Date: Thu, 24 Jan 2019 17:36:12 +0100
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: sshd permits logon using disabled user?

On Jan 24 17:16, Stefan Baur wrote:
> On 24.01.19 at 16:59, Corinna Vinschen wrote:
> > I think refusing an account manually and deliberately disabled by an
> > admin makes lots of sense.
> >
> > I'm not so sure about locked out accounts.  This might need some
> > discussion.
>
> It's been a while since I did Windows administration, so I can't really
> make a recommendation here ... BUT:
>
> If an admin can lock out an account (separately from disabling it
> entirely), say, by setting an initial password, checking the "user must
> change password on first login", and also checking "user is not allowed
> to change password" simultaneously (if that's possible), or, say, by
> just setting a random password without telling it to anyone ever,
> followed by firing so many login attempts at the account that it gets
> locked out, then telling them apart and treating locked out accounts
> differently would make sense, IMO.

This description sounds extremely artificial to me.  We should work under
the assumption that the admin is the good guy.  Usually a user locks
itself out, or is locked out by a malicious login attempt.  The admin
can only define rules for locking out, other than that she can only
remove the "account locked" flag.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

