| Subject: | Re: sshd permits logon using disabled user? |
| To: | cygwin AT cygwin DOT com |
| From: | Stefan Baur <X2Go-ML-1 AT baur-itcs DOT de> |
| Date: | Thu, 24 Jan 2019 16:51:07 +0100 |
On 24.01.19 at 16:45, Corinna Vinschen wrote:
>> In the shell, logged on as the disabled user, the 'whoami' command returns
>> the name of the disabled user.
>>
>> This seems unexpected and not good.
>>
>> Why does sshd allow logon for a disabled user?
> Because the underlying Cygwin function responsible for changing the user
> account only checks if the account exists. It does not check for any of
> the flags in the user DB. Yet.
>
> I pushed a patch to disallow changing the user account to a disabled or
> locked out account.

I would like to point out that on Linux, you can disable an account's
password ("password -l username" / "usermod -L username"), and still log
in using an SSH key pair. This is intentional and different to
disabling an account entirely ("usermod -e 1 username" combined with the
above).

So I guess, the question is if there's a way to make Cygwin act similar
to this - maybe if you can tell disabled vs. locked out apart, allow SSH
key pair logins when locked out, but not when disabled?

Kind Regards,
Stefan Baur
-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID No.: DE268653243
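The Linux distinction described in the message above, shown on constructed /etc/shadow lines. This is an added example, not part of the original message or of Cygwin: `usermod -L` prefixes the password field with `!`, while `usermod -e 1` sets the eighth field (account expiry, in days since 1970-01-01) to 1. The account names, hashes and the `classify`/`audit` helpers are made up for illustration.

```python
"""Tell a locked password apart from a disabled (expired) account."""
from datetime import date

# Constructed sample lines; names and hashes are not real.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$hashAAAA:17900:0:99999:7:::
bob:!$6$saltsalt$hashBBBB:17900:0:99999:7:::
carol:!$6$saltsalt$hashCCCC:17900:0:99999:7::1:
dave:$6$saltsalt$hashDDDD:17900:0:99999:7::20000:
"""

EPOCH = date(1970, 1, 1)


def classify(line, today):
    """Return (user, state) for one shadow(5) line.

    "expired"          expiry field is today or earlier: the account as a
                       whole is disabled, whatever the login method
    "password-locked"  '!' prefix only: no password can match, but, as the
                       message notes, SSH key pair logins still work
    "active"           neither of the above
    """
    fields = line.split(":")
    if len(fields) < 8:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw_field, expire = fields[0], fields[1], fields[7]
    days_today = (today - EPOCH).days
    # An empty expiry field means the account never expires.
    if expire and int(expire) <= days_today:
        return user, "expired"
    if pw_field.startswith("!"):
        return user, "password-locked"
    return user, "active"


def audit(shadow_text, today):
    """Map every account in shadow_text to its state."""
    return dict(classify(l, today) for l in shadow_text.splitlines() if l)


if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW, date.today()).items():
        print(f"{user:8} {state}")
```
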