Date: Thu, 24 Jan 2019 16:45:33 +0100
From: Corinna Vinschen
To: Bill Stewart
Cc: cygwin AT cygwin DOT com
Subject: Re: sshd permits logon using disabled user?
Message-ID: <20190124154533.GK2802@calimero.vinschen.de>

On Jan 24 06:28, Bill Stewart wrote:
> I am running Windows 10 (1803) and experimenting with sshd installed as a
> Windows service.
>
> The computer is a domain member. I created a local computer account for
> testing.
>
> I created host keys and a public/private key pair to use to log on the user.
>
> This works, except I notice that if I disable the Windows user account, I
> can still log on using ssh using that account.
>
> In the shell, logged on as the disabled user, the 'whoami' command returns
> the name of the disabled user.
>
> This seems unexpected and not good.
>
> Why does sshd allow logon for a disabled user?

Because the underlying Cygwin function responsible for changing the user
account only checks if the account exists. It does not check for any
of the flags in the user DB. Yet.

I pushed a patch to disallow changing the user account to a disabled
or locked out account. I just uploaded new developer snapshots
containing this change to https://cygwin.com/snapshots/

Please give them a try.

Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
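
The difference between an existence-only check and one that also honours the account flags, as an added example that is not part of the original message and is not Cygwin's code. The user table and function names are constructed for illustration; the `UF_*` values are the ones defined in the Windows SDK header `lmaccess.h`.

```c
#include <stdio.h>
#include <string.h>

/* Real values from the Windows SDK header lmaccess.h. On Windows these bits
   arrive in USER_INFO_1.usri1_flags from NetUserGetInfo(). */
#define UF_ACCOUNTDISABLE 0x0002
#define UF_LOCKOUT        0x0010
#define UF_NORMAL_ACCOUNT 0x0200

struct user_rec { const char *name; unsigned long flags; };

/* Constructed sample user DB standing in for the real account lookup. */
static const struct user_rec user_db[] = {
    { "alice",    UF_NORMAL_ACCOUNT },
    { "testuser", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE },
    { "bob",      UF_NORMAL_ACCOUNT | UF_LOCKOUT },
};

static const struct user_rec *lookup_user(const char *name)
{
    for (size_t i = 0; i < sizeof user_db / sizeof user_db[0]; i++)
        if (strcmp(user_db[i].name, name) == 0)
            return &user_db[i];
    return NULL;
}

/* Behaviour described in the message: existence is the only test, so a
   valid key for a disabled account still yields a session. */
int may_switch_exists_only(const char *name)
{
    return lookup_user(name) != NULL;
}

/* Hardened form: the account must exist and be neither disabled nor locked out. */
int may_switch_checked(const char *name)
{
    const struct user_rec *u = lookup_user(name);
    if (u == NULL)
        return 0;
    return (u->flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT)) == 0;
}

int main(void)
{
    const char *names[] = { "alice", "testuser", "bob", "nobody" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s exists-only=%d checked=%d\n", names[i],
               may_switch_exists_only(names[i]), may_switch_checked(names[i]));
    return 0;
}
```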