openssh ignores locked account using public key authentication

Andrew McNabb amcnabb at
Mon Oct 3 13:42:42 MDT 2005

On Mon, Oct 03, 2005 at 01:40:51PM -0600, Erik R. Jensen wrote:
> It appears that when using public key authentication with openssh, the
> locked status of an account is ignored. This means I can issue "passwd
> -l", and if the user had setup ssh keys for authentication, they can still
> login. I know there are other ways to further lock an account which I have
> been doing, but I really just want openssh to respect the "!" that gets
> placed in the shadow file when a "passwd -l" is issued. Is there a change
> I can make in /etc/pam.d/sshd to force this check to happen or something I
> am just overlooking?

One of the traditional way to lock an account is to set the shell to
/bin/false.  Theoretically there might still be some problem with that,
too, but I can't think of anything.

Andrew McNabb
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : 

More information about the PLUG mailing list