openssh ignores locked account using public key authentication

Erik R. Jensen erikrj at
Sat Oct 8 01:46:46 MDT 2005

> Looks like you're right.  For some strange reason Linux PAM doesn't
> bother checking for account status in pam_acct_mgmt() where Solaris
> PAM does, for exactly this sort of reason.  I wonder if there is a
> patch to Linux PAM's to make it work correctly for session
> and account managment.

I got a little bored tonight watching TV and sitting on IRC so I wrote a
little PAM module to fix the problem. It will check for locked shadow
passwords during the pam_sm_acct_mgmt callback preventing locked users
from obtaining a login even if they are using public/private key
authentication. I've placed it at the following url with some instructions
in case anyone is interested.

Erik R. Jensen

More information about the PLUG mailing list