Date: | Mon, 28 Jan 2019 10:59:47 +0100 |
From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
To: | Bill Stewart <bstewart AT iname DOT com> |
Cc: | cygwin AT cygwin DOT com |
Subject: | Re: sshd permits logon using disabled user? |
Message-ID: | <20190128095947.GN3912@calimero.vinschen.de> |
Reply-To: | cygwin AT cygwin DOT com |
Mail-Followup-To: | Bill Stewart <bstewart AT iname DOT com>, cygwin AT cygwin DOT com |
References: | <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <d6f98cbc-bd2f-1c13-98bb-7ef42c000115 AT baur-itcs DOT de> <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA AT mail DOT gmail DOT com> <20190125174833 DOT GA1710 AT zebra> <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig AT mail DOT gmail DOT com> |
MIME-Version: | 1.0 |
In-Reply-To: | <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig@mail.gmail.com> |
User-Agent: | Mutt/1.10.1 (2018-07-13) |
Bill,

On Jan 25 11:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier
> <carrier AT berkeley DOT edu> wrote:
>
> > There are different paths to access and to completely disable the account
> > you need to close all of them. There are many reasons to disable some
> > paths without disabling all paths and converting the switch that can
> > disable one path to a switch that will disable all paths will break
> > some setups and be less flexible. (As Stefan Baur is pointing out
> > effectively.)
> >
> > To disable ssh logins really, instead of changing the way Cygwin works
> > for everyone, you could do what UNIX/Linux admins do, something like
> > moving the user .ssh folder to .ssh.disabled.
>
> This is a very problematic view from a Windows system management perspective.
>
> I respectfully (and strongly) disagree, for at least the following reasons:
>
> * Cygwin runs on Windows, and as such should respect Windows security.
> It is very unexpected, from a Windows administration perspective, to
> have a disabled account and still be able to log onto it.
>
> * Proper system management/security mitigation is made quite complex
> with this requirement. Imagine even a small Windows domain: I have to
> scan 20000 machines in my domain to find out if they're running ssh,
> troll through the disks to find ssh config files, find out the key
> file names, rename them, etc. This is quite a bit harder to do than
> just disabling accounts, which in many organizations is handled by an
> automated process.

Can you please test again with the latest snapshot from
https://cygwin.com/snapshots/?

The new S4U authentication method used in this snapshot automatically
applies the Windows account rules so in my testing the patch I applied
originally is not required anymore.

Consequentially I disabled it to rely fully on the Windows function's
behaviour.

Can you test this, too, please, just to be sure?

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
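The thread above turns on one condition: a Windows account that is disabled but still has SSH public keys installed under a Cygwin home, so that an sshd build without the S4U-based account checks would still accept the key. The PowerShell below is an added example, not code from the thread or from the Cygwin project. It audits the local machine for exactly that condition and, optionally, applies the per-user mitigation Stephen Paul Carrier describes (renaming `.ssh` to `.ssh.disabled`). It assumes the default Cygwin install root `C:\cygwin64` with homes under `home\<user>`; if your `/etc/nsswitch.conf` maps home directories elsewhere, adjust `$CygwinRoot` or the path template. `Get-LocalUser` only covers local accounts, so domain accounts would need the same check driven from `Get-ADUser`.

```powershell
# Added example (not part of the original thread): report disabled local
# Windows accounts that still have an SSH authorized_keys file under their
# Cygwin home, and optionally rename the .ssh directory to .ssh.disabled.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: default Cygwin 64-bit install root and /home/<user> layout.
    [string]$CygwinRoot = 'C:\cygwin64',
    # When set, apply the rename described in the thread (honours -WhatIf).
    [switch]$Remediate
)

# Get-LocalUser exists on Windows 10 / Server 2016 and later.
$disabledUsers = Get-LocalUser | Where-Object { -not $_.Enabled }

foreach ($user in $disabledUsers) {
    $sshDir  = Join-Path $CygwinRoot ("home\{0}\.ssh" -f $user.Name)
    $keyFile = Join-Path $sshDir 'authorized_keys'

    if (-not (Test-Path -LiteralPath $keyFile)) {
        continue   # disabled account with no installed keys: nothing to report
    }

    # Emit a finding object so the output can be piped to Export-Csv etc.
    [pscustomobject]@{
        User           = $user.Name
        AuthorizedKeys = $keyFile
        Finding        = 'Disabled account still has SSH public keys installed'
    }

    if ($Remediate) {
        $target = "$sshDir.disabled"
        if (Test-Path -LiteralPath $target) {
            Write-Warning "$target already exists; skipping rename for $($user.Name)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($sshDir, "Rename to $target")) {
            Rename-Item -LiteralPath $sshDir -NewName '.ssh.disabled'
        }
    }
}
```

Run it as `.\Audit-DisabledSshUsers.ps1` to list findings, and `.\Audit-DisabledSshUsers.ps1 -Remediate -WhatIf` to preview the renames before applying them. Note that this only closes the public-key path; the thread's point is that with the S4U snapshot the disabled-account state is enforced by Windows itself, which is the check an administrator should rely on rather than hunting key files across every host.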
Copyright © 2019 by DJ Delorie | Updated Jul 2019 |