Web lists-archives.com

Re: sshd permits logon using disabled user?




Am 24.01.19 um 16:45 schrieb Corinna Vinschen:
>> In the shell, logged on as the disabled user, the 'whoami' command returns
>> the name of the disabled user.
>>
>> This seems unexpected and not good.
>>
>> Why does sshd allow logon for a disabled user?
> Because the underlying Cygwin function responsible for changing the user
> account only checks if the account exists.  It does not check for any of
> the flags in the user DB.  Yet.
> 
> I pushed a patch to disallow changing the user account to a disabled or
> locked out account.

I would like to point out that on Linux, you can disable an account's
password ("password -l username" / "usermod -L username"), and still log
in using an SSH key pair.  This is intentional and different to
disabling an account entirely ("usermod -e 1 username" combined with the
above).

So I guess, the question is if there's a way to make Cygwin act similar
to this - maybe if you can tell disabled vs. locked out apart, allow SSH
key pair logins when locked out, but not when disabled?

Kind Regards,
Stefan Baur


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243

Attachment: signature.asc
Description: OpenPGP digital signature