From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Thu, 24 Jan 2019 15:59:00 -0000
Subject: Re: sshd permits logon using disabled user?
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Message-ID: <20190124155918.GL2802@calimero.vinschen.de>
In-Reply-To: <2b348ac3-63d1-2cd3-430d-2568d650a583@baur-itcs.de>
References: <20190124154533.GK2802@calimero.vinschen.de> <2b348ac3-63d1-2cd3-430d-2568d650a583@baur-itcs.de>
X-SW-Source: 2019-01/txt/msg00201.txt.bz2

On Jan 24 16:51, Stefan Baur wrote:
> On 24.01.19 at 16:45, Corinna Vinschen wrote:
> >> In the shell, logged on as the disabled user, the 'whoami' command returns
> >> the name of the disabled user.
> >>
> >> This seems unexpected and not good.
> >>
> >> Why does sshd allow logon for a disabled user?
> > Because the underlying Cygwin function responsible for changing the user
> > account only checks if the account exists. It does not check for any of
> > the flags in the user DB. Yet.
> >
> > I pushed a patch to disallow changing the user account to a disabled or
> > locked out account.
>
> I would like to point out that on Linux, you can disable an account's
> password ("passwd -l username" / "usermod -L username"), and still log
> in using an SSH key pair. This is intentional and different to
> disabling an account entirely ("usermod -e 1 username" combined with the
> above).
>
> So I guess, the question is if there's a way to make Cygwin act similar
> to this - maybe if you can tell disabled vs. locked out apart, allow SSH
> key pair logins when locked out, but not when disabled?

Being disabled and being locked out are two different flags, so these
can be distinguished from each other. A disabled account is an account
which is explicitly disabled in the user DB. A locked out account in
Windows is to my understanding an account which has unsuccessfully tried
to log in multiple times, so the account is locked for security reasons
until an admin unlocks it.

Right now, with the patch I just pushed, both types, explicitly disabled
or locked out, are refused. I think refusing an account manually and
deliberately disabled by an admin makes lots of sense. I'm not so sure
about locked out accounts. This might need some discussion.

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
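As an added illustration of the two flags discussed in the message (example code written for this page, not the Cygwin patch Corinna refers to): a Windows user-DB record carries UF_ACCOUNTDISABLE and UF_LOCKOUT as separate bits, so a caller that is about to switch to an account can refuse one and, as a matter of policy, tolerate the other. The flag values are the ones defined in lmaccess.h. The lookup through NetUserGetInfo is an assumption about how such a check could be wired and only covers local accounts (a domain account has to be queried at its DC); the allow_locked_out policy knob and the sample flag value used when built off-Windows are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#include <lm.h>          /* NetUserGetInfo, USER_INFO_1; link with -lnetapi32 */
#endif

/* Fallback definitions so the policy code also builds off-Windows.
 * Values match lmaccess.h. */
#ifndef UF_ACCOUNTDISABLE
#define UF_ACCOUNTDISABLE 0x0002   /* account explicitly disabled by an admin */
#endif
#ifndef UF_LOCKOUT
#define UF_LOCKOUT        0x0010   /* locked after repeated failed logons */
#endif

enum account_state { ACCOUNT_OK, ACCOUNT_DISABLED, ACCOUNT_LOCKED_OUT };

/* Classify the usri*_flags word.  An explicitly disabled account is
 * reported as disabled even if it happens to be locked out as well. */
enum account_state classify_account(unsigned long flags)
{
    if (flags & UF_ACCOUNTDISABLE)
        return ACCOUNT_DISABLED;
    if (flags & UF_LOCKOUT)
        return ACCOUNT_LOCKED_OUT;
    return ACCOUNT_OK;
}

/* Policy (this example's own, not Cygwin's): a disabled account is always
 * refused; a locked-out account is refused unless the caller opts to allow
 * it, e.g. to keep key-based SSH logins working as on Linux. */
bool may_switch_to_account(unsigned long flags, bool allow_locked_out)
{
    switch (classify_account(flags)) {
    case ACCOUNT_DISABLED:   return false;
    case ACCOUNT_LOCKED_OUT: return allow_locked_out;
    default:                 return true;
    }
}

#ifdef _WIN32
/* Read usri1_flags of a local account.  Returns false when the lookup fails
 * (unknown user, insufficient rights, or a domain account that would have
 * to be queried at its DC instead of locally). */
bool get_local_account_flags(const wchar_t *user, unsigned long *flags_out)
{
    LPBYTE buf = NULL;
    NET_API_STATUS st = NetUserGetInfo(NULL, user, 1, &buf);
    if (st != NERR_Success || buf == NULL)
        return false;
    *flags_out = ((USER_INFO_1 *)buf)->usri1_flags;
    NetApiBufferFree(buf);
    return true;
}
#endif

int main(int argc, char **argv)
{
    unsigned long flags;
#ifdef _WIN32
    wchar_t user[256];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <local-user>\n", argv[0]);
        return 2;
    }
    if (mbstowcs(user, argv[1], 255) == (size_t)-1)
        return 2;
    user[255] = L'\0';
    if (!get_local_account_flags(user, &flags)) {
        fprintf(stderr, "account lookup failed\n");
        return 2;
    }
#else
    /* Off-Windows there is no user DB to ask; constructed sample value. */
    (void)argc; (void)argv;
    flags = UF_LOCKOUT;
#endif
    printf("disabled=%d locked_out=%d -> switching allowed: %s\n",
           (flags & UF_ACCOUNTDISABLE) != 0, (flags & UF_LOCKOUT) != 0,
           may_switch_to_account(flags, false) ? "yes" : "no");
    return 0;
}
```

On Cygwin or MinGW, build with `gcc check_account.c -lnetapi32` and run it as an administrator against a local account name; elsewhere it only exercises the policy on the constructed flag value.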