openssh ignores locked account using public key authentication

Dreamer smorrey at
Sat Oct 8 01:47:50 MDT 2005

Just curious but does this apply only to users who were allowed SSH in
the first place or to everyone?

I ask this because my server logs have showed a large number of
connects/rejects for people with usernames eerily similar to
daemon/process names, such as apache,nobody,admin,user etc.

I would be a little spooked to remove a system process completely from
the system if this were the case.

On 10/8/05, Erik R. Jensen <erikrj at> wrote:
> > Looks like you're right.  For some strange reason Linux PAM doesn't
> > bother checking for account status in pam_acct_mgmt() where Solaris
> > PAM does, for exactly this sort of reason.  I wonder if there is a
> > patch to Linux PAM's to make it work correctly for session
> > and account managment.
> I got a little bored tonight watching TV and sitting on IRC so I wrote a
> little PAM module to fix the problem. It will check for locked shadow
> passwords during the pam_sm_acct_mgmt callback preventing locked users
> from obtaining a login even if they are using public/private key
> authentication. I've placed it at the following url with some instructions
> in case anyone is interested.
> --
> Erik R. Jensen
> /*
> PLUG:, #utah on
> Unsubscribe:
> Don't fear the penguin.
> */

More information about the PLUG mailing list