Subject: Re: sshd permits logon using disabled user?
To: cygwin AT cygwin DOT com
From: Stefan Baur
Date: Thu, 24 Jan 2019 17:16:37 +0100

On 24.01.19 at 16:59, Corinna Vinschen wrote:
> I think refusing an account manually and deliberately disabled by an
> admin makes lots of sense.
>
> I'm not so sure about locked out accounts. This might need some
> discussion.

It's been a while since I did Windows administration, so I can't really
make a recommendation here ...

BUT: If an admin can lock out an account (separately from disabling it
entirely), say, by setting an initial password, checking the "user must
change password on first login", and also checking "user is not allowed
to change password" simultaneously (if that's possible), or, say, by
just setting a random password without telling it to anyone ever,
followed by firing so many login attempts at the account that it gets
locked out, then telling them apart and treating locked out accounts
differently would make sense, IMO.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243