Why does `passwd -l` (--lock) also prevent ssh key-based login?

Question

I locked a users password with passwd --lock [userName], the man page and this answers tells me, that a locked password doesn't prevent other means of logins (e.g.: ssh key-based).

Quote from man passwd

-l, --lock
Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).

Note that this does not disable the account.
The user may still be able to login using another authentication token (e.g. an SSH key).
...

The last quoted sentence, tells me, that it won't affect ssh key-based login, but for my system it does. The user is no longer allowed to login via ssh with his private key.

What conclusion should I draw here:

1. The man page and the linked answers (as all other found online material) is wrong about the ssh-key-exception. And I should open a Bug-Report for the man entry (aka even rtfm is not valid in all cases).
2. The sentence includes a "may", so therefore I read the wrong manual or not the full manual and somewhere it is stated, that in some circumstance ssh honors the locked password flag and prevents locked user from login (aka rtfm is valid and I am to stupid to look into the right places).

As I am fallible, I guess the second conclusion is the right one. If so, could someone please point me the docs/connections/etc that I missed and which would explain the observed behavior?

Answer 1

The openssh daemon/service has picked up that the account is locked and has disabled access. (password field starts with !)

The man page for "sshd" indicates:-

Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups . The definition of a locked account is system dependant. Some platforms have their own account database (eg AIX) and some modify the passwd field ( "LK" on Solaris and UnixWare, "*" on HP-UX, containing "Nologin" on Tru64, a leading "LOCKED" on FreeBSD and a leading "!" on most Linuxes). If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field should be set to something other than these values (eg "NP" or "NP").