X-Recipient: | archive-cygwin AT delorie DOT com |
Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
List-Id: | <cygwin.cygwin.com> |
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
List-Archive: | <http://sourceware.org/ml/cygwin/> |
List-Post: | <mailto:cygwin AT cygwin DOT com> |
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
Sender: | cygwin-owner AT cygwin DOT com |
Mail-Followup-To: | cygwin AT cygwin DOT com |
Delivered-To: | mailing list cygwin AT cygwin DOT com |
Authentication-Results: | sourceware.org; auth=none |
X-HELO: | mout.kundenserver.de |
Subject: | Re: sshd permits logon using disabled user? |
To: | cygwin AT cygwin DOT com |
References: | <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> |
From: | Stefan Baur <X2Go-ML-1 AT baur-itcs DOT de> |
Openpgp: | preference=signencrypt |
Message-ID: | <d6f98cbc-bd2f-1c13-98bb-7ef42c000115@baur-itcs.de> |
Date: | Fri, 25 Jan 2019 11:36:32 +0100 |
User-Agent: | Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 |
MIME-Version: | 1.0 |
In-Reply-To: | <1690850474.834980.1548391349102@mail.yahoo.com> |
X-IsSubscribed: | yes |
On 25.01.19 at 05:42, matthew patton via cygwin wrote:
> Why is this even a discussion? You *ALWAYS* refuse a login to an account that is disabled, locked out, or has an expired password or failed any of the other criteria that might be in effect (day/time restrictions, source IP restrictions, etc.)

Not on Linux (and possibly other Unices). There, it's perfectly valid to disable an account's password login (both locally and remote), but to at the same time allow ssh key file based logins for the same account.

Since cygwin aims to be Linux-/POSIX-compatible to a certain degree, it is indeed worthy of discussion - even if the final decision might be to just block logins completely, even with an ssh key pair.

Before Corinna pushed her fix, it was possible to log in via SSH key, even when the account was locked out/disabled. Someone might have been using that "feature" on cygwin, knowing it from Linux, where it is indeed a feature/design choice. If this fix hits stable, the same people might be wondering why their ssh logins fail all of a sudden.

This could be a scenario for scripted uploads via rsync/scp/sftp, for example, where people are using ssh keys locked down to certain commands. You just don't want that user account to be able to log in with only a password, ever - because the only reason that would happen would be an account compromise. And because of that, having a "there is no valid password for this account, you can try as hard as you like" setting makes more sense than just setting a long and complex password that hopefully no one ever guesses/bruteforces/sidechannel-hacks/...

Kind Regards,
Stefan Baur

--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID no.: DE268653243
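
The Linux-side setup described in the message above can be audited as follows. This is an added example, not part of the original message or of Cygwin: it lists accounts that have no valid password but can still be reached with an ssh key, and shows whether each key is locked down to a forced command. It assumes the common Linux shadow convention that a password field beginning with `!` or `*` matches no password; the sample entries and the `/usr/local/bin/upload-only` path are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with one of these has no options

# Constructed sample data: shadow-format lines and authorized_keys lines per user.
SHADOW = [
    "upload:!:17900:0:99999:7:::",
    "backup:*:17900:0:99999:7:::",
    "alice:$6$constructedsalt$constructedhash:17900:0:99999:7:::",
]
KEYS = {
    "upload": ['command="/usr/local/bin/upload-only --quiet",no-pty,'
               'no-port-forwarding ssh-ed25519 AAAAC3constructed upload@ci'],
    "backup": ["# old key removed", "ssh-ed25519 AAAAC3constructed backup@host"],
    "alice": ["ssh-ed25519 AAAAC3constructed alice@laptop"],
}

def password_usable(shadow_field):
    """False when the field can never match a typed password (assumed convention)."""
    return not shadow_field.startswith(("!", "*"))

def key_options(line):
    """Return the options prefix of an authorized_keys line ('' if there is none)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return ""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes       # option values may contain spaces
        elif ch in " \t" and not in_quotes:
            return line[:i]                 # first unquoted blank ends the options
    return ""

def forced_command(options):
    """Return the command="..." value from an options string, or None."""
    m = re.search(r'(?:^|,)command="((?:[^"\\]|\\.)*)"', options)
    return m.group(1) if m else None

def audit(shadow_lines, keys_by_user):
    """List (user, forced command or 'UNRESTRICTED') for key-only accounts."""
    findings = []
    for entry in shadow_lines:
        user, field = entry.split(":")[:2]
        if password_usable(field):
            continue                        # password login possible: out of scope
        for line in keys_by_user.get(user, []):
            if line.strip() and not line.lstrip().startswith("#"):
                cmd = forced_command(key_options(line))
                findings.append((user, cmd or "UNRESTRICTED"))
    return findings

if __name__ == "__main__":
    for user, cmd in audit(SHADOW, KEYS):
        print(f"{user}: password disabled, key login allowed, command={cmd}")
```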