X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:reply-to:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=soCaYWSQMjnYL1sG
	9F1slvhzkCJ06r03F9T3z8vTiryXZ42H1pzCsJEYc7HPnlWaORT2l+hQnBwFMajv
	Cpem1cso0qK7abCN/9+f1A9Jt/n5MdliTggE4QiKUINAg4ODQG8nJYgqUkKFx4mk
	9IF3th9yu1M248ZfBw6Bg3R/1eU=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:reply-to:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=8Oe3woOMznm6/rh1NX2BIw
	NPZdI=; b=IZm3ICVYXA8vTMqsfzWS0sA4ygOMbDUMCldqzFszCJrZGNAc5DJ3C/
	lME5ycYa+CVjE9F5wshn1Va++Ykp60F+ZyTwVnyi0vpIGmETeCJzPSAlBobwhjLS
	v/sxoSCrcSdD+uqYPbp0Do7H4HccFNBEIix39Q7OzvbL//UHPUXgM=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=vulnerable, 20000, administration, carrier
X-HELO: mout.gmx.net
Subject: Re: sshd permits logon using disabled user?
To: cygwin AT cygwin DOT com
References: <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <d6f98cbc-bd2f-1c13-98bb-7ef42c000115 AT baur-itcs DOT de> <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA AT mail DOT gmail DOT com> <20190125174833 DOT GA1710 AT zebra> <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig AT mail DOT gmail DOT com>
Reply-To: cygwin AT cygwin DOT com
From: "Sam Edge (Cygwin)" <sam DOT edge DOT cygwin AT gmx DOT com>
Openpgp: preference=signencrypt
Message-ID: <d37a1aeb-913c-c773-b709-e68b54f28365@gmx.com>
Date: Sun, 27 Jan 2019 17:49:17 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

On 25/01/2019 18:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier
> <carrier AT berkeley DOT edu> wrote:
>
>> There are different paths to access and to completely disable the account
>> you need to close all of them.  There are many reasons to disable some
>> paths without disabling all paths and converting the switch that can
>> disable one path to a switch that will disable all paths will break
>> some setups and be less flexible.  (As Stefan Baur is pointing out
>> effectively.)
>>
>> To disable ssh logins really, instead of changing the way Cygwin works
>> for everyone, you could do what UNIX/Linux admins do, something like
>> moving the user .ssh folder to .ssh.disabled.
> This is a very problematic view from a Windows system management perspective.
>
> I respectfully (and strongly) disagree, for at least the following reasons:
>
> * Cygwin runs on Windows, and as such should respect Windows security.
> It is very unexpected, from a Windows administration perspective, to
> have a disabled account and still be able to log onto it.
>
> * Proper system management/security mitigation is made quite complex
> with this requirement. Imagine even a small Windows domain: I have to
> scan 20000 machines in my domain to find out if they're running ssh,
> troll through the disks to find ssh config files, find out the key
> file names, rename them, etc. This is quite a bit harder to do than
> just disabling accounts, which in many organizations is handled by an
> automated process.
>
> Regards,
>
> Bill


I totally agree that Cygwin should respect the Windows disabled &
locked-out semantics and disallow any form of login where either is set.
Trying to shoe-horn the disabled password but enabled pubkey function
into one or the other just doesn't feel right. Setting a hugely long
random password (maybe via a script that never reveals said password) is
a much better solution to achieve a similar effect without breaking
Windows security auditing.

On the other hand, I am baffled as to why Windows itself allows a token
to be created for an account that is disabled or locked out. If Cygwin
can do it, other programs could too so you're still vulnerable.

-- 
Sam Edge


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple