I looked into this briefly, and I think I've spotted the problem.
In the `shadow` package, version 4.1.5.1, the `debian/patches/495_stdout-encrypted-password` patch does not cause the call to `do_pam_passwd_non_interractive()` to be avoided when the -S option has been given, indicating `use_stdout = TRUE`.
I am not familiar with this code at all, but I looked into `do_pam_passwd_non_interractive()` (`shadow` package file `libmisc/pam_pass_non_interractive.c`) and it only seems to be doing PAM updating stuff that shouldn't be happening when -S has been specified.