man 1 passwd and reading the text regarding the -l option specifically says:
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

So this is not a bug. Changing status to invalid.

** Changed in: openssh (Ubuntu)
       Status: New => Invalid

--
public key authentication grants access even for locked accounts
https://bugs.launchpad.net/bugs/496008
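An audit for the situation this comment describes, as an added example that is not part of the original bug comment or of OpenSSH: it lists accounts that passwd -l has locked but that are not expired and still hold an SSH authorized_keys file. The function name, its three arguments and the fixture accounts (alice, bob, carol) are assumptions of this example, and the shadow and key lines are constructed.

```shell
#!/bin/sh
# Added example: report accounts that `passwd -l` has locked but that are not
# expired and still have an SSH authorized_keys file.
# Assumed arguments: shadow-format file, passwd-format file, today's date as
# days since 1970-01-01 (on a live host: $(( $(date +%s) / 86400 ))).
locked_with_keys() {
    shadow=$1; passwd=$2; today=$3
    while IFS=: read -r user hash lastchg min max warn inactive expire rest; do
        # passwd -l locks by prefixing the password hash field with "!".
        case $hash in
            '!'*) ;;
            *) continue ;;
        esac
        # usermod --expiredate writes field 8 (days since the epoch); once
        # that day has passed the account itself is disabled.
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            continue
        fi
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd")
        [ -n "$home" ] || continue
        # A non-empty authorized_keys file is another authentication token.
        if [ -s "$home/.ssh/authorized_keys" ]; then
            printf '%s\n' "$user"
        fi
    done < "$shadow"
}

# Constructed fixture: alice locked only, bob locked and expired (day 1),
# carol not locked. All three have a placeholder key file.
demo() {
    d=$(mktemp -d)
    for u in alice bob carol; do
        mkdir -p "$d/home/$u/.ssh"
        echo "ssh-ed25519 CONSTRUCTED-KEY $u" > "$d/home/$u/.ssh/authorized_keys"
        echo "$u:x:1000:1000::$d/home/$u:/bin/sh" >> "$d/passwd"
    done
    cat > "$d/shadow" <<'EOF'
alice:!$6$constructed:19000:0:99999:7:::
bob:!$6$constructed:19000:0:99999:7::1:
carol:$6$constructed:19000:0:99999:7:::
EOF
    locked_with_keys "$d/shadow" "$d/passwd" "${1:-20000}"
    rm -rf "$d"
}

demo
```

On a real host the function would be pointed at /etc/shadow and /etc/passwd as root; every name it prints is an account where the lock alone does not stop key-based login.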