Hi Tim,

> From the man page:
>
> --disabled-login
> Do not run passwd to set the password. The user won't be able
> to use her account until the password is set.
>
> --disabled-password
> Like --disabled-login, but logins are still possible (for
> example using SSH RSA keys) but not using password
> authentication.
>
> --disabled-login inserts a ! in the password field of /etc/shadow,
> --disabled-password inserts a * in the password field.
>
> Testing on Debian 10, either way it's possible to log in with SSH using
> a keypair. So I'm guessing this gets overridden by PAM setup. Does
> anyone have a better insight into this?
It may be PAM. sshd(8) here says it checks for a ‘locked’ account to
prohibit access by checking shadow(5) for a leading ‘!’, so
--disabled-login should do. shadow(5) also mentions the meaning of ‘*’.

You could try usermod(8) to set the shadow expiry date for the account.
See what it is beforehand and then either set it to a date in the past
or just 1. Not 0 though. See if that stops sshd.

Also, pam_unix(8) has ‘no_pass_expiry’ and mentions SSH; might be worth
checking what PAM you have configured.

-- 
Cheers, Ralph.

-- 
Next meeting: BEC, Bournemouth, Tuesday, 2020-02-04 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ... http://dorset.lug.org.uk/
New thread, don't hijack: mailto:dorset@mailman.lug.org.uk
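As an added illustration of the distinction the thread draws (example code, not from the thread or from the shadow/adduser tools): a POSIX sh function that classifies shadow(5)-style lines by the rules quoted above, a leading `!` meaning locked, `*` meaning no password set, an empty field meaning no password required, and a set, non-future expiry day number (what `usermod -e` stores) meaning expired. The sample lines and hashes are constructed.

```shell
#!/bin/sh
# Added example: classify accounts from shadow(5)-style lines.
# Field layout: name:passwd:lastchg:min:max:warn:inact:expire:reserved
# Expiry is a day count since 1970-01-01; an empty field never expires and
# 0 is treated as "not set" (shadow(5) says not to use 0 for that reason).

# shadow_status LINE TODAY_DAYS -> prints one of:
#   locked | nopassword | empty | expired | active
shadow_status() {
    line=$1
    today=$2
    passwd=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    # An expiry date that is set and not in the future disables the account
    # regardless of what is in the password field.
    if [ -n "$expire" ] && [ "$expire" -ne 0 ] 2>/dev/null \
        && [ "$expire" -le "$today" ]; then
        echo expired
        return 0
    fi
    case $passwd in
        '!'*) echo locked ;;       # adduser --disabled-login / passwd -l
        '*')  echo nopassword ;;   # adduser --disabled-password
        '')   echo empty ;;        # no password required at all
        *)    echo active ;;
    esac
}

# Today's day number in the same units usermod -e / shadow(5) use.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed stand-in for /etc/shadow (hashes are placeholders).
SAMPLE_SHADOW='alice:!$6$salt$hash:18000:0:99999:7:::
bob:*:18000:0:99999:7:::
carol:$6$salt$hash:18000:0:99999:7::18200:
dave:$6$salt$hash:18000:0:99999:7:::'

# Print "user status" for every line of SAMPLE_SHADOW.
report_shadow() {
    today=$(today_days)
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        printf '%-8s %s\n' "${line%%:*}" "$(shadow_status "$line" "$today")"
    done
}

report_shadow
```

Running it against the real file (`sudo cat /etc/shadow`) instead of `SAMPLE_SHADOW` shows which of the two adduser flags an existing account received, and whether an expiry date set with usermod(8) is already in the past.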