Openssh still logs in while passwd is locked

Kevin Steves kevin at
Sun May 26 04:26:15 EST 2002

On Wed, May 22, 2002 at 01:12:07PM -0700, Darren Moffat wrote:
> >Using OpenSSH 3.1p1 on a Sun Solaris 7 box, I disabled an account using the
> >'passwd -l ...' command to lock the users password. However, the user can
> >still access the system via ssh. Whilst I could do other things such as
> >moving their .ssh directory, removing their account home directory, etc,
> >etc, is there some 'nicer' way to inform ssh that the account is now locked
> >and thus to not allow them to login?
> The module doesn't check for *LK* in pam_acct_mgmt since it
> was assuming that pam_authenticate() had been called already - in those
> cases it would fail.  If however you are using publickey authentication
> rather than going through PAM with a password pam_acct_mgmt is called
> without first going to pam_authenticate().
> This has been fixed in the new pam modules for Solaris 9 where 
> does an explicit check for *LK* so it is now safe
> to call pam_acct_mgmt() if pam_authenticate() wasn't called.

What else is special besides "*LK*" (I'm wondering about "NP")?
How exactly does ``passwd -sa'' determine LK status?  Are there
issues with/without /etc/shadow (I see pwconv(1M) for example)?

More information about the openssh-unix-dev mailing list