diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8
index 8d1c8b9be020..60667e69e74d 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.8
+++ b/lib/libpam/modules/pam_unix/pam_unix.8
@@ -34,7 +34,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 12, 2006
+.Dd March 27, 2007
 .Dt PAM_UNIX 8
 .Os
 .Sh NAME
@@ -142,8 +142,20 @@ provides a function to perform account management,
 .Fn pam_sm_acct_mgmt .
 The function verifies
 that the authenticated user
-is allowed to login to the local user account
-by checking the password expiry date.
+is allowed to log into the local user account
+by checking the following criteria:
+.Bl -dash -offset indent
+.It
+locked status of the account compatible with
+.Xr pw 8
+.Cm lock ;
+.It
+the password expiry date from
+.Xr passwd 5 ;
+.It
+.Xr login.conf 5
+restrictions on the remote host, login time, and tty.
+.El
 .Pp
 The following options may be passed to the management module:
 .Bl -tag -width ".Cm use_first_pass"
@@ -199,4 +211,5 @@ password database.
 .Xr nsswitch.conf 5 ,
 .Xr passwd 5 ,
 .Xr pam 8 ,
+.Xr pw 8 ,
 .Xr yp 8
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 26084ec0e6f6..46b5f4729bc6 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -70,6 +70,9 @@ __FBSDID("$FreeBSD$");
 #define DEFAULT_WARN		(2L * 7L * 86400L)  /* Two weeks */
 #define	SALTSIZE		32
 
+#define	LOCKED_PREFIX		"*LOCKED*"
+#define	LOCKED_PREFIX_LEN	(sizeof(LOCKED_PREFIX) - 1)
+
 static void makesalt(char []);
 
 static char password_hash[] =		PASSWORD_HASH;
@@ -176,6 +179,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
 	    (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
 		return (PAM_NEW_AUTHTOK_REQD);
 
+	if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)
+		return (PAM_AUTH_ERR);
+
 	lc = login_getpwclass(pwd);
 	if (lc == NULL) {
 		PAM_LOG("Unable to get login class for user %s", user);