Re: sshd permits logon using disabled user?

[Corinna Vinschen <corinna-cygwin@cygwin.com>]

[-- Attachment #1: Type: text/plain, Size: 3594 bytes --]

On Jan 27 17:49, Sam Edge (Cygwin) wrote:
> On 25/01/2019 18:03, Bill Stewart wrote:
> > On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier
> > <carrier@berkeley.edu> wrote:
> >
> >> There are different paths to access and to completely disable the account
> >> you need to close all of them.  There are many reasons to disable some
> >> paths without disabling all paths and converting the switch that can
> >> disable one path to a switch that will disable all paths will break
> >> some setups and be less flexible.  (As Stefan Baur is pointing out
> >> effectively.)
> >>
> >> To disable ssh logins really, instead of changing the way Cygwin works
> >> for everyone, you could do what UNIX/Linux admins do, something like
> >> moving the user .ssh folder to .ssh.disabled.
> > This is a very problematic view from a Windows system management perspective.
> >
> > I respectfully (and strongly) disagree, for at least the following reasons:
> >
> > * Cygwin runs on Windows, and as such should respect Windows security.
> > It is very unexpected, from a Windows administration perspective, to
> > have a disabled account and still be able to log onto it.
> >
> > * Proper system management/security mitigation is made quite complex
> > with this requirement. Imagine even a small Windows domain: I have to
> > scan 20000 machines in my domain to find out if they're running ssh,
> > troll through the disks to find ssh config files, find out the key
> > file names, rename them, etc. This is quite a bit harder to do than
> > just disabling accounts, which in many organizations is handled by an
> > automated process.
> >
> > Regards,
> >
> > Bill
> 
> 
> I totally agree that Cygwin should respect the Windows disabled &
> locked-out semantics and disallow any form of login where either is set.
> Trying to shoe-horn the disabled password but enabled pubkey function
> into one or the other just doesn't feel right. Setting a hugely long
> random password (maybe via a script that never reveals said password) is
> a much better solution to achieve a similar effect without breaking
> Windows security auditing.
> 
> On the other hand, I am baffled as to why Windows itself allows a token
> to be created for an account that is disabled or locked out. If Cygwin
> can do it, other programs could too so you're still vulnerable.

No, Windows doesn't allow that unless the process has very specific
privileges.  But keep in mind that a token is required to do stuff on
behalf of a user.  So even if the user is disabled from interactive
logon, a service process might have a valid reason to create a token
for that user to perform a non-interactive purpose.

In terms of these special privileges, right now we require these
privileges for an account which switches the user (e.g., via sshd
installed as a service), as outlined in
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1

However, this should change with the upcoming 3.0 release of Cygwin
which replaces the "create token" method with another method called
"S4U".  This method creates perfectly valid tokens with only documented
functions without requiring any super-special permissions.

I'm pretty excited about this change because it drops the requirement
to create a special CYgwin service account.  sshd and other services
can finally run under the normal LocalSystem account again.

This patch is available in the most recent developer snapshot from
https://cygwin.com/snapshots/ btw.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]