X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=jyf5ExIj2SuwDAEs3ujtc7eLUNCP4rqjN6dplEaiipz6TVDQtRlp+
	SDuqDFbG4rirs0RPamof0DgcRW71AF8o7bpMMA5W1I6qb5zgh6hDuSgo/vMrwxgd
	8UpEB/jBg0uyq4CZVtbqz0RTsdNovTeqV7rEGVksOlgVKpO3P04Il8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=LU4r+pxlUGRr5b0yUUiVfWj/JNE=; b=SlCzuXT/0W3VKAfLA1OE7uX/2gKh
	4evE7zsxIi8vztbMMkgfzUacBcCtGc096Vuh7Fz3WgS6f5IExFepE4hFVutQb2mo
	xafOxOTA/z+7ht7pTP+3n7g7zg4s5PFUN+wYRPo1UJD51HXQADmVRITxFYeZGb76
	dMlza1YbySXN9wE=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-100.9 required=5.0 tests=BAYES_00,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 spammy=she, malicious, BUT, guy
X-HELO: mout.kundenserver.de
Date: Thu, 24 Jan 2019 17:36:12 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: sshd permits logon using disabled user?
Message-ID: <20190124163612.GM2802@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <CANV9t=SSyof86c5Yz3tNhwj4To=eKnrmveQcr59ZmMY-X9_txA AT mail DOT gmail DOT com> <20190124154533 DOT GK2802 AT calimero DOT vinschen DOT de> <2b348ac3-63d1-2cd3-430d-2568d650a583 AT baur-itcs DOT de> <20190124155918 DOT GL2802 AT calimero DOT vinschen DOT de> <51ded8a7-ffc0-c1b0-8bb6-8d2f5870ec68 AT baur-itcs DOT de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;	protocol="application/pgp-signature"; boundary="bAwSoJxbKYwy34Oe"
Content-Disposition: inline
In-Reply-To: <51ded8a7-ffc0-c1b0-8bb6-8d2f5870ec68@baur-itcs.de>
User-Agent: Mutt/1.10.1 (2018-07-13)

--bAwSoJxbKYwy34Oe
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Jan 24 17:16, Stefan Baur wrote:
> Am 24.01.19 um 16:59 schrieb Corinna Vinschen:
> > I think refusing an account manually and deliberately disabled by an
> > admin makes lots of sense.
> >=20
> > I'm not so sure about locked out accounts.  THis might need some
> > discussion.
>=20
> It's been a while since I did Windows administration, so I can't really
> make a recommendation here ... BUT:
>=20
> If an admin can lock out an account (separately from disabling it
> entirely), say, by setting an initial password, checking the "user must
> change password on first login", and also checking "user is not allowed
> to change password" simultaneously (if that's possible), or, say, by
> just setting a random password without telling it to anyone ever,
> followed by firing so many login attempts at the account that it gets
> locked out, then telling them apart and treating locked out accounts
> differently would make sense, IMO.

This description sounds extremly artificial to me.  We should work under
the assumption that the admin is the good guy.  Usually a user locks
itself out, or is locked out by a malicious login attempt.  The admin
can only define rules for locking out, other than that she can only
remove the "account locked" flag.


Corinna

--=20
Corinna Vinschen
Cygwin Maintainer

--bAwSoJxbKYwy34Oe
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlxJ6XwACgkQ9TYGna5E
T6DUgxAAnWvVkSsoiN/jzQtjhfstKdz9YJ9kV3Bkob5ojALRHpYM2qQsg1DeTUyg
rMN/uwGt1i3ZqMKs4yWe1p8ZeHfy2DMkS0M4qyrFNyPVBuq5chwWkgkMhGkOJgYu
v4WE8lizT6zewAcid6gFas2hYNjH8fh9xwlQzSEPURNt3YYkvosyMw9LdZZbvmHM
UH3gHpEWomB31DcbZYk7nq+8Z07innJPGGKRqfbOqGCO40Eg/1zrZJ3iZWkZdmc8
21cdAolM27oxC1jcMJiWXr5EeDNm/WZKGlsR4kBkIq75Xb+KEbEZvMDqlaIFINE0
zvUVJmYUnoW3WMnZTyLHTUDnb6ANJNGDBYOMA0YrseiztQHpM0QwVfHVPXZZ8ga1
Lt3L7qzCywOa5JP5Qej1i2A8x/LMIAZW8GN8Txx1cikNgrXD3HhdyqlHtonLdK6K
V9i5tWvX1hS2AaMKU5bbzRkegbqvb0XDeRapU1l4oPSoonyqrQ1F5PI8XfXRwTOX
uNrhH2t4oao0xloVl+dxLx8SwuvPtjZiDihDGq8OxaP/6ShM7OyvltimIWAnp+U9
GcubWT292tbXiUYnQVxQ1qEsvF11uVcI+tr+HG2l0usR73qFi/F2SeJih905oI9h
9NeEQBO6hMaObZxmTq5i/yXW9pPnzW0dsb2QgtyVtWbFYXXxWlI=
=8Aj5
-----END PGP SIGNATURE-----

--bAwSoJxbKYwy34Oe--