Like most responsible admins, I've been running around upgrading OpenSSH on all the systems I administer, installing 3.7.1p2 everywhere. In the process I ran into a "surprise": when PAM is disabled, "locked" accounts are now disabled even for pubkey attempts.
On most systems I administer, I don't allow password auth for anybody, the user accounts are locked, and the only way to get in is via pubkey authentication. This change constituted a "surprise".
Commenting out the source to disable this behavior looked easy enough, but I thought it really belonged as a first-class option in the sshd_config file: hence this patch. The new DenyLockedAccounts keyword takes "yes" or "no" values, and in the absence of this option, it defaults to the previous behavior of "yes". I, of course, have set it to "no" on my systems, and it's been working fine for me.
Posted by Steve at October 05, 2003 11:20 AM

Seems to be designed that way, and opening up "locked" accounts to login seems to be considered a bug... from the ChangeLog:
- (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny any access to locked accounts. ok djm@
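
An added example, not part of the original post or of OpenSSH: a small audit to run before upgrading a host where PAM is disabled. It lists accounts that are locked yet still have an authorized_keys file, which are the pubkey logins this change will start refusing. The function names are hypothetical, and the lock markers (a leading "!" as written by Linux passwd -l, and Solaris "*LK*") and the default ~/.ssh/authorized_keys path are assumptions to adjust for your platform and sshd_config.

```shell
#!/bin/sh
# Added example: find locked accounts that still rely on pubkey login.
# ASSUMPTION: an account counts as "locked" when its shadow password field
# starts with "!" (Linux passwd -l / usermod -L) or with "*LK*" (Solaris).
# ASSUMPTION: keys live in the default ~/.ssh/authorized_keys location.

# is_locked FIELD -> exit status 0 if FIELD carries a lock marker
is_locked() {
    case "$1" in
        '!'*|'*LK*'*) return 0 ;;   # quoted parts are literal, trailing * is a glob
        *)            return 1 ;;
    esac
}

# locked_pubkey_accounts SHADOW_FILE PASSWD_FILE
# Prints, one per line, each user that is locked and has a non-empty
# authorized_keys file under the home directory named in PASSWD_FILE.
locked_pubkey_accounts() {
    shadow=$1
    passwd=$2
    while IFS=: read -r user field _rest; do
        is_locked "$field" || continue
        # Field 6 of a passwd entry is the home directory.
        home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd")
        [ -n "$home" ] || continue          # no passwd entry: nothing to log in to
        if [ -s "$home/.ssh/authorized_keys" ]; then
            printf '%s\n' "$user"
        fi
    done < "$shadow"
    return 0
}

# Stand-alone use (as root): sh audit.sh /etc/shadow /etc/passwd
if [ "$#" -eq 2 ]; then
    locked_pubkey_accounts "$1" "$2"
fi
```

Each account it prints needs a decision before the upgrade: replace the lock marker with a non-matching unusable password hash, enable PAM, or accept that the account can no longer log in.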