openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at
Wed Oct 5 13:15:46 MDT 2005

> One solution is to add pam_listfile to the stack for the apps that
> provide access to your machine (under each applicable context) and add
> usernames to the listfile that is specified as a parameter to the
> module.

This is true, but it would essentially be the same thing as manually
editing the Allow* and Deny* entries in sshd_config. It still takes an
extra step to make it happen. Perhaps I am just picky in that I think it
should not take any extra effort to lock an account other than issuing a
"passwd -l". It's definitely something AIX got right (chuser
account_locked=true erjensen), even if everything else is in that OS is a

OT: I appreciate everyone's info. I think discussions like this should
happen more often on the PLUG.

Erik R. Jensen

More information about the PLUG mailing list