On Fri, 2003-10-31 at 13:27, Kurt Lieber wrote:
> Right now, at least on Gentoo, if you lock a user's account with passwd -l,
> that user is still able to access their account if they have
> ssh keys set up. This is, in my mind, a fairly big security hole.
> Googling, I found an issue related to the Solaris implementation of PAM[1]
> that was fixed in a later version.
>
> Does anyone know if there is a way to fix this in Gentoo and/or Linux? (I
> don't have access to any non-Gentoo linux boxen atm, so I can't say for
> sure if this issue exists on other distros) A tweak to PAM, perhaps?
>
> --kurt

It's often overlooked, but a much easier method for locking a user out is
simply to change their default shell to /bin/false or something like it.
SSH keys or not, they won't be getting access to the box anytime soon
without a default shell.

kevyn
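The state Kurt describes (password locked with passwd -l, but the account still reachable over an SSH key) is easy to audit for, since passwd -l simply prefixes the hash in /etc/shadow with "!" and says nothing about the shell in /etc/passwd. The script below is an added example, not code from either poster: it walks a constructed pair of passwd/shadow snippets and lists every user whose password is locked but whose shell is still a real login shell. The /sbin/nologin and /usr/sbin/nologin paths are assumed additions alongside the /bin/false the reply suggests; on a real box, feed the functions the contents of the actual files.

```shell
#!/bin/sh
# Added example, not from the thread. Finds accounts that are password-locked
# ('!' or '*' in front of the hash in /etc/shadow) but still have a login
# shell in /etc/passwd, i.e. accounts an SSH key could still get into.

# Constructed sample data so the script runs offline. The hashes are dummies.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
kurt:x:1000:1000:Kurt:/home/kurt:/bin/bash
kevyn:x:1001:1001:Kevyn:/home/kevyn:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/bash'

SHADOW_SAMPLE='root:$1$dummy$hashhashhash:12345:0:99999:7:::
kurt:!$1$dummy$hashhashhash:12345:0:99999:7:::
kevyn:!$1$dummy$hashhashhash:12345:0:99999:7:::
alice:$1$dummy$hashhashhash:12345:0:99999:7:::'

# Shells that refuse an interactive session. /bin/false is what the reply
# suggests; the nologin paths are an assumed addition.
NOLOGIN_SHELLS='/bin/false /sbin/nologin /usr/sbin/nologin'

# Return 0 if $1 is one of the non-login shells above, 1 otherwise.
is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print "user shell", one per line, for every account whose shadow entry is
# locked but whose passwd entry still carries a login shell.
# Usage: locked_but_shell "$passwd_text" "$shadow_text"
locked_but_shell() {
    passwd_text=$1
    shadow_text=$2
    printf '%s\n' "$shadow_text" | while IFS=: read -r user hash rest; do
        case "$hash" in
            '!'*|'*'*) ;;      # locked password: go on to check the shell
            *) continue ;;     # usable password: not the case we care about
        esac
        shell=$(printf '%s\n' "$passwd_text" |
                awk -F: -v u="$user" '$1 == u { print $7 }')
        if ! is_nologin_shell "$shell"; then
            printf '%s %s\n' "$user" "$shell"
        fi
    done
}

# On a real system: locked_but_shell "$(cat /etc/passwd)" "$(cat /etc/shadow)"
locked_but_shell "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

With the constructed data this reports only kurt, since kevyn is locked and already on /bin/false, and root and alice have usable passwords. Two things worth keeping in mind when acting on the output: sshd only runs the login shell when the client asks for a session, so a /bin/false shell stops interactive logins but does not by itself stop a key holder from opening port forwards with ssh -N; and nothing here touches ~/.ssh/authorized_keys, so removing or disabling that file is still part of a complete lockout.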