Date: Thu, 24 Jan 2019 16:45:33 +0100
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: Bill Stewart <bstewart@iname.com>
Cc: cygwin@cygwin.com
Subject: Re: sshd permits logon using disabled user?
Message-ID: <20190124154533.GK2802@calimero.vinschen.de>

On Jan 24 06:28, Bill Stewart wrote:
> I am running Windows 10 (1803) and experimenting with sshd installed as a
> Windows service.
>
> The computer is a domain member. I created a local computer account for
> testing.
>
> I created host keys and a public/private key pair to use to log on the user.
>
> This works, except I notice that if I disable the Windows user account, I
> can still log on using ssh using that account.
>
> In the shell, logged on as the disabled user, the 'whoami' command returns
> the name of the disabled user.
>
> This seems unexpected and not good.
>
> Why does sshd allow logon for a disabled user?

Because the underlying Cygwin function responsible for changing the user
account only checks if the account exists.  It does not check for any of
the flags in the user DB.  Yet.

I pushed a patch to disallow changing the user account to a disabled or
locked out account.

I just uploaded new developer snapshots containing this change to
https://cygwin.com/snapshots/

Please give them a try.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
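
The difference the reply describes, between a check that only asks whether the account exists and one that also reads the flags in the user DB, as an added C sketch. It is not the Cygwin patch or code from this thread; the function and enum names are hypothetical, and it assumes a local account looked up on the local machine with the Windows `NetUserGetInfo` call.

```c
/* Added illustration, not the Cygwin patch. Function and enum names are
   hypothetical; NetUserGetInfo and the UF_* flags are the Windows API. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>                      /* link with netapi32 */
#else                                /* lm.h values, so the logic builds anywhere */
#define UF_ACCOUNTDISABLE 0x0002
#define UF_LOCKOUT        0x0010
#define UF_NORMAL_ACCOUNT 0x0200
#endif

enum logon_check { LOGON_OK, LOGON_UNKNOWN, LOGON_DISABLED, LOGON_LOCKED };

/* Behaviour described in the mail: existence alone is enough. */
enum logon_check exists_only_check(int found)
{
    return found ? LOGON_OK : LOGON_UNKNOWN;
}

/* Existence plus the user-DB flags: disabled and locked-out are refused. */
enum logon_check check_account_flags(int found, unsigned long flags)
{
    if (!found)                    return LOGON_UNKNOWN;
    if (flags & UF_ACCOUNTDISABLE) return LOGON_DISABLED;
    if (flags & UF_LOCKOUT)        return LOGON_LOCKED;
    return LOGON_OK;
}

#ifdef _WIN32
/* Read the flags of a local account; any lookup error fails closed. */
enum logon_check check_local_account(const wchar_t *name)
{
    USER_INFO_1 *ui = NULL;
    enum logon_check rc;
    if (NetUserGetInfo(NULL, name, 1, (LPBYTE *)&ui) != NERR_Success)
        return LOGON_UNKNOWN;
    rc = check_account_flags(1, ui->usri1_flags);
    NetApiBufferFree(ui);
    return rc;
}
#endif

int main(void)
{
    /* Constructed flag word for a disabled normal account */
    unsigned long disabled = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE;
    printf("exists-only: %d, with flags: %d\n",
           exists_only_check(1), check_account_flags(1, disabled));
    return 0;
}
```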

