diff --git a/xCAT-server/lib/perl/xCAT/SSHInteract.pm b/xCAT-server/lib/perl/xCAT/SSHInteract.pm
index 717dba38b..90ee50e1f 100644
--- a/xCAT-server/lib/perl/xCAT/SSHInteract.pm
+++ b/xCAT-server/lib/perl/xCAT/SSHInteract.pm
@@ -28,6 +28,7 @@ sub _startssh {
 	close($pty);
 	open STDIN, "<&", $tty_fd;
 	open STDOUT,">&",$tty_fd;
+        open STDERR, ">&", STDOUT;
 	close($tty);
 	my @cmd =  ("ssh","-o","StrictHostKeyChecking=no");
 	if ($args{"-nokeycheck"}) {
@@ -58,7 +59,7 @@ sub new {
 	my $promptex = $args{Prompt};
 	$promptex =~ s!^/!!;
 	$promptex =~ s!/\z!!;
-    my ($prematch,$match) = $self->waitfor(Match => $args{Prompt},Match=>'/password:/i') or die "Login Failed: ",$self->lastline;
+    my ($prematch,$match) = $self->waitfor(Match => $args{Prompt},Match=>'/password:/i',Match=>'/REMOTE HOST IDENTIFICATION HAS CHANGED/') or die "Login Failed:", $self->lastline;
     if ($match =~ /password:/i) {
 	    #$self->waitfor("-match" => '/password:/i', -errmode => "return") or die "Unable to reach host ",$self->lastline;
             $self->print($password);
@@ -74,7 +75,9 @@ sub new {
 		*$self->{_xcatsshinteract}->{_atprompt}=1;
 	    }
     } elsif ($match =~ /$promptex/) {
-	*$self->{_xcatsshinteract}->{_atprompt}=1;
+	    *$self->{_xcatsshinteract}->{_atprompt}=1;
+    } elsif ($match =~ /REMOTE HOST IDENTIFICATION HAS CHANGED/){
+        die "Known_hosts issue";
 	}
 	return bless($self,$class);
 }
diff --git a/xCAT-server/lib/xcat/plugins/blade.pm b/xCAT-server/lib/xcat/plugins/blade.pm
index cd8fc623c..822109fc5 100644
--- a/xCAT-server/lib/xcat/plugins/blade.pm
+++ b/xCAT-server/lib/xcat/plugins/blade.pm
@@ -4014,6 +4014,7 @@ sub clicmds {
   }
   my $curruser = $user;
   my $currpass = $pass;
+  my $promote_pass = $pass; #used for genesis state processing
   my $nokeycheck=0; #default to checking ssh key
   if ($args{defaultcfg}) {
     $curruser="USERID";
@@ -4054,6 +4055,11 @@ sub clicmds {
   };
   my $errmsg=$@;
   if ($errmsg) {
+        if ($errmsg =~ /Known_hosts issue/) {
+            $errmsg = "The entry for $curraddr in known_hosts table is out of date, pls run 'makeknownhosts $curraddr -r' to delete it from known_hosts table.";
+           push @cfgtext, $errmsg;
+           return([1, \@unhandled, $errmsg]);
+        }
 	if ($errmsg =~ /Login Failed/) {
 	    $errmsg = "Failed to login to $mpa";
 	    if ($curraddr ne $mpa) { $errmsg .= " (currently at $curraddr)" }
@@ -4063,13 +4069,16 @@ sub clicmds {
   }
   my $Rc=1;
   if ($t and not $t->atprompt) { #we sshed in, but we may be forced to deal with initial password set
+        if (defined($handled{USERID})) {
+            $promote_pass = $handled{USERID};
+        }
 	my $output = $t->get();
 	if ($output =~ /Enter current password/) {
 		$t->print($currpass);
 		$t->waitfor(-match=>"/password:/i");
-		$t->print($pass);
+		$t->print($promote_pass);
 		$t->waitfor(-match=>"/password:/i");
-		$t->print($pass);
+		$t->print($promote_pass);
 		my $result=$t->getline();
 		chomp($result);
 		$result =~ s/\s*//;
@@ -4078,6 +4087,7 @@ sub clicmds {
 			$result =~ s/\s*//;
 		}
 		if ($result =~ /not compliant/) {
+                        push @cfgtext,"The current account password has expired, please modify it first";
          		return ([1,\@unhandled,"Management module refuses requested password as insufficiently secure, try another password"]);
 		}
 	}
@@ -4125,8 +4135,8 @@ sub clicmds {
     elsif (/^rscanfsp$/)  { $result = rscanfsp($t,$mpa,$handled{$_},$mm); }
     elsif (/^solcfg$/)  { $result = solcfg($t,$handled{$_},$mm); }
     elsif (/^network_reset$/) { $result = network($t,$handled{$_},$mpa,$mm,$node,$nodeid,1); $reset=1; }
-    elsif (/^(USERID)$/) {$result = passwd($t, $mpa, $1, "=".$handled{$_}, $mm);}
-    elsif (/^userpassword$/) {$result = passwd($t, $mpa, $1, $handled{$_}, $mm);}
+    elsif (/^(USERID)$/) {$result = passwd($t, $mpa, $1, "=".$handled{$_}, $promote_pass, $mm);}
+    elsif (/^userpassword$/) {$result = passwd($t, $mpa, $1, $handled{$_}, $promote_pass, $mm);}
     if (!defined($result)) {next;}
     push @data, "$_: @$result";
     $Rc |= shift(@$result);
@@ -4311,6 +4321,7 @@ sub passwd {
   my $mpa = shift;
   my $user = shift;
   my $pass = shift;
+  my $oldpass = shift;
   my $mm = shift;
   if ($pass =~ /^=/) {
 	$pass=~ s/=//;
@@ -4325,18 +4336,21 @@ sub passwd {
   if ($mpatab) {
     #my ($ent)=$mpatab->getNodeSpecAttribs($mpa, {username=>$user},qw(password));
     my ($ent)=$mpatab->getAttribs({mpa=>$mpa, username=>$user},qw(password));
-    my $oldpass = 'PASSW0RD';
-    if (defined($ent->{password})) {$oldpass = $ent->{password}};
-    my $cmd = "users -n $user -op $oldpass -p $pass -T system:$mm";
-    my @data = $t->cmd($cmd);
-    if (!grep(/OK/i, @data)) {
-        return ([1, @data]);
+    #my $oldpass = 'PASSW0RD';
+    #if (defined($ent->{password})) {$oldpass = $ent->{password}};
+    my @data = ();
+    if ($oldpass ne $pass) {
+        my $cmd = "users -n $user -op $oldpass -p $pass -T system:$mm";
+        my @data = $t->cmd($cmd);
+        if (!grep(/OK/i, @data)) {
+            return ([1, @data]);
+        }
     }
     @data = ();
     my $snmp_cmd = "users -n $user -ap sha -pp des -ppw $pass -T system:$mm";
     @data = $t->cmd($snmp_cmd);
     if (!grep(/ok/i, @data)) {
-        $cmd = "users -n $user -op $pass -p $oldpass -T system:$mm";
+        my $cmd = "users -n $user -op $pass -p $oldpass -T system:$mm";
         my @back_pwd = $t->cmd($cmd);
         if (!grep(/OK/i, @back_pwd)) {
             $mpatab->setAttribs({mpa=>$mpa,username=>$user},{password=>$pass});