sshd allows login for locked using publickey authentication
When authenticating a user by a publickey, sshd grants access to that
account even if its locked by "passwd -l". Seems like sshd is working
the way it is designed. sshd assumes that the key represents a succesful
pam_authenticate and only calls pam_acct_mgmt. Unfortunately
pam_authenticate and not pam_acct_mgmt is doing the locked account
check, so the user is granted access.
Does anybody know a workaround for this? Maybe add an additional
PAM-module in the stack or modify /etc/pam.d/sshd in any way?