X-Recipient: archive-cygwin@delorie.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-type; q=dns; s=default; b=WHQiRzP 9eSTmZxlIXdFEaMYpD98Si5o57uCNvkCbl5d0QbjZyCvMU4iTlemx/LmZfNjko3A Sna83UP8ARKHmSkosnlEuGHdfwUVnYwPFVHdpsZIzNzKUU9XaSjjXwQ73RzxU6Jn 4EJqJPBMaU93dNp4rqBDaeWGn9NQonKlJuLM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-type; s=default; bh=zQ0QRFwd8mpuZ CcabXk9pNjiiIY=; b=UCb5MFyHxKS5nhpAWyLGiswd7669abdZUY041jlL/MQLN J+p3ZYOZgfoGfyyD4z3TDc8G/3Z4ZQPLC434NBOijtsZp2A1wJTLSdlOiUanScpz FKhiysINYIkx9T49blesYCOG6yUC+WNtZF7s1ulkoD1QSmlu7Qp0E+2kQTC7xk= Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=H*c:alternative, guy, she X-HELO: mout.gmx.com X-UI-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79 MIME-Version: 1.0 References: <20190124154533.GK2802@calimero.vinschen.de> In-Reply-To: <20190124154533.GK2802@calimero.vinschen.de> From: Bill Stewart Date: Thu, 24 Jan 2019 10:52:27 -0700 Message-ID: Subject: Re: sshd permits logon using disabled user? To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes Corinna Vinschen wrote: > This description sounds extremly artificial to me. We should work under the > assumption that the admin is the good guy. Usually a user locks itself out, > or is locked out by a malicious login attempt. The admin can only define > rules for locking out, other than that she can only remove the "account > locked" flag. This is correct. From a Windows perspective, "disabled" (UF_ACCOUNTDISABLE) means "account cannot be used to log on," and "locked out" (UF_LOCKOUT) means "there were too many bad password attempts, so the account is locked and cannot be used to log on at this time." The administrator can specify whether the UF_LOCKOUT duration is indefinite (this is usually not recommended, because this can be used for DoS) or not. Only an administrator (or a user with appropriate permissions) can set or clear UF_ACCOUNTDISABLE. It is used to prevent _any_ use of the account. UF_LOCKOUT is _only_ set by bad password attempts (the number of bad attempts is set by policy) and is not really intended to be used for any other purpose. UF_LOCKOUT can be cleared by an administrator (or user with appropriate permissions), or the system can clear it automatically after some duration (specified by policy), or it can be indefinite (although, as previously noted, this is not usually recommended). If you want to have an account that does not require a password, there is a separate flag for that - PASSWD_NOTREQD - although setting this may be prohibited by policy. So basically Corinna's idea is correct: If UF_ACCOUNTDISABLE or UF_LOCKOUT are set, the account should not allow logon. Regards, Bill -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple