Mail Archives: cygwin/2019/01/25/13:03:49

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/01/25/13:03:49

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; q=dns; s=default; b=Edbc83V

HqwAxD7SYOijQ4eKITnsh2I88Abo2EQiaK3aFHhaV6HS3B8KM6MpZ8XG+C4ICodM

BNz8IwKvzFFE9dzinB/GFvEx8ehAek7PXYD9eULtiVeZRf7mKmbd8JA49XYzMz7W

ipfufK7WC9vYIU3aRIEPRq3GOSm5AbnJkWWU=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:references:in-reply-to:from:date

:message-id:subject:to:content-type; s=default; bh=IBta/B/Ie8TtI

wTyEk5gFYZJTp8=; b=swnXti4e6X8tVEIkzo7Yt6a4r5pDfUrygpSkhitxZKLce

RnBWoh9Yng4wyIcI8m43AfC1Lvjtk5aCGeLMP+qpATs5cRIUd8A3CFeRoQWW8N30

sCrzEjM2ujr8VjtSRg8YsEWRjkyprrvTh/Ke+ihqxflxu2IuKAAIZPqa1hpgbs=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=disagree, 20000, Stephen, management

X-HELO: mout.gmx.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.com; s=dbd5af2cbaf7; t=1548439413; bh=TS1UvmqBopK55dxQQkqOZ8yxwh3GlrBbMQtnhXt+M50=; h=X-UI-Sender-Class:References:In-Reply-To:From:Date:Subject:To; b=xNKXly3C308lR+jA1DZg6YbqGnt0gm/ZoUi+XK9iFJVGgOBDVTJd058gh1qph+NOA 0r8ZM9KYiQincCLye3dZNFHBvdTSNBG69oV/mfOdM/fBF10Tj/kva1VmxCs3waVr6N vMLRU2t6oEz4DJHR8ZLe5emiaCJAQe4r5x//6krg=

X-UI-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79

MIME-Version: 1.0

References: <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <d6f98cbc-bd2f-1c13-98bb-7ef42c000115 AT baur-itcs DOT de> <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA AT mail DOT gmail DOT com> <20190125174833 DOT GA1710 AT zebra>

In-Reply-To: <20190125174833.GA1710@zebra>

From: Bill Stewart <bstewart AT iname DOT com>

Date: Fri, 25 Jan 2019 11:03:18 -0700

Message-ID: <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig@mail.gmail.com>

Subject: Re: sshd permits logon using disabled user?

To: cygwin AT cygwin DOT com

X-IsSubscribed: yes

On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier
<carrier AT berkeley DOT edu> wrote:

> There are different paths to access and to completely disable the account
> you need to close all of them.  There are many reasons to disable some
> paths without disabling all paths and converting the switch that can
> disable one path to a switch that will disable all paths will break
> some setups and be less flexible.  (As Stefan Baur is pointing out
> effectively.)
>
> To disable ssh logins really, instead of changing the way Cygwin works
> for everyone, you could do what UNIX/Linux admins do, something like
> moving the user .ssh folder to .ssh.disabled.

This is a very problematic view from a Windows system management perspective.

I respectfully (and strongly) disagree, for at least the following reasons:

* Cygwin runs on Windows, and as such should respect Windows security.
It is very unexpected, from a Windows administration perspective, to
have a disabled account and still be able to log onto it.

* Proper system management/security mitigation is made quite complex
with this requirement. Imagine even a small Windows domain: I have to
scan 20000 machines in my domain to find out if they're running ssh,
troll through the disks to find ssh config files, find out the key
file names, rename them, etc. This is quite a bit harder to do than
just disabling accounts, which in many organizations is handled by an
automated process.

Regards,

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=Edbc83V
	HqwAxD7SYOijQ4eKITnsh2I88Abo2EQiaK3aFHhaV6HS3B8KM6MpZ8XG+C4ICodM
	BNz8IwKvzFFE9dzinB/GFvEx8ehAek7PXYD9eULtiVeZRf7mKmbd8JA49XYzMz7W
	ipfufK7WC9vYIU3aRIEPRq3GOSm5AbnJkWWU=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; s=default; bh=IBta/B/Ie8TtI
	wTyEk5gFYZJTp8=; b=swnXti4e6X8tVEIkzo7Yt6a4r5pDfUrygpSkhitxZKLce
	RnBWoh9Yng4wyIcI8m43AfC1Lvjtk5aCGeLMP+qpATs5cRIUd8A3CFeRoQWW8N30
	sCrzEjM2ujr8VjtSRg8YsEWRjkyprrvTh/Ke+ihqxflxu2IuKAAIZPqa1hpgbs=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=disagree, 20000, Stephen, management
X-HELO:	mout.gmx.com
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/simple; d=mail.com; s=dbd5af2cbaf7; t=1548439413; bh=TS1UvmqBopK55dxQQkqOZ8yxwh3GlrBbMQtnhXt+M50=; h=X-UI-Sender-Class:References:In-Reply-To:From:Date:Subject:To; b=xNKXly3C308lR+jA1DZg6YbqGnt0gm/ZoUi+XK9iFJVGgOBDVTJd058gh1qph+NOA 0r8ZM9KYiQincCLye3dZNFHBvdTSNBG69oV/mfOdM/fBF10Tj/kva1VmxCs3waVr6N vMLRU2t6oEz4DJHR8ZLe5emiaCJAQe4r5x//6krg=
X-UI-Sender-Class:	214d933f-fd2f-45c7-a636-f5d79ae31a79
MIME-Version:	1.0
References:	<1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <d6f98cbc-bd2f-1c13-98bb-7ef42c000115 AT baur-itcs DOT de> <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA AT mail DOT gmail DOT com> <20190125174833 DOT GA1710 AT zebra>
In-Reply-To:	<20190125174833.GA1710@zebra>
From:	Bill Stewart <bstewart AT iname DOT com>
Date:	Fri, 25 Jan 2019 11:03:18 -0700
Message-ID:	<CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig@mail.gmail.com>
Subject:	Re: sshd permits logon using disabled user?
To:	cygwin AT cygwin DOT com
X-IsSubscribed:	yes