On Jan 24 06:28, Bill Stewart wrote:
> I am running Windows 10 (1803) and experimenting with sshd installed as a
> Windows service.
> 
> The computer is a domain member. I created a local computer account for
> testing.
> 
> I created host keys and a public/private key pair to use to log on the user.
> 
> This works, except I notice that if I disable the Windows user account, I
> can still log on using ssh using that account.
> 
> In the shell, logged on as the disabled user, the 'whoami' command returns
> the name of the disabled user.
> 
> This seems unexpected and not good.
> 
> Why does sshd allow logon for a disabled user?

Because the underlying Cygwin function responsible for changing the user
account only checks if the account exists.  It does not check for any of
the flags in the user DB.  Yet.

I pushed a patch to disallow changing the user account to a disabled or
locked out account.

I just uploaded new developer snapshots containing this change to
https://cygwin.com/snapshots/

Please give them a try.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer