openssh ignores locked account using public key authentication

Michael Halcrow mike at
Wed Oct 5 12:12:50 MDT 2005

On Wed, Oct 05, 2005 at 10:20:13AM -0600, Erik R. Jensen wrote:
> > On 10/4/05, Lonnie Olson <fungus at> wrote:
> >> public key authentication uses PAM to do no more than look up the
> >> home directory of the user.  It actually might not use PAM at all and
> >> just access the file directly.  Locking an account has no effect on
> >> this form of auth.
> From what I have gathered, if UsePAM is set to yes in the
> sshd_config file, and public key authentication is used, callbacks
> will be made only to pam_sm_acct_mgmt and pam_sm_open_session, not
> pam_sm_authenticate. So only modules of the type session and account
> will be called in the pam.d/sshd config.

One solution is to add pam_listfile to the stack for the apps that
provide access to your machine (under each applicable context) and add
usernames to the listfile that is specified as a parameter to the

                         Michael A. Halcrow                          
       Security Software Engineer, IBM Linux Technology Center       
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C  20F5 DB40 8531 6DCA 8769

"Given the choice between dancing pigs and security, users will pick 
dancing pigs every time."                                            
 - Ed Felten 
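As an added illustration of the pam_listfile approach described in the reply above (this is not part of the original message), the fragment below shows where the module has to sit. Because a public-key login only exercises the account and session stacks, as noted earlier in the thread, the deny list belongs on an "account" line; an "auth" line would never be consulted for that method. The listfile path /etc/ssh/denied_users is an assumed name, and the surrounding module lines are a generic Linux layout, not this list member's configuration.

```text
# /etc/pam.d/sshd  (illustrative fragment, not the poster's own file)
#
# Public-key logins with "UsePAM yes" run only the account and session
# stacks, so the deny list must be an "account" module.  With sense=deny,
# any username listed in the file is refused; onerr=fail makes a missing or
# unreadable listfile fail closed instead of silently allowing the login.
# Keep /etc/ssh/denied_users owned by root and not writable by others
# (the path is an assumed name).  One username per line.
account  required   pam_listfile.so  item=user sense=deny file=/etc/ssh/denied_users onerr=fail
account  required   pam_unix.so

session  required   pam_unix.so
session  required   pam_limits.so
```

The same line, repeated under the account context of the other PAM-aware services that grant a shell (login, su, and so on), is what "under each applicable context" amounts to in practice: a user named in the file is then refused regardless of whether the service authenticated by password or by key.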

More information about the PLUG mailing list