openssh ignores locked account using public key authentication

Kyle Robinson ky.robinson at
Mon Oct 3 14:02:10 MDT 2005

Back in the day /bin/false was often used to indicate a user had FTP
access, but not shell access.  As long as the systems aren't running
ftp servers /bin/false is a nice workaround unless you're also trying
to do automatic account lockouts per x number of failed login request.

On 10/3/05, Andrew McNabb <amcnabb at> wrote:
> On Mon, Oct 03, 2005 at 01:40:51PM -0600, Erik R. Jensen wrote:
> > It appears that when using public key authentication with openssh, the
> > locked status of an account is ignored. This means I can issue "passwd
> > -l", and if the user had setup ssh keys for authentication, they can still
> > login. I know there are other ways to further lock an account which I have
> > been doing, but I really just want openssh to respect the "!" that gets
> > placed in the shadow file when a "passwd -l" is issued. Is there a change
> > I can make in /etc/pam.d/sshd to force this check to happen or something I
> > am just overlooking?
> >
> One of the traditional way to lock an account is to set the shell to
> /bin/false.  Theoretically there might still be some problem with that,
> too, but I can't think of anything.
> --
> Andrew McNabb
> PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868
> /*
> PLUG:, #utah on
> Unsubscribe:
> Don't fear the penguin.
> */

More information about the PLUG mailing list