahal]

Thank you for clearing that up! Now the next question is: When will there be a posh-ssh update which includes this new sshnet release.. @darkoperator any plans? Currently a workaround is active for that initial ssh pw change (KiTTY since it has better command line than putty) and then go on with Posh-SSH. But completely within Posh-SSH would be great.

[MVKozlov]

Just check it

You can try to use module from https://github.com/MVKozlov/Posh-SSH/tree/renci2025
there is a CreateShellStreamNoTerminal function available in $SSHSession.Session

[Joachim-Otahal]

Just check it

You can try to use module from https://github.com/MVKozlov/Posh-SSH/tree/renci2025 there is a CreateShellStreamNoTerminal function available in $SSHSession.Session

Thank you a lot! I will put it into test as soon as I am in that environment again (hopefully this or next week)

[Joachim-Otahal]

Just check it

You can try to use module from https://github.com/MVKozlov/Posh-SSH/tree/renci2025 there is a CreateShellStreamNoTerminal function available in $SSHSession.Session

Sorry, could not try yet, the admin responsible for this in the target environment are still on vacation...

[Joachim-Otahal]

Just check it

You can try to use module from https://github.com/MVKozlov/Posh-SSH/tree/renci2025 there is a CreateShellStreamNoTerminal function available in $SSHSession.Session

Today I finally could get it a go at the customer. But on two Server 2022 it did not load. Version 3.2.4 does load. Seems I have bad luck here :D.

[MVKozlov]

which PS version you try to use ?
On my home computer v7.5.3 is ok
while 5.1 give

Can't load "Microsoft.Bcl.AsyncInterfaces, Version=8.0.0.0

This issue was discussed and resolved somewhere here or in the Renci.SshNet thread, but I can't remember where right now :)

[MVKozlov]

https://www.nuget.org/packages/Microsoft.Bcl.AsyncInterfaces/8.0.0
there you can get netstandart2.0 dll
but for v5.1 next you also need
System.Memory.dll
System.Threading.Tasks.Extensions.dll
and so on
Now at home I can't get it all :)
but I try later from workplace :)

[darkoperator]

Good catch did not knew we had this problem with 5.1. At some point to move to newer cipher will meed to move to a .net 8 and drop PS 5.1 support

[MVKozlov]

@darkoperator, I think this should happen when Renci.SshNet.dll deprecates netstandart 2.0 :)
But for now, it supported.
By the way, in version 2025, it replaced SshNet.Security.Cryptography.dll with BouncyCastle.Cryptography.dll.
I think it's precisely because of the new cipher support.

[MVKozlov]

anybody, please try latest commit.
Seems it resolves 5.1 requirements

btw, It seemed to me that the latest version of the library supports Putty's ppk as keyfile

PrivateKeyFile.cs
PrivateKeyFile.OpenSSH.cs
PrivateKeyFile.PKCS1.cs
PrivateKeyFile.PKCS8.cs
PrivateKeyFile.PuTTY.cs
PrivateKeyFile.SSHCOM.cs