1 files changed, 23 insertions, 0 deletions
diff --git a/sshd.8 b/sshd.8
index 4749fab84..0eeea6666 100644
--- a/sshd.8
+++ b/sshd.8
@@ -114,6 +114,29 @@ authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible.  An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&.  The definition of a locked account is system dependant. Some platforms
+have their own account database (eg AIX) and some modify the passwd field (
+.Ql \&*LK\&*
+on Solaris,
+.Ql \&*
+on HP-UX, containing
+.Ql Nologin
+on Tru64 and a leading
+.Ql \&!!
+on Linux).  If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
 Rhosts authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.

diff --git a/sshd.8 b/sshd.8 index 4749fab84..0eeea6666 100644 --- a/sshd.8 +++ b/sshd.8
@@ -114,6 +114,29 @@ authentication combined with RSA host
114	authentication, RSA challenge-response authentication, or password	114	authentication, RSA challenge-response authentication, or password
115	based authentication.	115	based authentication.
116	.Pp	116	.Pp
		117	Regardless of the authentication type, the account is checked to
		118	ensure that it is accessible. An account is not accessible if it is
		119	locked, listed in
		120	.Cm DenyUsers
		121	or its group is listed in
		122	.Cm DenyGroups
		123	\&. The definition of a locked account is system dependant. Some platforms
		124	have their own account database (eg AIX) and some modify the passwd field (
		125	.Ql \&LK\&
		126	on Solaris,
		127	.Ql \&*
		128	on HP-UX, containing
		129	.Ql Nologin
		130	on Tru64 and a leading
		131	.Ql \&!!
		132	on Linux). If there is a requirement to disable password authentication
		133	for the account while allowing still public-key, then the passwd field
		134	should be set to something other than these values (eg
		135	.Ql NP
		136	or
		137	.Ql \&NP\&
		138	).
		139	.Pp
117	Rhosts authentication is normally disabled	140	Rhosts authentication is normally disabled
118	because it is fundamentally insecure, but can be enabled in the server	141	because it is fundamentally insecure, but can be enabled in the server
119	configuration file if desired.	142	configuration file if desired.