Mail Archives: cygwin/2019/01/24/23:42:45

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
Date: Fri, 25 Jan 2019 04:42:29 +0000 (UTC)
From: "matthew patton via cygwin" <cygwin AT cygwin DOT com>
Reply-To: matthew patton <pattonme AT yahoo DOT com>
To: <cygwin AT cygwin DOT com>
Message-ID: <1690850474.834980.1548391349102@mail.yahoo.com>
Subject: Re: sshd permits logon using disabled user?
MIME-Version: 1.0
References: <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com>
X-IsSubscribed: yes

 > I think refusing an account manually and deliberately disabled by an
 > admin makes lots of sense.

Why is this even a discussion? You *ALWAYS* refuse a login to an account that is disabled, locked out, or has an expired password or failed any of the other criteria that might be in effect (day/time restrictions, source IP restrictions, etc.)

Is someone suggesting that the Windows authentication API is actually returning a success code despite any of these conditions?

Furthermore you also *NEVER* hint to the user why the login was denied. It's rule #1 of security engineering.
Denied is denied. Explanations or hints are verboten.


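The policy argued for in the message above, as an added example that is not part of the original post and is not Cygwin or sshd code: every account-state check is evaluated, the reasons go only to a server-side audit log, and the client gets one identical reply. The `Account` record, the function names and the sample accounts are hypothetical and constructed for illustration.

```python
import ipaddress
import logging
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple

audit = logging.getLogger("auth.audit")   # server-side log, never sent to the client
DENIED = "Permission denied."             # the only text any failed login ever sees

@dataclass
class Account:                            # hypothetical record, not a Windows/sshd type
    password_ok: bool                     # outcome of the credential check (done elsewhere)
    disabled: bool = False
    locked_out: bool = False
    password_expires: Optional[datetime] = None
    logon_hours: Optional[Tuple[time, time]] = None
    allowed_nets: List[str] = field(default_factory=list)

def denial_reasons(acct: Optional[Account], now: datetime, src: str) -> List[str]:
    """Collect every failed condition; the result is for the audit log only."""
    if acct is None:
        return ["unknown user"]
    reasons = []
    if not acct.password_ok:
        reasons.append("bad credentials")
    if acct.disabled:
        reasons.append("account disabled")
    if acct.locked_out:
        reasons.append("account locked out")
    if acct.password_expires and now >= acct.password_expires:
        reasons.append("password expired")
    if acct.logon_hours and not (acct.logon_hours[0] <= now.time() < acct.logon_hours[1]):
        reasons.append("outside logon hours")
    if acct.allowed_nets and not any(
            ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in acct.allowed_nets):
        reasons.append("source address not allowed")
    return reasons

def login(accounts: dict, user: str, now: datetime, src: str) -> Tuple[bool, str]:
    reasons = denial_reasons(accounts.get(user), now, src)
    if reasons:
        audit.warning("denied user=%r src=%s why=%s", user, src, "; ".join(reasons))
        return False, DENIED              # same reply whatever the reason
    return True, "OK"

# Constructed sample data
NOW = datetime(2019, 1, 25, 4, 42)
ACCOUNTS = {"alice": Account(True), "bob": Account(True, disabled=True),
            "carol": Account(False), "erin": Account(True, allowed_nets=["10.0.0.0/8"])}
```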