From: | Stephen Paul Carrier <carrier AT berkeley DOT edu> |
Date: | Fri, 25 Jan 2019 09:48:33 -0800 |
To: | cygwin AT cygwin DOT com |
Subject: | Re: sshd permits logon using disabled user? |
Message-ID: | <20190125174833.GA1710@zebra> |
References: | <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <d6f98cbc-bd2f-1c13-98bb-7ef42c000115 AT baur-itcs DOT de> <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA AT mail DOT gmail DOT com> |
MIME-Version: | 1.0 |
In-Reply-To: | <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA@mail.gmail.com> |
User-Agent: | Mutt/1.9.1 (2017-09-22) |
X-IsSubscribed: | yes |
On Fri, Jan 25, 2019 at 08:34:09AM -0700, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 3:36 AM Stefan Baur <X2Go-ML-1 AT baur-itcs DOT de> wrote:
>
> > Not on Linux (and possibly other Unices). There, it's perfectly valid
> > to disable an account's password login (both locally and remote), but to
> > at the same time allow ssh key file based logins for the same account.
>
> But disabling _password login_ is an entirely separate issue from
> disabling _the account itself_.
>
> Before the fix, it was possible to log on to sshd using a disabled (or
> locked) account.
>
> There should be _no_ scenario where it is possible to log on using a
> disabled/locked account.

There are different paths to access and to completely disable the account you need to close all of them.

There are many reasons to disable some paths without disabling all paths and converting the switch that can disable one path to a switch that will disable all paths will break some setups and be less flexible. (As Stefan Baur is pointing out effectively.)

To disable ssh logins really, instead of changing the way Cygwin works for everyone, you could do what UNIX/Linux admins do, something like moving the user .ssh folder to .ssh.disabled.

Stephen Carrier
Systems Administrator
BEAR (Berkeley Evaluation & Assessment Research) Center
Graduate School of Education
University of California, Berkeley
http://BEARcenter.Berkeley.EDU/
carrier AT Berkeley DOT EDU

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
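The rename suggested in the message closes the key-based path only for key files that live under the user's .ssh directory. As an added example (not part of the original message or of Cygwin), the script below resolves sshd's `AuthorizedKeysFile` patterns and lists the key files that are still present after the rename. The user `alice`, the directory tree and the config line are constructed, and `Match` blocks and the `%%` token are not handled.

```shell
#!/bin/sh
# Added example: which authorized-keys files would sshd still read for a user?
# Everything runs inside a constructed temporary tree, not the real system.

# expand_pattern PATTERN USER HOME -> path with %h and %u expanded
expand_pattern() {
    p=$(printf '%s' "$1" | sed -e "s|%h|$3|g" -e "s|%u|$2|g")
    case $p in
        /*) printf '%s\n' "$p" ;;
        *)  printf '%s/%s\n' "$3" "$p" ;;   # relative paths start at the home directory
    esac
}

# authorized_keys_patterns CONFIG -> one pattern per line.
# The first AuthorizedKeysFile line wins; without one, sshd's defaults apply.
authorized_keys_patterns() {
    pats=$(awk 'tolower($1)=="authorizedkeysfile" { for (i=2;i<=NF;i++) print $i; exit }' "$1")
    if [ -z "$pats" ]; then
        pats=$(printf '%s\n%s' .ssh/authorized_keys .ssh/authorized_keys2)
    fi
    printf '%s\n' "$pats"
}

# open_key_paths CONFIG USER HOME -> every configured key file that exists and is non-empty
open_key_paths() {
    authorized_keys_patterns "$1" | while IFS= read -r pat; do
        if [ "$pat" != none ]; then
            f=$(expand_pattern "$pat" "$2" "$3")
            if [ -s "$f" ]; then printf '%s\n' "$f"; fi
        fi
    done
}

# demo: constructed tree with one key under ~/.ssh and one in a central directory
demo() {
    root=$(mktemp -d); home=$root/home/alice
    mkdir -p "$home/.ssh" "$root/etc/keys"
    echo 'ssh-ed25519 AAAA-constructed alice@example' > "$home/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAA-constructed alice@example' > "$root/etc/keys/alice"
    printf 'AuthorizedKeysFile .ssh/authorized_keys %s/etc/keys/%%u\n' "$root" > "$root/sshd_config"
    mv "$home/.ssh" "$home/.ssh.disabled"   # the rename suggested in the message
    open_key_paths "$root/sshd_config" alice "$home"
    rm -rf "$root"
}

demo   # prints only the central key file: that path is still open
```

Any path the script prints is a key file sshd can still use for that account, so it has to be removed or renamed as well before the key-based path is closed.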
Copyright © 2019 by DJ Delorie | Updated Jul 2019 |