X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=WHQiRzP
	9eSTmZxlIXdFEaMYpD98Si5o57uCNvkCbl5d0QbjZyCvMU4iTlemx/LmZfNjko3A
	Sna83UP8ARKHmSkosnlEuGHdfwUVnYwPFVHdpsZIzNzKUU9XaSjjXwQ73RzxU6Jn
	4EJqJPBMaU93dNp4rqBDaeWGn9NQonKlJuLM=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; s=default; bh=zQ0QRFwd8mpuZ
	CcabXk9pNjiiIY=; b=UCb5MFyHxKS5nhpAWyLGiswd7669abdZUY041jlL/MQLN
	J+p3ZYOZgfoGfyyD4z3TDc8G/3Z4ZQPLC434NBOijtsZp2A1wJTLSdlOiUanScpz
	FKhiysINYIkx9T49blesYCOG6yUC+WNtZF7s1ulkoD1QSmlu7Qp0E+2kQTC7xk=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=H*c:alternative, guy, she
X-HELO: mout.gmx.com
X-UI-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79
MIME-Version: 1.0
References: <CANV9t=SSyof86c5Yz3tNhwj4To=eKnrmveQcr59ZmMY-X9_txA AT mail DOT gmail DOT com> <20190124154533 DOT GK2802 AT calimero DOT vinschen DOT de>
In-Reply-To: <20190124154533.GK2802@calimero.vinschen.de>
From: Bill Stewart <bstewart AT iname DOT com>
Date: Thu, 24 Jan 2019 10:52:27 -0700
Message-ID: <CANV9t=RtGmpkogw0J7oCME+f4GNkeWo=QSJZFA_jOqyBxPLLdw@mail.gmail.com>
Subject: Re: sshd permits logon using disabled user?
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset="UTF-8"
X-IsSubscribed: yes

Corinna Vinschen wrote:

> This description sounds extremly artificial to me.  We should work under
the
> assumption that the admin is the good guy.  Usually a user locks itself
out,
> or is locked out by a malicious login attempt.  The admin can only define
> rules for locking out, other than that she can only remove the "account
> locked" flag.

This is correct.

From a Windows perspective, "disabled" (UF_ACCOUNTDISABLE) means "account
cannot be used to log on," and "locked out" (UF_LOCKOUT) means "there were
too many bad password attempts, so the account is locked and cannot be used
to log on at this time." The administrator can specify whether the
UF_LOCKOUT duration is indefinite (this is usually not recommended, because
this can be used for DoS) or not.

Only an administrator (or a user with appropriate permissions) can set or
clear UF_ACCOUNTDISABLE. It is used to prevent _any_ use of the account.

UF_LOCKOUT is _only_ set by bad password attempts (the number of bad
attempts is set by policy) and is not really intended to be used for any
other purpose. UF_LOCKOUT can be cleared by an administrator (or user with
appropriate permissions), or the system can clear it automatically after
some duration (specified by policy), or it can be indefinite (although, as
previously noted, this is not usually recommended).

If you want to have an account that does not require a password, there is a
separate flag for that - PASSWD_NOTREQD - although setting this may be
prohibited by policy.

So basically Corinna's idea is correct: If UF_ACCOUNTDISABLE or UF_LOCKOUT
are set, the account should not allow logon.

Regards,

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple