diff --git a/scripts/ssh/ssh-exec.php b/scripts/ssh/ssh-exec.php
--- a/scripts/ssh/ssh-exec.php
+++ b/scripts/ssh/ssh-exec.php
@@ -146,6 +146,14 @@
 $device_name));
 }
 
+ if ($device->isDisabled()) {
+ throw new Exception(
+ pht(
+ 'This request has authenticated as a device ("%s"), but this '.
+ 'device is disabled.',
+ $device->getName()));
+ }
+
 // We're authenticated as a device, but we're going to read the user out of
 // the command below.
 $is_cluster_request = true;
diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -238,6 +238,16 @@
 if ($object instanceof PhabricatorUser) {
 $user = $object;
 } else {
+ if ($object->isDisabled()) {
+ return array(
+ 'ERR-INVALID-AUTH',
+ pht(
+ 'The key which signed this request is associated with a '.
+ 'disabled device ("%s").',
+ $object->getName()),
+ );
+ }
+
 if (!$stored_key->getIsTrusted()) {
 return array(
 'ERR-INVALID-AUTH',
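Review bot: In scripts/ssh/ssh-exec.php the new `isDisabled()` check has no comment saying that it must stay above `$is_cluster_request = true`, the line that marks the request as a cluster request. A one-line comment such as `// Reject disabled devices before the request is marked as a cluster request.` would keep a later refactor from moving the flag above the check. The enclosing block starts and ends outside the hunk, so it is not visible whether this rejection is logged anywhere. If it is not, recording the device name on this path would make continued use of a disabled device's key easier to spot.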
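Review bot: In PhabricatorConduitAPIController.php the added `$object->isDisabled()` call runs for every key owner that is not a `PhabricatorUser`, while the error text assumes the owner is a device. If any other object type can own a signing key, the call would end in a fatal error rather than `ERR-INVALID-AUTH`. Testing the type first, for example `if (!($object instanceof AlmanacDevice)) { return array('ERR-INVALID-AUTH', ...); }` (class name assumed, it is not shown in this hunk), makes the branch fail closed. The enclosing method starts and ends outside the hunk, so the set of possible owner types cannot be confirmed from here.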