From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 5108 invoked by alias); 25 Jan 2019 18:03:38 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 5097 invoked by uid 89); 25 Jan 2019 18:03:38 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=disagree, 20000, Stephen, management X-HELO: mout.gmx.com Received: from mout.gmx.com (HELO mout.gmx.com) (74.208.4.201) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 25 Jan 2019 18:03:37 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.com; s=dbd5af2cbaf7; t=1548439413; bh=TS1UvmqBopK55dxQQkqOZ8yxwh3GlrBbMQtnhXt+M50=; h=X-UI-Sender-Class:References:In-Reply-To:From:Date:Subject:To; b=xNKXly3C308lR+jA1DZg6YbqGnt0gm/ZoUi+XK9iFJVGgOBDVTJd058gh1qph+NOA 0r8ZM9KYiQincCLye3dZNFHBvdTSNBG69oV/mfOdM/fBF10Tj/kva1VmxCs3waVr6N vMLRU2t6oEz4DJHR8ZLe5emiaCJAQe4r5x//6krg= X-UI-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79 Received: from mail-lj1-f173.google.com ([209.85.208.173]) by mail.gmx.com (mrgmxus002 [74.208.5.15]) with ESMTPSA (Nemesis) id 0M7YR7-1h9Rf12zGJ-00xLfX for ; Fri, 25 Jan 2019 19:03:32 +0100 Received: by mail-lj1-f173.google.com with SMTP id c19-v6so9104510lja.5 for ; Fri, 25 Jan 2019 10:03:32 -0800 (PST) MIME-Version: 1.0 References: <1690850474.834980.1548391349102.ref@mail.yahoo.com> <1690850474.834980.1548391349102@mail.yahoo.com> <20190125174833.GA1710@zebra> In-Reply-To: <20190125174833.GA1710@zebra> From: Bill Stewart Date: Fri, 25 Jan 2019 18:03:00 -0000 Message-ID: Subject: Re: sshd permits logon using disabled user? To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2019-01/txt/msg00230.txt.bz2 On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier wrote: > There are different paths to access and to completely disable the account > you need to close all of them. There are many reasons to disable some > paths without disabling all paths and converting the switch that can > disable one path to a switch that will disable all paths will break > some setups and be less flexible. (As Stefan Baur is pointing out > effectively.) > > To disable ssh logins really, instead of changing the way Cygwin works > for everyone, you could do what UNIX/Linux admins do, something like > moving the user .ssh folder to .ssh.disabled. This is a very problematic view from a Windows system management perspective. I respectfully (and strongly) disagree, for at least the following reasons: * Cygwin runs on Windows, and as such should respect Windows security. It is very unexpected, from a Windows administration perspective, to have a disabled account and still be able to log onto it. * Proper system management/security mitigation is made quite complex with this requirement. Imagine even a small Windows domain: I have to scan 20000 machines in my domain to find out if they're running ssh, troll through the disks to find ssh config files, find out the key file names, rename them, etc. This is quite a bit harder to do than just disabling accounts, which in many organizations is handled by an automated process. Regards, Bill -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple