openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at
Sat Oct 8 12:11:43 MDT 2005

> Just curious but does this apply only to users who were allowed SSH in
> the first place or to everyone?

The PAM module applies to all users and whatever process you configure it
for. So, if you add the module to /etc/pam.d/sshd as suggested in the
README, it will be used to keep out any user with a locked shadow password
whether they are using password or public/private key authentication. It
is meant to work with the other modules that already exist such as to protect your system since it doesn't perform any of the
other callback functions except for pam_sm_acct_mgmt. It doesn't mean you
can't use it in another pam configuration file for another service. The
module is OpenSSH agnostic.

> I ask this because my server logs have shown a large number of
> connects/rejects for people with usernames eerily similar to
> daemon/process names, such as apache, nobody, admin, user, etc.

The short of it is, unless you've set up public/private key pairs for these
users (bad idea) for use with OpenSSH, the module is already
keeping these login attempts out, assuming they have not been assigned a
password or a weak password, which is usually the case.

> I would be a little spooked to remove a system process completely from
> the system if this were the case.

By default these accounts cannot be logged into. Unless you gave them
passwords, I wouldn't worry about it. You can verify by looking at your
/etc/shadow file. They should have a '*' or a '!' in the password field.

Erik R. Jensen
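Added illustration, not code from the post or from the PAM module Erik describes: the decision an account-management (pam_sm_acct_mgmt) check would make from the shadow password field, applied to a few constructed /etc/shadow-style lines so it runs offline. A real module would read the field with getspnam() instead of a string table; the sample lines and the helper names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample /etc/shadow lines (not taken from any real system). */
static const char *sample_shadow[] = {
    "root:$6$saltsalt$hashhashhash:16000:0:99999:7:::",
    "daemon:*:16000:0:99999:7:::",
    "apache:!:16000:0:99999:7:::",
    "nobody:!!:16000:0:99999:7:::",
    "erik:$6$saltsalt$otherhash:16000:0:99999:7:::",
    NULL
};

/* Returns 1 when the shadow password field marks the account as locked:
 * empty, or starting with '*' or '!' (the markers the post mentions).
 * This is the test an account-management hook keys on, independent of
 * whether sshd authenticated the user by password or by public key. */
int shadow_password_locked(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return 1;
    return field[0] == '*' || field[0] == '!';
}

/* Looks up `user` in shadow-style lines; returns 1 if locked,
 * 0 if the account has a usable hash, -1 if the user is not present. */
int account_locked(const char *const *lines, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *const *p = lines; *p; ++p) {
        const char *line = *p;
        if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
            continue;                       /* not this user */
        const char *field = line + ulen + 1; /* second field: password */
        const char *end = strchr(field, ':');
        size_t flen = end ? (size_t)(end - field) : strlen(field);
        char buf[256];
        if (flen >= sizeof buf)
            flen = sizeof buf - 1;           /* truncate oversized hashes */
        memcpy(buf, field, flen);
        buf[flen] = '\0';
        return shadow_password_locked(buf);
    }
    return -1;
}

int main(void)
{
    const char *users[] = {"root", "daemon", "apache", "nobody", "erik", "ghost"};
    for (size_t i = 0; i < sizeof users / sizeof *users; ++i)
        printf("%-8s locked=%d\n", users[i], account_locked(sample_shadow, users[i]));
    return 0;
}
```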
