From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Thu, 24 Jan 2019 16:36:00 -0000
Subject: Re: sshd permits logon using disabled user?
Message-ID: <20190124163612.GM2802@calimero.vinschen.de>
In-Reply-To: <51ded8a7-ffc0-c1b0-8bb6-8d2f5870ec68@baur-itcs.de>
References: <20190124154533.GK2802@calimero.vinschen.de> <2b348ac3-63d1-2cd3-430d-2568d650a583@baur-itcs.de> <20190124155918.GL2802@calimero.vinschen.de> <51ded8a7-ffc0-c1b0-8bb6-8d2f5870ec68@baur-itcs.de>

On Jan 24 17:16, Stefan Baur wrote:
> On 24.01.19 at 16:59, Corinna Vinschen wrote:
> > I think refusing an account manually and deliberately disabled by an
> > admin makes lots of sense.
> >
> > I'm not so sure about locked out accounts. This might need some
> > discussion.
>
> It's been a while since I did Windows administration, so I can't really
> make a recommendation here ... BUT:
>
> If an admin can lock out an account (separately from disabling it
> entirely), say, by setting an initial password, checking the "user must
> change password on first login", and also checking "user is not allowed
> to change password" simultaneously (if that's possible), or, say, by
> just setting a random password without telling it to anyone ever,
> followed by firing so many login attempts at the account that it gets
> locked out, then telling them apart and treating locked out accounts
> differently would make sense, IMO.

This description sounds extremely artificial to me.  We should work under
the assumption that the admin is the good guy.  Usually a user locks itself
out, or is locked out by a malicious login attempt.  The admin can only
define rules for locking out; other than that she can only remove the
"account locked" flag.

Corinna

--
Corinna Vinschen
Cygwin Maintainer
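The distinction argued over in this message, "disabled by an admin" versus
"locked out by the lockout policy", is visible in the account's SAM user
flags: UF_ACCOUNTDISABLE is set and cleared only by an admin, while
UF_LOCKOUT is set by the lockout policy and, as the Windows API documents it,
can be read and cleared via NetUserGetInfo/NetUserSetInfo but never set by
hand.  The following is an added example written for this archive page; it
is not Cygwin's or OpenSSH's code and does not claim to show how Cygwin's
sshd actually decides.  It classifies a flags word into the two states and
applies the policy the thread leans towards: always refuse a disabled
account, make refusing a locked-out one a caller's choice.  The UF_* values
are the documented ones from <lmaccess.h> and are redefined only when
building off Windows; the NetUserGetInfo() lookup is compiled on Windows
alone, and the account names and flag words in main() are constructed.

```c
/*
 * Added example, not code from Cygwin or OpenSSH: tell an account that an
 * admin deliberately disabled (UF_ACCOUNTDISABLE) apart from one that merely
 * tripped the lockout policy (UF_LOCKOUT), and apply the policy the thread
 * argues about: always refuse the former, make refusing the latter optional.
 *
 * On Windows the UF_* constants and NetUserGetInfo() come from <lm.h>;
 * elsewhere the documented values are redefined so the classifier still
 * builds and can be exercised with constructed flag words.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <lm.h>            /* link with -lnetapi32 */
#endif

#ifndef UF_ACCOUNTDISABLE   /* documented usriX_flags bits, <lmaccess.h> */
#define UF_ACCOUNTDISABLE   0x0002UL
#define UF_LOCKOUT          0x0010UL
#define UF_NORMAL_ACCOUNT   0x0200UL
#define UF_PASSWORD_EXPIRED 0x800000UL
#endif

enum acct_state {
    ACCT_OK = 0,     /* nothing in the flags blocks a logon */
    ACCT_DISABLED,   /* set and cleared only by an admin */
    ACCT_LOCKED_OUT, /* set by the lockout policy; an admin can only clear it */
    ACCT_PW_EXPIRED  /* password must be changed; not a reason to refuse here */
};

/* Disabled takes precedence over locked out, which takes precedence over an
 * expired password, so an account carrying several flags is reported by the
 * one that matters most for the logon decision. */
enum acct_state classify_account(unsigned long flags)
{
    if (flags & UF_ACCOUNTDISABLE)
        return ACCT_DISABLED;
    if (flags & UF_LOCKOUT)
        return ACCT_LOCKED_OUT;
    if (flags & UF_PASSWORD_EXPIRED)
        return ACCT_PW_EXPIRED;
    return ACCT_OK;
}

const char *acct_state_name(enum acct_state s)
{
    switch (s) {
    case ACCT_DISABLED:   return "disabled";
    case ACCT_LOCKED_OUT: return "locked out";
    case ACCT_PW_EXPIRED: return "password expired";
    default:              return "ok";
    }
}

/* Returns 1 if the logon may proceed.  A disabled account is always refused;
 * a locked-out one only when honour_lockout is non-zero. */
int logon_permitted(unsigned long flags, int honour_lockout)
{
    switch (classify_account(flags)) {
    case ACCT_DISABLED:   return 0;
    case ACCT_LOCKED_OUT: return honour_lockout ? 0 : 1;
    default:              return 1;
    }
}

#ifdef _WIN32
/* Fetch the live usri4_flags word of a local account.  Returns 0 on success,
 * otherwise the NET_API_STATUS error code. */
int get_account_flags(const wchar_t *user, unsigned long *flags)
{
    USER_INFO_4 *ui = NULL;
    NET_API_STATUS st = NetUserGetInfo(NULL, user, 4, (LPBYTE *)&ui);
    if (st != NERR_Success)
        return (int)st;
    *flags = ui->usri4_flags;
    NetApiBufferFree(ui);
    return 0;
}
#endif

int main(void)
{
    /* Constructed flag words standing in for four hypothetical accounts. */
    static const struct { const char *who; unsigned long flags; } samples[] = {
        { "alice (normal)",           UF_NORMAL_ACCOUNT },
        { "bob (admin-disabled)",     UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE },
        { "carol (lockout tripped)",  UF_NORMAL_ACCOUNT | UF_LOCKOUT },
        { "dave (disabled + locked)", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_LOCKOUT },
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s flags=0x%06lx state=%-16s logon(ignore lockout)=%d logon(honour lockout)=%d\n",
               samples[i].who, samples[i].flags,
               acct_state_name(classify_account(samples[i].flags)),
               logon_permitted(samples[i].flags, 0),
               logon_permitted(samples[i].flags, 1));
    return 0;
}
```

Note that "dave" is reported as disabled even though UF_LOCKOUT is also
set: the deliberate admin action is the one a logon check should act on,
and a lockout that expires or is cleared by the admin must not turn a
disabled account back into a usable one.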