openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at
Wed Oct 5 10:20:13 MDT 2005

> On 10/4/05, Lonnie Olson <fungus at> wrote:
>> public key authentication uses PAM to do no more than look up the
>> home directory of the user.  It actually might not use PAM at all and
>> just access the file directly.  Locking an account has no effect on
>> this form of auth.

From what I have gathered, if UsePAM is set to yes in the sshd_config
file, and public key authentication is used, callbacks will be made only
to pam_sm_acct_mgmt and pam_sm_open_session, not pam_sm_authenticate. So
only modules of the type session and account will be called in the
pam.d/sshd config.

The problem, I believe, stems from the fact that none of the modules
listed for account and session types check for a locked password in
/etc/shadow. The pam_unix module which does the checking, checks in its
_unix_verify_password function in unix_chkpwd.c (line 360). This is not
called for the pam_sm_acct_mgmt or pam_sm_open_session functions in that
module since there is no password to verify.

So, if I want to only have to run one command "passwd -l" to truly lock
any account and not deal with setting shells to false or managing some
kind of access list, I will either have to modify the pam_unix module, or
code my own to perform verification on the shadow file during
pam_sm_acct_mgmt or pam_sm_open_session. I believe something similar to
this may be what happens on Solaris and AIX, but need to verify.

Anyone agree or disagree with this?

> Locking an account can actually affect publickey authentication as
> long as UsePAM is set to yes in the sshd_config and the linux PAM
> function pam_acct_mgmt() is working as it should be (as the Solaris
> PAM function does).  In this scenario sshd will authenticate the user
> with publickey and will then call the pam_acct_mgmt and
> pam_open_session functions that should fail based on the locked
> account (this is how it works on Solaris).  If UsePAM is set to no
> these functions wouldn't be called and a locked account would be
> allowed by publickey.

This is not the case. I have had UsePAM enabled as well as the previous
settings you mentioned (trimmed from this email) and the problem still
persists. I again believe that there just needs to be some kind of check
in a required module when the pam_acct_mgmt function is called.

> The best thing anyone can do for SSH security is disable every
> non-essential and duplicate authentication method.  A typical
> configuration I'll use is (auth section only):

I totally agree, but it does not appear to fix this issue related to
public key authentication in regards to locked accounts.

Erik R. Jensen
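The shadow-file check Erik proposes for a custom account module, as an added example that is not code from this thread or from pam_unix: it scans a shadow(5)-format buffer and reports whether an account is locked the way "passwd -l" locks it (hash field prefixed with '!' on Linux, "*LK*" on Solaris). The PAM glue (calling this from pam_sm_acct_mgmt and returning PAM_AUTH_ERR on 1) is left out so it compiles without PAM headers; the entries and hashes are constructed placeholders.

```c
/* Added example, not from the thread or pam_unix: the shadow-file lock check
 * a custom account module could run from pam_sm_acct_mgmt (no PAM headers). */
#include <stdio.h>
#include <string.h>

/* 1 if the hash field marks the account locked: "passwd -l" prefixes the hash
 * with '!' on Linux ("!!" on some distributions) and "*LK*" on Solaris. A bare
 * '*' only disables password login and is not a passwd -l lock. */
int hash_is_locked(const char *hash)
{
    if (hash == NULL) return 0;
    return hash[0] == '!' || strncmp(hash, "*LK*", 4) == 0;
}

/* Scan a shadow(5)-format buffer ("user:hash:lastchg:..." per line).
 * Returns 1 locked, 0 unlocked, -1 user not found. */
int shadow_account_locked(const char *shadow, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = shadow;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *h = line + ulen + 1;            /* hash field start */
            const char *hend = memchr(h, ':', llen - ulen - 1);
            size_t hlen = hend ? (size_t)(hend - h) : llen - ulen - 1;
            char hash[256];
            if (hlen >= sizeof hash) hlen = sizeof hash - 1;
            memcpy(hash, h, hlen);
            hash[hlen] = '\0';
            return hash_is_locked(hash);
        }
        if (eol == NULL) break;
        line = eol + 1;
    }
    return -1;
}

/* Constructed sample entries; the hashes are placeholders, not real hashes. */
static const char sample_shadow[] =
    "alice:$1$PLACEHOLDER:13000:0:99999:7:::\n"
    "bob:!$1$PLACEHOLDER:13000:0:99999:7:::\n"     /* locked with passwd -l */
    "carol:*LK*:13000:0:99999:7:::\n";             /* Solaris-style lock */

int main(void)
{
    printf("bob locked: %d\n", shadow_account_locked(sample_shadow, "bob"));
    return 0;
}
```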
