From: Corinna Vinschen
To: Bill Stewart
Cc: cygwin@cygwin.com
Date: Mon, 28 Jan 2019 10:59:47 +0100 (CET)
Subject: Re: sshd permits logon using disabled user?
Message-ID: <20190128095947.GN3912@calimero.vinschen.de>
In-Reply-To: <20190125174833.GA1710@zebra>

Bill,

On Jan 25 11:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier wrote:
>
> > There are different paths to access and to completely disable the account
> > you need to close all of them. There are many reasons to disable some
> > paths without disabling all paths and converting the switch that can
> > disable one path to a switch that will disable all paths will break
> > some setups and be less flexible. (As Stefan Baur is pointing out
> > effectively.)
> >
> > To disable ssh logins really, instead of changing the way Cygwin works
> > for everyone, you could do what UNIX/Linux admins do, something like
> > moving the user .ssh folder to .ssh.disabled.
>
> This is a very problematic view from a Windows system management perspective.
>
> I respectfully (and strongly) disagree, for at least the following reasons:
>
> * Cygwin runs on Windows, and as such should respect Windows security.
>   It is very unexpected, from a Windows administration perspective, to
>   have a disabled account and still be able to log onto it.
>
> * Proper system management/security mitigation is made quite complex
>   with this requirement. Imagine even a small Windows domain: I have to
>   scan 20000 machines in my domain to find out if they're running ssh,
>   troll through the disks to find ssh config files, find out the key
>   file names, rename them, etc. This is quite a bit harder to do than
>   just disabling accounts, which in many organizations is handled by an
>   automated process.

Can you please test again with the latest snapshot from
https://cygwin.com/snapshots/?

The new S4U authentication method used in this snapshot automatically
applies the Windows account rules, so in my testing the patch I applied
originally is not required anymore. Consequentially I disabled it to
rely fully on the Windows function's behaviour.

Can you test this, too, please, just to be sure?

Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer