From: Stefan Baur
To: cygwin@cygwin.com
Subject: Re: sshd permits logon using disabled user?
Date: Thu, 24 Jan 2019 15:51:00 -0000
Message-ID: <2b348ac3-63d1-2cd3-430d-2568d650a583@baur-itcs.de>
In-Reply-To: <20190124154533.GK2802@calimero.vinschen.de>

On 24.01.19 at 16:45, Corinna Vinschen wrote:
>> In the shell, logged on as the disabled user, the 'whoami' command returns
>> the name of the disabled user.
>>
>> This seems unexpected and not good.
>>
>> Why does sshd allow logon for a disabled user?
> Because the underlying Cygwin function responsible for changing the user
> account only checks if the account exists. It does not check for any of
> the flags in the user DB. Yet.
>
> I pushed a patch to disallow changing the user account to a disabled or
> locked out account.

I would like to point out that on Linux, you can disable an account's
password ("password -l username" / "usermod -L username"), and still log
in using an SSH key pair. This is intentional and different to disabling
an account entirely ("usermod -e 1 username" combined with the above).

So I guess, the question is if there's a way to make Cygwin act similar
to this - maybe if you can tell disabled vs. locked out apart, allow SSH
key pair logins when locked out, but not when disabled?

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court: Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
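
The distinction drawn in the message above (locked password versus expired account), as an added example that is not part of the original post or of Cygwin: it reads shadow(5)-format lines and reports which login methods remain, following the behaviour the message describes. The sample lines, the placeholder hashes, the function names and the "expired once today >= expiry day" rule are assumptions made for the illustration.

```python
"""Classify shadow(5) entries: locked password vs. expired (disabled) account."""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample lines in shadow(5) format; the hashes are placeholders.
SAMPLE_SHADOW = """\
alice:$6$salt$placeholderhash:17900:0:99999:7:::
bob:!$6$salt$placeholderhash:17900:0:99999:7:::
carol:!$6$salt$placeholderhash:17900:0:99999:7::1:
"""

def classify_shadow_entry(line, today):
    """Return (user, password_locked, account_expired) for one shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 shadow fields, got {len(fields)}")
    user, pw_hash, expire = fields[0], fields[1], fields[7]
    # "usermod -L" prefixes the stored hash with '!' (password locked).
    password_locked = pw_hash.startswith("!")
    # Field 8 is the expiry day counted from 1970-01-01; empty means never.
    # "usermod -e 1" sets it to 1. Assumption: expired once today >= that day.
    days_now = (today - EPOCH).days
    account_expired = expire != "" and days_now >= int(expire)
    return user, password_locked, account_expired

def allowed_logins(line, today):
    """Login methods left open, per the distinction made in the message."""
    _, locked, expired = classify_shadow_entry(line, today)
    if expired:
        return set()               # account disabled entirely
    if locked:
        return {"publickey"}       # password locked, key pair still usable
    return {"password", "publickey"}

def report(shadow_text, today):
    """Map each user in shadow_text to the set of login methods left open."""
    return {line.split(":")[0]: allowed_logins(line, today)
            for line in shadow_text.splitlines() if line.strip()}

if __name__ == "__main__":
    for user, methods in report(SAMPLE_SHADOW, date(2019, 1, 24)).items():
        print(f"{user}: {sorted(methods) or 'no login'}")
```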