From: Steve Friedl ... no known relation to Markus Friedl :-)
For: OpenSSH-3.7.1p2

The "locked account" behavior has hit quite a few people by surprise (including me): most non-root accounts I create have locked passwords and permit only pubkey authentication. 3.7.1p2 was a "surprise".

This patch adds a "DenyLockedAccounts" option to the sshd_config file, with a default of "yes" (the current behavior). If this is set to no, the old behavior of allowing locked accounts to use pubkey will be used. This won't have any effect on password authentication: a locked account won't ever have a successful password match.

The patch also updates the sshd_config man page and the sample config file.

I've tested the behavior with all three conditions:

  explicit "DenyLockedAccounts yes"
  explicit "DenyLockedAccounts no"
  default, un-optioned behavior

and it's worked just fine on several systems without incident.

To apply:

  # cd openssh-3.7.1p2
  # patch -p0 --backup < /tmp/openssh-denylocked-patch.txt

--- auth.c.orig 2003-10-04 21:56:27.000000000 +0000 +++ auth.c 2003-10-04 22:26:23.000000000 +0000 @@ -131,7 +131,7 @@ #endif /* check for locked account */ - if (!options.use_pam && passwd && *passwd) { + if (!options.use_pam && passwd && *passwd && options.deny_locked_accounts) { int locked = 0; #ifdef LOCKED_PASSWD_STRING --- servconf.c.orig 2003-10-04 22:01:15.000000000 +0000 +++ servconf.c 2003-10-05 17:49:32.000000000 +0000 @@ -100,6 +100,7 @@ options->client_alive_count_max = -1; options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; + options->deny_locked_accounts = -1; /* Needs to be accessable in many places */ use_privsep = -1; @@ -225,6 +226,9 @@ if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->deny_locked_accounts == -1) + options->deny_locked_accounts = 1; + /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; 
@@ -264,6 +268,7 @@ sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sUsePrivilegeSeparation, + sDenyLockedAccounts, sDeprecated, sUnsupported } ServerOpCodes; @@ -355,6 +360,7 @@ { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, + { "denylockedaccounts", sDenyLockedAccounts }, { NULL, sBadOption } }; @@ -731,6 +737,10 @@ intptr = &options->allow_tcp_forwarding; goto parse_flag; + case sDenyLockedAccounts: + intptr = &options->deny_locked_accounts; + goto parse_flag; + case sUsePrivilegeSeparation: intptr = &use_privsep; goto parse_flag; --- servconf.h.orig 2003-10-04 21:58:52.000000000 +0000 +++ servconf.h 2003-10-04 21:59:06.000000000 +0000 @@ -123,6 +123,7 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; int use_pam; /* Enable auth via PAM */ + int deny_locked_accounts; } ServerOptions; void initialize_server_options(ServerOptions *); --- sshd_config.5.orig 2003-10-04 22:10:14.000000000 +0000 +++ sshd_config.5 2003-10-05 17:48:51.000000000 +0000 @@ -194,6 +194,12 @@ Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. .Pp +.It Cm DenyLockedAccounts +Specifies whether accounts that are "locked" are denied access no matter +what authentication method is used. This only takes effect for non-PAM +authentication, and it serves to deny even public-key access to an account +that has a locked password. The default is to deny locked users. +.Pp .It Cm DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. --- sshd_config.orig 2003-10-04 22:15:38.000000000 +0000 +++ sshd_config 2003-10-04 22:23:02.000000000 +0000 
@@ -92,5 +92,11 @@ # no default banner path #Banner /some/path +# By default, accounts that are "locked" are denied regardless of +# authentication method. This disables that behavior, which may be +# appropriate for systems that *only* used locked accounts and never +# permit PasswordAuthnetication. +#DenyLockedAccounts no + # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server
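Review bot: In the auth.c hunk, the new `options.deny_locked_accounts` test sits inside a condition that is already guarded by `!options.use_pam`, so the option has no effect at all when UsePAM is on; the man page says this, but it is worth a one-line comment next to the check, since an administrator who sets "DenyLockedAccounts no" on a PAM build will see no change and may assume the patch is broken. Also worth stating in the comment: with the option set to "no", locking the password no longer disables the account for pubkey logins, so the account must be disabled by other means (removing its authorized_keys, DenyUsers, or a non-login shell).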
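Review bot: In the second servconf.c hunk, the default-filling block `if (options->deny_locked_accounts == -1) options->deny_locked_accounts = 1;` has no comment, unlike the neighbouring `/* Turn privilege separation on by default */`; add one that says 1 means "deny", since a reader cannot tell the polarity from the name alone and this is the line that makes the secure default hold when the keyword is absent.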
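Review bot: In the servconf.h hunk, the new `int deny_locked_accounts;` field is the only one in that part of the struct without a trailing comment (compare `int use_pam; /* Enable auth via PAM */`); add e.g. `/* Deny locked accounts even for pubkey auth */` so the field's meaning and its relation to the auth.c check are visible from the header.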
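Review bot: In the sshd_config.5 hunk, the closing sentence "The default is to deny locked users." should give the literal value the option takes, i.e. state that the default is "yes", so it matches the keyword's own yes/no syntax and the wording of the other boolean entries; the ASCII double quotes around "locked" should also use the man page's quoting macros rather than literal quote characters.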
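Review bot: In the sshd_config hunk, the comment has two typos: "PasswordAuthnetication" should be "PasswordAuthentication", and "systems that *only* used locked accounts" should be "systems that *only* use locked accounts". Separately, the commented-out line `#DenyLockedAccounts no` shows the non-default value, whereas the rest of the sample file shows each option's default in the commented line; showing `#DenyLockedAccounts yes` and explaining in the comment that "no" restores the pre-3.7.1p2 behaviour would follow that convention and make it harder to enable the less restrictive setting by accident when uncommenting.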