| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:subject:to:references:reply-to:from:message-id | |
| :date:mime-version:in-reply-to:content-type | |
| :content-transfer-encoding; q=dns; s=default; b=soCaYWSQMjnYL1sG | |
| 9F1slvhzkCJ06r03F9T3z8vTiryXZ42H1pzCsJEYc7HPnlWaORT2l+hQnBwFMajv | |
| Cpem1cso0qK7abCN/9+f1A9Jt/n5MdliTggE4QiKUINAg4ODQG8nJYgqUkKFx4mk | |
| 9IF3th9yu1M248ZfBw6Bg3R/1eU= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:subject:to:references:reply-to:from:message-id | |
| :date:mime-version:in-reply-to:content-type | |
| :content-transfer-encoding; s=default; bh=8Oe3woOMznm6/rh1NX2BIw | |
| NPZdI=; b=IZm3ICVYXA8vTMqsfzWS0sA4ygOMbDUMCldqzFszCJrZGNAc5DJ3C/ | |
| lME5ycYa+CVjE9F5wshn1Va++Ykp60F+ZyTwVnyi0vpIGmETeCJzPSAlBobwhjLS | |
| v/sxoSCrcSdD+uqYPbp0Do7H4HccFNBEIix39Q7OzvbL//UHPUXgM= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Spam-SWARE-Status: | No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=vulnerable, 20000, administration, carrier |
| X-HELO: | mout.gmx.net |
| Subject: | Re: sshd permits logon using disabled user? |
| To: | cygwin AT cygwin DOT com |
| References: | <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <d6f98cbc-bd2f-1c13-98bb-7ef42c000115 AT baur-itcs DOT de> <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA AT mail DOT gmail DOT com> <20190125174833 DOT GA1710 AT zebra> <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig AT mail DOT gmail DOT com> |
| Reply-To: | cygwin AT cygwin DOT com |
| From: | "Sam Edge (Cygwin)" <sam DOT edge DOT cygwin AT gmx DOT com> |
| Openpgp: | preference=signencrypt |
| Message-ID: | <d37a1aeb-913c-c773-b709-e68b54f28365@gmx.com> |
| Date: | Sun, 27 Jan 2019 17:49:17 +0000 |
| User-Agent: | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 |
| MIME-Version: | 1.0 |
| In-Reply-To: | <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig@mail.gmail.com> |
On 25/01/2019 18:03, Bill Stewart wrote: > On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier > <carrier AT berkeley DOT edu> wrote: > >> There are different paths to access and to completely disable the account >> you need to close all of them. There are many reasons to disable some >> paths without disabling all paths and converting the switch that can >> disable one path to a switch that will disable all paths will break >> some setups and be less flexible. (As Stefan Baur is pointing out >> effectively.) >> >> To disable ssh logins really, instead of changing the way Cygwin works >> for everyone, you could do what UNIX/Linux admins do, something like >> moving the user .ssh folder to .ssh.disabled. > This is a very problematic view from a Windows system management perspective. > > I respectfully (and strongly) disagree, for at least the following reasons: > > * Cygwin runs on Windows, and as such should respect Windows security. > It is very unexpected, from a Windows administration perspective, to > have a disabled account and still be able to log onto it. > > * Proper system management/security mitigation is made quite complex > with this requirement. Imagine even a small Windows domain: I have to > scan 20000 machines in my domain to find out if they're running ssh, > troll through the disks to find ssh config files, find out the key > file names, rename them, etc. This is quite a bit harder to do than > just disabling accounts, which in many organizations is handled by an > automated process. > > Regards, > > Bill I totally agree that Cygwin should respect the Windows disabled & locked-out semantics and disallow any form of login where either is set. Trying to shoe-horn the disabled password but enabled pubkey function into one or the other just doesn't feel right. Setting a hugely long random password (maybe via a script that never reveals said password) is a much better solution to achieve a similar effect without breaking Windows security auditing. On the other hand, I am baffled as to why Windows itself allows a token to be created for an account that is disabled or locked out. If Cygwin can do it, other programs could too so you're still vulnerable. -- Sam Edge -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |