From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: cygwin@cygwin.com
Subject: Re: sshd permits logon using disabled user?
Date: Fri, 25 Jan 2019 10:36:00 -0000
Message-ID: <d6f98cbc-bd2f-1c13-98bb-7ef42c000115@baur-itcs.de>
In-Reply-To: <1690850474.834980.1548391349102@mail.yahoo.com>

On 25.01.19 at 05:42, matthew patton via cygwin wrote:
> Why is this even a discussion? You *ALWAYS* refuse a login to an account that is disabled, locked out, or has an expired password or failed any of the other criteria that might be in effect (day/time restrictions, source IP restrictions, etc.)

Not on Linux (and possibly other Unices).  There, it's perfectly valid
to disable an account's password login (both locally and remote), but to
at the same time allow ssh key file based logins for the same account.

Since cygwin aims to be Linux-/POSIX-compatible to a certain degree, it
is indeed worthy of discussion - even if the final decision might be to
just block logins completely, even with an ssh key pair.

Before Corinna pushed her fix, it was possible to log in via SSH key,
even when the account was locked out/disabled.  Someone might have been
using that "feature" on cygwin, knowing it from Linux, where it is
indeed a feature/design choice.

If this fix hits stable, the same people might be wondering why their
ssh logins fail all of a sudden.

This could be a scenario for scripted uploads via rsync/scp/sftp, for
example, where people are using ssh keys locked down to certain
commands.  You just don't want that user account to be able to log in
with only a password, ever - because the only reason that would happen
would be an account compromise.  And because of that, having a "there is
no valid password for this account, you can try as hard as you like"
setting makes more sense than just setting a long and complex password
that hopefully no one ever guesses/bruteforces/sidechannel-hacks/...

Kind Regards,
Stefan Baur


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register Court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
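The Linux behaviour Stefan describes (password login disabled, key login still allowed, versus an account that is fully expired) and the "keys locked down to certain commands" setup, as an added example that is not part of the thread. The shadow lines, key material and the rrsync path are constructed placeholders; "today" is passed in as days since the epoch so the functions run offline.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Linux /etc/shadow entry the
# way sshd with UsePAM yes effectively treats it, to show why "password
# disabled" and "account disabled" are different states on Linux.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Assumption: $1 is a constructed shadow line, $2 is "today" in days since
# 1970-01-01, so the check is reproducible without touching the real file.
shadow_state() {
    line=$1; today=$2
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)

    # Field 8 set and in the past: account expired, every auth method is
    # refused, public keys included.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo account-expired; return
    fi
    case $hash in
        '!'*|'*'*)
            # passwd -l / usermod -L or no password at all: password auth is
            # refused, but public-key auth still works through PAM. (Only an
            # sshd built without PAM treats the '!' prefix as a hard lock.)
            echo password-locked-key-ok ;;
        '')  echo empty-password ;;
        *)   echo password-active ;;
    esac
}

# Build the authorized_keys line for the scripted-upload scenario: "restrict"
# drops forwarding/pty/agent, and the forced command means a leaked key can
# only run the upload helper. Command and key are constructed placeholders.
restricted_key_line() {
    # $1 = forced command, $2 = public key (type, base64 body, comment)
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}
```

Run `shadow_state` over each line of a copied shadow file to find accounts that are key-only rather than fully disabled, which is exactly the set that would break if key logins started being refused.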
