From: Corinna Vinschen
To: Bill Stewart
Cc: cygwin@cygwin.com
Date: Thu, 24 Jan 2019 15:45:00 -0000
Subject: Re: sshd permits logon using disabled user?
Message-ID: <20190124154533.GK2802@calimero.vinschen.de>

On Jan 24 06:28, Bill Stewart wrote:
> I am running Windows 10 (1803) and experimenting with sshd installed as a
> Windows service.
>
> The computer is a domain member. I created a local computer account for
> testing.
>
> I created host keys and a public/private key pair to use to log on the user.
>
> This works, except I notice that if I disable the Windows user account, I
> can still log on using ssh using that account.
>
> In the shell, logged on as the disabled user, the 'whoami' command returns
> the name of the disabled user.
>
> This seems unexpected and not good.
>
> Why does sshd allow logon for a disabled user?

Because the underlying Cygwin function responsible for changing the user
account only checks if the account exists. It does not check for any
of the flags in the user DB. Yet.

I pushed a patch to disallow changing the user account to a disabled or
locked out account. I just uploaded new developer snapshots containing
this change to https://cygwin.com/snapshots/

Please give them a try.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
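The difference between an existence-only check and a check of the account flags, as an added example that is not part of the original mail and is not Cygwin's patch. The function names are hypothetical; the Windows lookup uses NetUserGetInfo and the UF_* flag bits from the Windows SDK, and the sample flag words are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
#include <lm.h>   /* NetUserGetInfo, USER_INFO_1, UF_* (link with -lnetapi32) */
#else
/* Values from the Windows SDK header lmaccess.h, so the policy logic builds anywhere. */
#define UF_ACCOUNTDISABLE 0x0002
#define UF_LOCKOUT        0x0010
#endif

/* Behaviour described in the mail: existence is the only test (hypothetical name). */
bool may_switch_exists_only(bool exists, unsigned long flags)
{
    (void)flags;              /* account flags are never consulted */
    return exists;
}

/* Hardened form: the account must exist and be neither disabled nor locked out. */
bool may_switch_checked(bool exists, unsigned long flags)
{
    return exists && !(flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT));
}

#if defined(_WIN32) || defined(__CYGWIN__)
/* Look up a local account and apply the hardened check; fail closed on lookup errors. */
bool local_user_may_logon(const wchar_t *name)
{
    USER_INFO_1 *ui = NULL;
    if (NetUserGetInfo(NULL, name, 1, (LPBYTE *)&ui) != NERR_Success)
        return false;
    bool ok = may_switch_checked(true, ui->usri1_flags);
    NetApiBufferFree(ui);
    return ok;
}
#endif

int main(void)
{
    /* Constructed flag words: UF_NORMAL_ACCOUNT (0x0200) alone, disabled, locked out. */
    unsigned long samples[] = { 0x0200, 0x0202, 0x0210 };
    for (int i = 0; i < 3; i++)
        printf("flags=0x%04lx exists-only=%d checked=%d\n", samples[i],
               may_switch_exists_only(true, samples[i]),
               may_switch_checked(true, samples[i]));
    return 0;
}
```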