man 1 passwd and reading the text regarding the -l option specifically says:
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account´s expire date to Jan 2, 1970). So this is not a bug. Changing status to invalid. ** Changed in: openssh (Ubuntu) Status: New => Invalid -- public key authentication grants access even for locked accounts https://bugs.launchpad.net/bugs/496008 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs