From: Stephen Paul Carrier <carrier@berkeley.edu>
Date: Fri, 25 Jan 2019 09:48:33 -0800
To: cygwin@cygwin.com
Subject: Re: sshd permits logon using disabled user?

On Fri, Jan 25, 2019 at 08:34:09AM -0700, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 3:36 AM Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
> 
> > Not on Linux (and possibly other Unices).  There, it's perfectly valid
> > to disable an account's password login (both locally and remote), but to
> > at the same time allow ssh key file based logins for the same account.
> 
> But disabling _password login_ is an entirely separate issue from
> disabling _the account itself_.
> 
> Before the fix, it was possible to log on to sshd using a disabled (or
> locked) account.
> 
> There should be _no_ scenario where it is possible to log on using a
> disabled/locked account.

There are different paths to access, and to completely disable the account
you need to close all of them.  There are many reasons to disable some
paths without disabling all paths, and converting the switch that can
disable one path to a switch that will disable all paths will break
some setups and be less flexible.  (As Stefan Baur is pointing out
effectively.)

To disable ssh logins really, instead of changing the way Cygwin works
for everyone, you could do what UNIX/Linux admins do, something like
moving the user's .ssh folder to .ssh.disabled.

Stephen Carrier
Systems Administrator 
BEAR (Berkeley Evaluation & Assessment Research) Center
Graduate School of Education
University of California, Berkeley
http://BEARcenter.Berkeley.EDU/
carrier@Berkeley.EDU
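
Added example, not part of the original message: a small shell audit that treats the password and the SSH key as separate access paths on a Linux host, as the thread describes, and reports each one for an account. The function names, the sample shadow(5) line and the temporary home directory are constructed for illustration, and the key check assumes sshd's default AuthorizedKeysFile location.

```shell
#!/bin/sh
# Added example: report which login paths are still open for one account.

# password_path SHADOW_LINE -> "closed" if the shadow(5) hash field is locked
password_path() {
    pw_hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw_hash" in
        '!'*|'*'*) echo closed ;;   # leading ! or * : no password can match
        *)         echo open ;;
    esac
}

# key_path HOME -> "open" if an authorized_keys file holds at least one entry
# Assumption: sshd uses the default AuthorizedKeysFile (.ssh/authorized_keys).
key_path() {
    keys_file="$1/.ssh/authorized_keys"
    if [ -f "$keys_file" ] && grep -Eqv '^[[:space:]]*(#|$)' "$keys_file"; then
        echo open
    else
        echo closed
    fi
}

# audit_account SHADOW_LINE HOME -> one summary line per account
audit_account() {
    acct=$(printf '%s\n' "$1" | cut -d: -f1)
    echo "$acct password=$(password_path "$1") sshkey=$(key_path "$2")"
}

# close_key_path HOME -> the rename suggested in the message above
close_key_path() {
    if [ -d "$1/.ssh" ]; then
        mv "$1/.ssh" "$1/.ssh.disabled"
    fi
}

# Constructed sample: a password-locked account that still has a key installed.
demo() {
    demo_home=$(mktemp -d)
    mkdir "$demo_home/.ssh"
    echo 'ssh-ed25519 AAAA-constructed-key alice@example' > "$demo_home/.ssh/authorized_keys"
    demo_line='alice:!$6$constructed$hash:17900:0:99999:7:::'
    audit_account "$demo_line" "$demo_home"
    close_key_path "$demo_home"
    audit_account "$demo_line" "$demo_home"
    rm -rf "$demo_home"
}
demo
```

The first line of output shows the password path closed while the key path is still open; after the rename both paths report closed.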


