Web lists-archives.com

Re: sshd permits logon using disabled user?




On Jan 24 16:51, Stefan Baur wrote:
> Am 24.01.19 um 16:45 schrieb Corinna Vinschen:
> >> In the shell, logged on as the disabled user, the 'whoami' command returns
> >> the name of the disabled user.
> >>
> >> This seems unexpected and not good.
> >>
> >> Why does sshd allow logon for a disabled user?
> > Because the underlying Cygwin function responsible for changing the user
> > account only checks if the account exists.  It does not check for any of
> > the flags in the user DB.  Yet.
> > 
> > I pushed a patch to disallow changing the user account to a disabled or
> > locked out account.
> 
> I would like to point out that on Linux, you can disable an account's
> password ("password -l username" / "usermod -L username"), and still log
> in using an SSH key pair.  This is intentional and different to
> disabling an account entirely ("usermod -e 1 username" combined with the
> above).
> 
> So I guess, the question is if there's a way to make Cygwin act similar
> to this - maybe if you can tell disabled vs. locked out apart, allow SSH
> key pair logins when locked out, but not when disabled?

Being disabled and being locked out are two different flags, so this
can be recognized from each other.  A disabled account is a an account
which is explicitely disabled in the user DB.  A locked out account in
Windows is to my understanding an account which has unsuccessfully tried
to login multiple times so the account is locked for security reasons,
until an admin unlocks it.

Right now, with the patch I just pushed, both types, explicitely disabled
or locked out" are refused.

I think refusing an account manually and deliberately disabled by an
admin makes lots of sense.

I'm not so sure about locked out accounts.  THis might need some
discussion.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

Attachment: signature.asc
Description: PGP signature