From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 17566 invoked by alias); 24 Jan 2019 17:52:46 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 16424 invoked by uid 89); 24 Jan 2019 17:52:45 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=H*c:alternative, guy, she X-HELO: mout.gmx.com Received: from mout.gmx.com (HELO mout.gmx.com) (74.208.4.200) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 24 Jan 2019 17:52:43 +0000 X-UI-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79 Received: from mail-lj1-f176.google.com ([209.85.208.176]) by mail.gmx.com (mrgmxus001 [74.208.5.15]) with ESMTPSA (Nemesis) id 0M0gsy-1h3Z2c3SYw-00uuR7 for ; Thu, 24 Jan 2019 18:52:41 +0100 Received: by mail-lj1-f176.google.com with SMTP id q2-v6so6017747lji.10 for ; Thu, 24 Jan 2019 09:52:40 -0800 (PST) MIME-Version: 1.0 References: <20190124154533.GK2802@calimero.vinschen.de> In-Reply-To: <20190124154533.GK2802@calimero.vinschen.de> From: Bill Stewart Date: Thu, 24 Jan 2019 17:52:00 -0000 Message-ID: Subject: Re: sshd permits logon using disabled user? To: cygwin@cygwin.com Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2019-01/txt/msg00209.txt.bz2 Corinna Vinschen wrote: > This description sounds extremly artificial to me. We should work under the > assumption that the admin is the good guy. Usually a user locks itself out, > or is locked out by a malicious login attempt. The admin can only define > rules for locking out, other than that she can only remove the "account > locked" flag. This is correct. >From a Windows perspective, "disabled" (UF_ACCOUNTDISABLE) means "account cannot be used to log on," and "locked out" (UF_LOCKOUT) means "there were too many bad password attempts, so the account is locked and cannot be used to log on at this time." The administrator can specify whether the UF_LOCKOUT duration is indefinite (this is usually not recommended, because this can be used for DoS) or not. Only an administrator (or a user with appropriate permissions) can set or clear UF_ACCOUNTDISABLE. It is used to prevent _any_ use of the account. UF_LOCKOUT is _only_ set by bad password attempts (the number of bad attempts is set by policy) and is not really intended to be used for any other purpose. UF_LOCKOUT can be cleared by an administrator (or user with appropriate permissions), or the system can clear it automatically after some duration (specified by policy), or it can be indefinite (although, as previously noted, this is not usually recommended). If you want to have an account that does not require a password, there is a separate flag for that - PASSWD_NOTREQD - although setting this may be prohibited by policy. So basically Corinna's idea is correct: If UF_ACCOUNTDISABLE or UF_LOCKOUT are set, the account should not allow logon. Regards, Bill -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple