Improper Authorization

huntr report EA82CFC9-B55C-41FE-AE58-0D0E0BD7AB62
Reported by ysf, www.huntr.dev
2022-03-06 10:34:14

EPSS: 0.002 (Low), percentile 51.4%

Description

When Gogs is built and configured for PAM authentication, it skips the authorization (account management) check completely. Therefore expired accounts and accounts with expired passwords can still log in.

Proof of Concept

You can expire an account with chage -E0 <username> and still log in.

Impact

Since disabling an account in PAM still allows login via SSH keys, it is common to set accounts to expire when you want to deny access. So accounts whose privileges have been revoked are still able to log in.
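To make the description and the proof of concept concrete, the following is an added example (not Gogs's own code) that models the two PAM steps an application has to perform: pam_authenticate, which only verifies the credential, and pam_acct_mgmt, which is where pam_unix enforces account expiry (chage -E) and password age. It stands in for the real PAM stack with an in-process fake backed by constructed shadow-style records; the method names Authenticate and AcctMgmt are assumed to mirror the Go PAM binding, and the users, dates and check rules are constructed and simplified (pam_unix also distinguishes "new password required" from "account expired"). loginVulnerable reproduces the reported behaviour; loginFixed adds the missing call.

```go
package main

import (
	"errors"
	"fmt"
)

// shadowEntry is a constructed stand-in for a shadow(5) record. Day counts
// are days since 1970-01-01 as in /etc/shadow; -1 means "not set".
type shadowEntry struct {
	password   string // plaintext stand-in for the password hash (constructed)
	lastChange int    // day of last password change (sp_lstchg)
	maxDays    int    // maximum password age in days (sp_max), -1 = unlimited
	expire     int    // account expiry day (sp_expire), -1 = never
}

// today is a constructed "current day": 2022-03-06 is day 19057.
var today = 19057

// users is a constructed user database.
var users = map[string]shadowEntry{
	"alice":   {password: "correct horse", lastChange: 19000, maxDays: 99999, expire: -1},
	"revoked": {password: "correct horse", lastChange: 19000, maxDays: 99999, expire: 0}, // after chage -E0 revoked
	"stale":   {password: "correct horse", lastChange: 18900, maxDays: 30, expire: -1},   // password older than sp_max
}

var (
	errAuth          = errors.New("pam: authentication failure")
	errAcctExpired   = errors.New("pam: account expired")
	errPasswdExpired = errors.New("pam: password expired")
)

// transaction models a PAM transaction; the method names are assumed to
// follow the Go PAM binding's Authenticate and AcctMgmt.
type transaction struct{ user, password string }

// Authenticate models pam_authenticate: it checks the credential and nothing else.
func (t *transaction) Authenticate() error {
	e, ok := users[t.user]
	if !ok || e.password != t.password {
		return errAuth
	}
	return nil
}

// AcctMgmt models pam_acct_mgmt as pam_unix performs it from the shadow record:
// the account is expired once today reaches sp_expire, and the password is
// expired once it is older than sp_max days (simplified).
func (t *transaction) AcctMgmt() error {
	e := users[t.user]
	if e.expire != -1 && today >= e.expire {
		return errAcctExpired
	}
	if e.maxDays != -1 && today-e.lastChange > e.maxDays {
		return errPasswdExpired
	}
	return nil
}

// loginVulnerable reproduces the reported defect: only the credential is
// verified, so an account expired with chage -E0 still logs in.
func loginVulnerable(user, password string) error {
	t := &transaction{user: user, password: password}
	return t.Authenticate()
}

// loginFixed performs the account-management step after authentication,
// which is what rejects expired accounts and expired passwords.
func loginFixed(user, password string) error {
	t := &transaction{user: user, password: password}
	if err := t.Authenticate(); err != nil {
		return err
	}
	return t.AcctMgmt()
}

func main() {
	for _, u := range []string{"alice", "revoked", "stale"} {
		fmt.Printf("%-8s vulnerable=%v fixed=%v\n", u,
			loginVulnerable(u, "correct horse"), loginFixed(u, "correct horse"))
	}
}
```

Running it shows "revoked" and "stale" accepted by loginVulnerable and rejected by loginFixed, while "alice" passes both; the detection angle is the same as the fix: an authentication path that never reaches an account-management step is the thing to look for in review or in PAM debug logs.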

