X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=stF15F6IkmU7GTljdOAFnln1g9z7s9kyE4JnFOCyOfnGh6iYZ58If MsGy52kxBYlgXYtE6K+IkqDCETTqvlu/oxsE2ZkKW1wMoYjkeZtfMSQ8RZgZPohm Q8ByxF+SCNReoPiFvkgOlNn3fXfbiAf9YUA22yGh9XejxTU4E/rDaA= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=LvVjwDY3BfnO56xYcCC9gv/6RmY=; b=o/UKVzCPveyEYqXlzZPAstE+xJwA 2DP5Lh8wOGX+tO4+ECIcV9TepCAvMadNK4LiO4fNG4tcPtpxpCDJKOM+6OGM2mMY zA33FtPa4FURrr2jZ7rO43Q6U9cQVh7y7ataeox6AxbhOB6ea/qX8w8z3cDdic9s 2xnejFkFNrP6Jg8= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-100.9 required=5.0 tests=BAYES_00,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 spammy= X-HELO: mout.kundenserver.de Date: Sun, 27 Jan 2019 23:10:47 +0100 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: sshd permits logon using disabled user? Message-ID: <20190127221047.GI3912@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <20190125174833 DOT GA1710 AT zebra> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="brEuL7wsLY8+TuWz" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) --brEuL7wsLY8+TuWz Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Jan 27 17:49, Sam Edge (Cygwin) wrote: > On 25/01/2019 18:03, Bill Stewart wrote: > > On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier > > wrote: > > > >> There are different paths to access and to completely disable the acco= unt > >> you need to close all of them. There are many reasons to disable some > >> paths without disabling all paths and converting the switch that can > >> disable one path to a switch that will disable all paths will break > >> some setups and be less flexible. (As Stefan Baur is pointing out > >> effectively.) > >> > >> To disable ssh logins really, instead of changing the way Cygwin works > >> for everyone, you could do what UNIX/Linux admins do, something like > >> moving the user .ssh folder to .ssh.disabled. > > This is a very problematic view from a Windows system management perspe= ctive. > > > > I respectfully (and strongly) disagree, for at least the following reas= ons: > > > > * Cygwin runs on Windows, and as such should respect Windows security. > > It is very unexpected, from a Windows administration perspective, to > > have a disabled account and still be able to log onto it. > > > > * Proper system management/security mitigation is made quite complex > > with this requirement. Imagine even a small Windows domain: I have to > > scan 20000 machines in my domain to find out if they're running ssh, > > troll through the disks to find ssh config files, find out the key > > file names, rename them, etc. This is quite a bit harder to do than > > just disabling accounts, which in many organizations is handled by an > > automated process. > > > > Regards, > > > > Bill >=20 >=20 > I totally agree that Cygwin should respect the Windows disabled & > locked-out semantics and disallow any form of login where either is set. > Trying to shoe-horn the disabled password but enabled pubkey function > into one or the other just doesn't feel right. Setting a hugely long > random password (maybe via a script that never reveals said password) is > a much better solution to achieve a similar effect without breaking > Windows security auditing. >=20 > On the other hand, I am baffled as to why Windows itself allows a token > to be created for an account that is disabled or locked out. If Cygwin > can do it, other programs could too so you're still vulnerable. No, Windows doesn't allow that unless the process has very specific privileges. But keep in mind that a token is required to do stuff on behalf of a user. So even if the user is disabled from interactive logon, a service process might have a valid reason to create a token for that user to perform a non-interactive purpose. In terms of these special privileges, right now we require these privileges for an account which switches the user (e.g., via sshd installed as a service), as outlined in https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1 However, this should change with the upcoming 3.0 release of Cygwin which replaces the "create token" method with another method called "S4U". This method creates perfectly valid tokens with only documented functions without requiring any super-special permissions. I'm pretty excited about this change because it drops the requirement to create a special CYgwin service account. sshd and other services can finally run under the normal LocalSystem account again. This patch is available in the most recent developer snapshot from https://cygwin.com/snapshots/ btw. Corinna --=20 Corinna Vinschen Cygwin Maintainer --brEuL7wsLY8+TuWz Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlxOLGYACgkQ9TYGna5E T6BwIBAAnZxYPHkN9kAVbpTH/gjcHy5uWv7Pjye3AYkFu2r9Qfg3cDAp4Ik9J6tn ChrU6s+b2KsQ7HxW8QRBOs7/cMarXzSvorapVKCzQXo1RtBh1mvUCgQsyh/yFxY8 IpSdtLJHM3GXzi2S9RtaKVymj8pJDLaGmOhaHKKa/YiTdJQsue+nIfEcELscHCS+ TE3r5Nu76tw8S7jPLbK6F4W/OvIqqAGmBng1UN4qEuZFABVqNH0kigO8waPmWl+A llupEFWDEE5O1K20rfTMwcF657TLtdwDZk/6cCdla4IUs51vsBalZ/738dN/emC+ NCV/h6Z37MDxs1GrBBhtJ87ELSauKZa3tqdSfCI6U5NlecIiQgBdYZwRvgjeYQvD 55VB7p5LUuIO9TgIZ6KEZMIgE3L/z8BA5iY9jvctaXhkWA5YasjTHGjLzmEY4HsJ RrC5a4eXRJfpEcu+DOunpDqVs5wb6FN6dCg0jv0s4kDfVhr3+TksoNzJnhSHGYAs zlOkNKYS3RSA7cx1c0hDReqmF7KSgifh46q9aroUEyrnE5akkPIXFIcC2t9lxU+5 EkYxafIhjeTRSWqN4uuAtv3Jvg2FHqdYKHq4Lc9zvwIAztu9sfevoq3wI3d+8HiE +uUZY+35/1VLJ7UQSk4TtgNXnnW7Ry0gnpGd5W7TSvwd73AYI/o= =g6Ga -----END PGP SIGNATURE----- --brEuL7wsLY8+TuWz--