openssh ignores locked account using public key authentication

Kyle Robinson ky.robinson at
Mon Oct 3 13:58:40 MDT 2005

ssh will still use pam_acct_mgmt() and pam_open_session() even when
doing private key authentication (not PAM), but it must be linked to and "UsePAM yes" must be set in the sshd_config file. 
Without PAM support in sshd, after the key has been validated sshd
will not check anything other than a simple getpwnam() for a valid
shell, homedir , uid and gid before opening a session for the user.

It's also possible that pam_acct_mgmt() and pam_open_session() aren't
checking for locked shadow passwords on Linux but I don't believe this
is the case.

On 10/3/05, Erik R. Jensen <erikrj at> wrote:
> It appears that when using public key authentication with openssh, the
> locked status of an account is ignored. This means I can issue "passwd
> -l", and if the user had setup ssh keys for authentication, they can still
> login. I know there are other ways to further lock an account which I have
> been doing, but I really just want openssh to respect the "!" that gets
> placed in the shadow file when a "passwd -l" is issued. Is there a change
> I can make in /etc/pam.d/sshd to force this check to happen or something I
> am just overlooking?
> I don't have this problem on the AIX and Solaris machines I manage, just
> the Linux boxen. I have done a little digging, but nothing in depth and
> thought I would post to the list to see if it can save me some time.
> Thanks.
> --
> Erik R. Jensen
> /*
> PLUG:, #utah on
> Unsubscribe:
> Don't fear the penguin.
> */

More information about the PLUG mailing list