| Date: | Thu, 24 Jan 2019 16:59:18 +0100 |
| From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: sshd permits logon using disabled user? |
| Message-ID: | <20190124155918.GL2802@calimero.vinschen.de> |
| Reply-To: | cygwin AT cygwin DOT com |
| References: | <CANV9t=SSyof86c5Yz3tNhwj4To=eKnrmveQcr59ZmMY-X9_txA AT mail DOT gmail DOT com> <20190124154533 DOT GK2802 AT calimero DOT vinschen DOT de> <2b348ac3-63d1-2cd3-430d-2568d650a583 AT baur-itcs DOT de> |
| In-Reply-To: | <2b348ac3-63d1-2cd3-430d-2568d650a583@baur-itcs.de> |
On Jan 24 16:51, Stefan Baur wrote:
> On 24.01.19 at 16:45 Corinna Vinschen wrote:
> >> In the shell, logged on as the disabled user, the 'whoami' command returns
> >> the name of the disabled user.
> >>
> >> This seems unexpected and not good.
> >>
> >> Why does sshd allow logon for a disabled user?
> > Because the underlying Cygwin function responsible for changing the user
> > account only checks if the account exists. It does not check for any of
> > the flags in the user DB. Yet.
> >
> > I pushed a patch to disallow changing the user account to a disabled or
> > locked out account.
>
> I would like to point out that on Linux, you can disable an account's
> password ("password -l username" / "usermod -L username"), and still log
> in using an SSH key pair. This is intentional and different to
> disabling an account entirely ("usermod -e 1 username" combined with the
> above).
>
> So I guess, the question is if there's a way to make Cygwin act similar
> to this - maybe if you can tell disabled vs. locked out apart, allow SSH
> key pair logins when locked out, but not when disabled?
Being disabled and being locked out are two different flags, so they
can be distinguished from each other. A disabled account is an account
which is explicitly disabled in the user DB. A locked out account in
Windows is to my understanding an account which has unsuccessfully tried
to login multiple times so the account is locked for security reasons,
until an admin unlocks it.

Right now, with the patch I just pushed, both types, explicitly disabled
or locked out, are refused.

I think refusing an account manually and deliberately disabled by an
admin makes lots of sense.

I'm not so sure about locked out accounts. This might need some
discussion.
Corinna
-- 
Corinna Vinschen
Cygwin Maintainer
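As an added example, not part of the thread and not Cygwin's own code: a small Python model of the distinction Corinna and Stefan are discussing. The Windows flag values are the UF_ACCOUNTDISABLE and UF_LOCKOUT bits of the usri*_flags field as defined in lmaccess.h; the Linux side reads /etc/shadow entries the way `passwd -l` / `usermod -L` (hash prefixed with `!`) and `usermod -e 1` (expire field set to day 1) leave them. The `AccountState` names, the `allow_login` policy and the sample shadow lines are assumptions made for this example; the policy encodes Stefan's proposal (keys still accepted when an account is only locked out, never when it is disabled), not what the pushed patch does.

```python
"""Classify an account as active, disabled, locked out or password-locked
and decide whether an sshd-style login should go ahead.

Flag names and values come from Windows lmaccess.h (USER_INFO_n.usriN_flags).
Everything else (state names, policy, sample data) is an assumption made for
this example and is not Cygwin's or OpenSSH's code.
"""
from enum import Enum, auto

# Values from lmaccess.h.
UF_ACCOUNTDISABLE = 0x0002  # an admin explicitly disabled the account
UF_LOCKOUT = 0x0010         # too many bad passwords; cleared by an admin or a timeout


class AccountState(Enum):
    ACTIVE = auto()
    DISABLED = auto()         # deliberate: Windows "account disabled" / usermod -e 1
    LOCKED_OUT = auto()       # automatic: Windows bad-password lockout
    PASSWORD_LOCKED = auto()  # passwd -l / usermod -L: only the password is unusable


def windows_state(flags: int) -> AccountState:
    """Map usri*_flags to a state; an explicit disable wins over a lockout."""
    if flags & UF_ACCOUNTDISABLE:
        return AccountState.DISABLED
    if flags & UF_LOCKOUT:
        return AccountState.LOCKED_OUT
    return AccountState.ACTIVE


def linux_state(shadow_line: str, today_days: int) -> AccountState:
    """Interpret one /etc/shadow entry.

    Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved.
    'expire' is days since 1970-01-01 (empty or 0 means never); shadow's own
    isexpired() treats the account as expired once today >= expire, so
    usermod -e 1 disables the whole account.  passwd -l / usermod -L only
    prefix the hash with '!', which leaves non-password authentication such
    as SSH keys usable.
    """
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("malformed shadow entry: %r" % shadow_line)
    pw_hash, expire = fields[1], fields[7]
    if expire and int(expire) > 0 and int(expire) <= today_days:
        return AccountState.DISABLED
    if pw_hash.startswith("!"):
        return AccountState.PASSWORD_LOCKED
    return AccountState.ACTIVE


def allow_login(state: AccountState, key_auth: bool,
                allow_key_when_locked_out: bool = True) -> bool:
    """Assumed policy, following Stefan's proposal in the thread.

    A deliberately disabled account is always refused.  A password-locked
    account refuses passwords but accepts keys (the Linux behaviour).  A
    locked-out account refuses passwords and accepts keys only if the
    deployment opts in, which is the open question Corinna raises.
    """
    if state is AccountState.ACTIVE:
        return True
    if state is AccountState.DISABLED:
        return False
    if state is AccountState.PASSWORD_LOCKED:
        return key_auth
    return key_auth and allow_key_when_locked_out  # LOCKED_OUT


# Constructed sample data, not real accounts or hashes.
SAMPLE_SHADOW = [
    "alice:$6$saltsalt$abcdefghijklmnop:18000:0:99999:7:::",    # untouched
    "bob:!$6$saltsalt$abcdefghijklmnop:18000:0:99999:7:::",     # passwd -l bob
    "carol:!$6$saltsalt$abcdefghijklmnop:18000:0:99999:7::1:",  # usermod -L -e 1 carol
]
TODAY = 17920  # 2019-01-24, the date of the thread, as days since the epoch


def classify_shadow(lines, today=TODAY):
    """Return {username: AccountState} for a list of shadow entries."""
    return {line.split(":")[0]: linux_state(line, today) for line in lines}


if __name__ == "__main__":
    for name, state in classify_shadow(SAMPLE_SHADOW).items():
        print(name, state.name,
              "key:", allow_login(state, key_auth=True),
              "password:", allow_login(state, key_auth=False))
    for flags in (0, UF_LOCKOUT, UF_ACCOUNTDISABLE, UF_ACCOUNTDISABLE | UF_LOCKOUT):
        print("flags=0x%04x" % flags, windows_state(flags).name)
```

Two caveats for anyone porting this to a real check: on a domain, the lockout bit is not stored in the LDAP userAccountControl attribute (it lives in lockoutTime), so the source of the flags matters; and an account can carry both bits at once, which is why `windows_state` tests the disable bit first.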
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |