Prevent logins without suspending account

==============

As a web hosting provider, I would like the WHM API user session creation to test the account's shadow hash for signs of locking and fail to provide a token if the account is locked, so that a user is prevented from being able to login to a cPanel account via SSH, directly into cPanel via password, and also by a session token generated via WHM API.

==============

We would like the user session creation to not provide a token on accounts that have been locked by the system in this way. Any alternative method to achieve similar effect would also be good, such as perhaps simply preventing the actual login to an account if the user is locked, regardless of whether a session exists or if the user is otherwise authenticated.

------------------------------------------------------------------

cPanel currently does not appear to respect the system's notion of a locked account; that is, when the password is temporarily "locked" by using the "passwd -l" command, the system adds "!!" to the hash in /etc/shadow. This prevents the user from being able to log in via SSH and directly to cPanel via a password, but it does not prevent a session token from being generated via the WHM API and that session token working to get into cPanel.

We would like WHM API user session creation to test the account's shadow hash for signs of locking and fail to provide a token if the account is locked.

Alternatively, provide some method of preventing logins (a partial suspension?) to cPanel (system and session token). I imagine something along the lines of "/scripts/suspendacct --system", which could do magic to prevent users from authenticating both by password and my session tokens.