openssh ignores locked account using public key authentication

Nicholas Leippe nick at
Mon Oct 3 13:51:44 MDT 2005

On Monday 03 October 2005 01:40 pm, Erik R. Jensen wrote:
> It appears that when using public key authentication with openssh, the
> locked status of an account is ignored. This means I can issue "passwd
> -l", and if the user had setup ssh keys for authentication, they can still
> login. I know there are other ways to further lock an account which I have
> been doing, but I really just want openssh to respect the "!" that gets
> placed in the shadow file when a "passwd -l" is issued. Is there a change
> I can make in /etc/pam.d/sshd to force this check to happen or something I
> am just overlooking?
> I don't have this problem on the AIX and Solaris machines I manage, just
> the Linux boxen. I have done a little digging, but nothing in depth and
> thought I would post to the list to see if it can save me some time.
> Thanks.

If ssh is merely execing a shell, then:

echo "logout" >> /home/$USER/.bash_profile

would probably do the trick.  But, sftp may then still provide a hole around 


Nicholas Leippe
Sales Team Automation, LLC
1335 West 1650 North, Suite C
Springville, UT  84663 +1 801.853.4090

More information about the PLUG mailing list