openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at
Mon Oct 3 13:40:51 MDT 2005

It appears that when using public key authentication with openssh, the
locked status of an account is ignored. This means I can issue "passwd
-l", and if the user had set up ssh keys for authentication, they can still
log in. I know there are other ways to further lock an account which I have
been doing, but I really just want openssh to respect the "!" that gets
placed in the shadow file when a "passwd -l" is issued. Is there a change
I can make in /etc/pam.d/sshd to force this check to happen or something I
am just overlooking?

I don't have this problem on the AIX and Solaris machines I manage, just
the Linux boxen. I have done a little digging, but nothing in depth and
thought I would post to the list to see if it can save me some time.

Erik R. Jensen
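
The condition described above can be audited for. The following is an added example, not part of the original post and not OpenSSH code: it lists accounts whose shadow password field starts with "!" but which still have a usable ~/.ssh/authorized_keys. It assumes sshd's default AuthorizedKeysFile location; the function names, the ROOT_PREFIX argument and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts locked with "passwd -l" that still hold SSH keys.
# Usage: locked_with_keys SHADOW_FILE PASSWD_FILE [ROOT_PREFIX]
# ROOT_PREFIX (hypothetical parameter) is prepended to each home directory,
# so the check can run against a copy or a mounted image.
locked_with_keys() {
    shadow=$1; passwd=$2; root=${3:-}
    # shadow(5): name:hashed_password:... ; "passwd -l" prefixes the hash with "!".
    awk -F: '$2 ~ /^!/ { print $1 }' "$shadow" |
    while IFS= read -r user; do
        # passwd(5): field 6 is the home directory.
        home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd")
        [ -n "$home" ] || continue
        # Assumption: sshd uses the default AuthorizedKeysFile location.
        keys="$root$home/.ssh/authorized_keys"
        # Report only if the file has a line that is not blank or a comment.
        if [ -f "$keys" ] && grep -Eqv '^[[:space:]]*(#|$)' "$keys"; then
            printf '%s\n' "$user"
        fi
    done
}

# Constructed sample data (not from a real system): alice and carol are
# locked, bob is not; carol's key file holds only a comment.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'alice:!$6$constructed$hash:13059:0:99999:7:::' \
                  'bob:$6$constructed$hash:13059:0:99999:7:::' \
                  'carol:!$6$constructed$hash:13059:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/sh' \
                  'bob:x:1002:1002::/home/bob:/bin/sh' \
                  'carol:x:1003:1003::/home/carol:/bin/sh' > "$d/passwd"
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol/.ssh"
    echo 'ssh-ed25519 AAAAconstructed alice@example' > "$d/home/alice/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAAconstructed bob@example' > "$d/home/bob/.ssh/authorized_keys"
    echo '# keys removed' > "$d/home/carol/.ssh/authorized_keys"
    locked_with_keys "$d/shadow" "$d/passwd" "$d"
    rm -rf "$d"
}

# With two or more arguments audit those files; otherwise run the demo.
if [ "$#" -ge 2 ]; then locked_with_keys "$@"; else demo; fi
```

Reading /etc/shadow requires root; pass /etc/shadow and /etc/passwd as the two arguments to audit the running system.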

