Subject: Re: sshd permits logon using disabled user?
To: cygwin@cygwin.com
References: <1690850474.834980.1548391349102.ref@mail.yahoo.com> <1690850474.834980.1548391349102@mail.yahoo.com>
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Message-ID: <d6f98cbc-bd2f-1c13-98bb-7ef42c000115@baur-itcs.de>
Date: Fri, 25 Jan 2019 11:36:32 +0100
In-Reply-To: <1690850474.834980.1548391349102@mail.yahoo.com>

On 25.01.19 at 05:42, matthew patton via cygwin wrote:
> Why is this even a discussion? You *ALWAYS* refuse a login to an account that is disabled, locked out, or has an expired password or failed any of the other criteria that might be in effect (day/time restrictions, source IP restrictions, etc.)

Not on Linux (and possibly other Unices).  There, it's perfectly valid
to disable an account's password login (both locally and remote), but to
at the same time allow ssh key file based logins for the same account.

Since cygwin aims to be Linux-/POSIX-compatible to a certain degree, it
is indeed worthy of discussion - even if the final decision might be to
just block logins completely, even with an ssh key pair.

Before Corinna pushed her fix, it was possible to log in via SSH key,
even when the account was locked out/disabled.  Someone might have been
using that "feature" on cygwin, knowing it from Linux, where it is
indeed a feature/design choice.

If this fix hits stable, the same people might be wondering why their
ssh logins fail all of a sudden.

This could be a scenario for scripted uploads via rsync/scp/sftp, for
example, where people are using ssh keys locked down to certain
commands.  You just don't want that user account to be able to log in
with only a password, ever - because the only reason that would happen
would be an account compromise.  And because of that, having a "there is
no valid password for this account, you can try as hard as you like"
setting makes more sense than just setting a long and complex password
that hopefully no one ever guesses/bruteforces/sidechannel-hacks/...

Kind Regards,
Stefan Baur


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registration court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
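The Linux setup the reply describes (password login disabled for an account, key-based login with a forced command still allowed) as an added shell example. This is not code from the cygwin list, from Cygwin or from the OpenSSH project; the shadow lines, the key blob and the day count used as "today" are constructed for illustration, and the account name `upload` and the `/srv/incoming` path are assumptions. It models the two distinct states that get conflated in the thread: a locked password hash (`!` prefix, as written by `passwd -l` / `usermod -L`) and an expired account (field 8 of /etc/shadow, as set by `chage -E` / `usermod -e`), and how OpenSSH's portable sshd treats each for publickey logins depending on `UsePAM`.

```shell
#!/bin/sh
# Added example (not from the cygwin list, Cygwin or OpenSSH). Everything below
# is constructed: the /etc/shadow excerpt, the key blob and the "today" values.

# Constructed /etc/shadow excerpt. Field 2 is the hash: a leading '!' is what
# 'passwd -l' / 'usermod -L' write (password locked), a bare '*' means no
# password was ever set. Field 8 is the account expiry day (days since
# 1970-01-01) as set by 'chage -E' / 'usermod -e'; empty means never expires.
SAMPLE_SHADOW='upload:!$6$saltsalt$fakehash:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
olduser:$6$saltsalt$fakehash:18000:0:99999:7::18500:
alice:$6$saltsalt$fakehash:19000:0:99999:7:::'

# shadow_state USER TODAY -> "active", "password-locked", "no-password",
# "account-expired" or "password-locked,account-expired".
shadow_state() {
    user=$1
    today=$2
    line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$user:") || {
        echo "no-such-user"
        return 1
    }
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    state=""
    case $hash in
        '!'*) state="password-locked" ;;
        '*')  state="no-password" ;;
    esac
    # Locking the password does not expire the account; an expiry day in the
    # past does, and that is a different switch from the password hash.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        state="${state:+$state,}account-expired"
    fi
    echo "${state:-active}"
}

# sshd_key_login_allowed USER TODAY USEPAM -> "yes" or "no", modelling portable
# OpenSSH: an expired account is refused whatever UsePAM is set to; a '!'-locked
# hash is refused by sshd's own locked-account check only when UsePAM is "no",
# while with UsePAM "yes" that check is skipped and the lock affects password
# authentication alone, so publickey still works (the Linux behaviour the reply
# describes).
sshd_key_login_allowed() {
    st=$(shadow_state "$1" "$2") || { echo "no"; return; }
    case $st in
        *account-expired*) echo "no" ;;
        password-locked)   [ "$3" = "yes" ] && echo "yes" || echo "no" ;;
        *)                 echo "yes" ;;
    esac
}

# restricted_key_line CMD PUBKEY -> one authorized_keys line for a scripted
# upload account. 'restrict' (OpenSSH 7.2+) disables pty, port, agent and X11
# forwarding; command= runs CMD regardless of what the client asked for and
# leaves the client's request in $SSH_ORIGINAL_COMMAND for CMD to inspect.
restricted_key_line() {
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# sshd_match_block USER -> sshd_config fragment that refuses password and
# keyboard-interactive auth for USER whatever the global settings say, so a
# guessed or leaked password can never be the way in for this account.
sshd_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    PasswordAuthentication no\n'
    printf '    KbdInteractiveAuthentication no\n'
    printf '    AuthenticationMethods publickey\n'
}

# Demo when run directly. rrsync ships in rsync's support/ directory; -wo makes
# the module write-only. The key blob is constructed, 19100 is a made-up today.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobForIllustration0nly upload@example'
restricted_key_line 'rrsync -wo /srv/incoming' "$KEY"
sshd_match_block upload
for u in upload svc olduser alice; do
    printf '%-8s %-32s key-login UsePAM=yes:%s UsePAM=no:%s\n' \
        "$u" "$(shadow_state "$u" 19100)" \
        "$(sshd_key_login_allowed "$u" 19100 yes)" \
        "$(sshd_key_login_allowed "$u" 19100 no)"
done
```

The practical reading: on a Linux host, `passwd -l upload` plus the `Match User` block above gives the "no valid password for this account, keys only" setup the reply argues for, but only as long as sshd runs with `UsePAM yes` (the default on the common distributions); with `UsePAM no` sshd logs "not allowed because account is locked" and rejects the key as well. If the intent is to disable the account outright, keys included, expire it (`chage -E 0 upload`) rather than relying on the password lock, and verify with `chage -l upload`.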
