From: "Sam Edge (Cygwin)" <sam.edge.cygwin@gmx.com>
To: cygwin@cygwin.com
Subject: Re: sshd permits logon using disabled user?
Date: Sun, 27 Jan 2019 17:48:00 -0000 [thread overview]
Message-ID: <d37a1aeb-913c-c773-b709-e68b54f28365@gmx.com> (raw)
In-Reply-To: <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig@mail.gmail.com>
On 25/01/2019 18:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier
> <carrier@berkeley.edu> wrote:
>
>> There are different paths to access and to completely disable the account
>> you need to close all of them. There are many reasons to disable some
>> paths without disabling all paths and converting the switch that can
>> disable one path to a switch that will disable all paths will break
>> some setups and be less flexible. (As Stefan Baur is pointing out
>> effectively.)
>>
>> To disable ssh logins really, instead of changing the way Cygwin works
>> for everyone, you could do what UNIX/Linux admins do, something like
>> moving the user .ssh folder to .ssh.disabled.
> This is a very problematic view from a Windows system management perspective.
>
> I respectfully (and strongly) disagree, for at least the following reasons:
>
> * Cygwin runs on Windows, and as such should respect Windows security.
> It is very unexpected, from a Windows administration perspective, to
> have a disabled account and still be able to log onto it.
>
> * Proper system management/security mitigation is made quite complex
> with this requirement. Imagine even a small Windows domain: I have to
> scan 20000 machines in my domain to find out if they're running ssh,
> troll through the disks to find ssh config files, find out the key
> file names, rename them, etc. This is quite a bit harder to do than
> just disabling accounts, which in many organizations is handled by an
> automated process.
>
> Regards,
>
> Bill
I totally agree that Cygwin should respect the Windows disabled &
locked-out semantics and disallow any form of login where either is set.
Trying to shoe-horn the disabled password but enabled pubkey function
into one or the other just doesn't feel right. Setting a hugely long
random password (maybe via a script that never reveals said password) is
a much better solution to achieve a similar effect without breaking
Windows security auditing.
On the other hand, I am baffled as to why Windows itself allows a token
to be created for an account that is disabled or locked out. If Cygwin
can do it, other programs could too so you're still vulnerable.
--
Sam Edge
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2019-01-27 17:48 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1690850474.834980.1548391349102.ref@mail.yahoo.com>
2019-01-25 4:42 ` matthew patton via cygwin
2019-01-25 10:36 ` Stefan Baur
2019-01-25 15:34 ` Bill Stewart
2019-01-25 17:48 ` Stephen Paul Carrier
2019-01-25 18:03 ` Bill Stewart
2019-01-27 17:48 ` Sam Edge (Cygwin) [this message]
2019-01-27 22:10 ` Corinna Vinschen
2019-01-28 13:35 ` Sam Edge
2019-01-28 9:59 ` Corinna Vinschen
2019-01-28 15:02 ` Bill Stewart
2019-01-28 16:52 ` Corinna Vinschen
2019-01-28 17:19 ` Bill Stewart
2019-01-28 18:39 ` Corinna Vinschen
2019-01-28 20:14 ` Bill Stewart
2019-01-28 21:50 ` Bill Stewart
2019-01-28 22:24 ` Bill Stewart
2019-01-29 11:57 ` Corinna Vinschen
2019-01-29 12:12 ` Corinna Vinschen
2019-01-29 17:05 ` Corinna Vinschen
2019-01-29 18:18 ` Bill Stewart
2019-01-29 18:30 ` Corinna Vinschen
2019-01-24 13:28 Bill Stewart
2019-01-24 15:45 ` Corinna Vinschen
2019-01-24 15:51 ` Stefan Baur
2019-01-24 15:59 ` Corinna Vinschen
2019-01-24 16:16 ` Stefan Baur
2019-01-24 16:36 ` Corinna Vinschen
2019-01-24 17:01 ` Stefan Baur
2019-01-26 19:05 ` Andrey Repin
2019-01-24 16:49 ` Bill Stewart
2019-01-24 20:23 ` Corinna Vinschen
2019-01-24 20:37 ` Bill Stewart
2019-01-25 16:56 ` Corinna Vinschen
2019-01-24 17:52 ` Bill Stewart
2019-01-24 17:58 ` Stefan Baur
2019-01-24 18:13 ` Bill Stewart
2019-01-24 19:17 ` Wayne Davison
2019-01-24 19:22 ` Stefan Baur
2019-01-26 19:20 ` Andrey Repin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d37a1aeb-913c-c773-b709-e68b54f28365@gmx.com \
--to=sam.edge.cygwin@gmx.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).