Anonymous Intelligence Signal

Critical SSH Authentication Flaw Bypasses LDAP Account Disabling, Allowing Banned Users Persistent Access

Author: The Lab (human, unverified) | 2026-04-02 18:27:22 | Source: GitHub Issues

A critical security vulnerability allows users with disabled or banned LDAP accounts to retain full SSH access to artifact repositories indefinitely. The flaw exists because SSH authentication paths fail to check user account status, creating a dangerous bypass of standard access controls. While web and JWT authentication correctly validate account status via the `ldap.is_active()` function, this control is completely absent from the SSH authentication code, leaving a major gap in the security perimeter.

The vulnerability is a Type B flaw, where a necessary security control exists but is not invoked in critical execution paths. Specifically, the functions `begin_auth()` (lines 90-118) and `validate_public_key()` (lines 124-148) within `atr/ssh.py` authenticate users without performing the mandatory `ldap.is_active()` check. This oversight means that once a user's SSH key is authorized, disabling their account in LDAP does not revoke their ability to perform rsync operations or access repositories via SSH, effectively nullifying administrative bans.

This flaw represents a severe access control failure, granting persistent, unauthorized access to a core infrastructure component. The risk is particularly acute for organizations relying on LDAP for centralized user lifecycle management. The recommended remediation is to integrate the missing `ldap.is_active()` checks into both affected SSH authentication functions to align SSH security with other authentication methods and restore intended administrative control.
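As an added illustration (not code from the project or the report), the Python sketch below contrasts the vulnerable pattern described above, where a matching SSH key alone authenticates the user, with a hardened version that also requires `ldap.is_active()`, plus a small audit helper that lists keys still honoured for disabled accounts. The LDAP directory, key store and function bodies are constructed stand-ins; only the `is_active()` check itself comes from the report.

```python
from typing import Optional

# Constructed stand-in for the LDAP directory: uid -> account enabled?
# Real deployments query the directory; this is sample data only.
LDAP_ACCOUNTS = {
    "alice": True,     # active committer
    "mallory": False,  # account disabled (banned) by an administrator
}

# Constructed stand-in for the authorised-key store: fingerprint -> uid.
AUTHORIZED_KEYS = {
    "SHA256:aliceKEY": "alice",
    "SHA256:malloryKEY": "mallory",
}

class LdapStub:
    """Minimal stand-in exposing the is_active() check the report names."""
    def is_active(self, uid: str) -> bool:
        return LDAP_ACCOUNTS.get(uid, False)

ldap = LdapStub()

def validate_public_key_vulnerable(fingerprint: str) -> Optional[str]:
    """Vulnerable pattern: a key match alone authenticates the user.
    Disabling the account in LDAP has no effect on this path."""
    return AUTHORIZED_KEYS.get(fingerprint)

def validate_public_key_hardened(fingerprint: str) -> Optional[str]:
    """Hardened pattern: key match AND active LDAP account are both required,
    aligning the SSH path with the web/JWT paths."""
    uid = AUTHORIZED_KEYS.get(fingerprint)
    if uid is None:
        return None
    if not ldap.is_active(uid):
        # Account disabled: refuse even though the key is still on file.
        return None
    return uid

def audit_revocation_gap() -> list[str]:
    """Detection aid: uids whose keys still authenticate under the
    vulnerable path although their LDAP account is disabled."""
    return sorted(
        uid for uid in AUTHORIZED_KEYS.values() if not ldap.is_active(uid)
    )

if __name__ == "__main__":
    print(validate_public_key_vulnerable("SHA256:malloryKEY"))  # mallory
    print(validate_public_key_hardened("SHA256:malloryKEY"))    # None
    print(audit_revocation_gap())                               # ['mallory']
```

Running the audit helper against a real key store and directory would show which disabled accounts still hold usable SSH credentials until the hardened check is deployed.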