Re: sshd permits logon using disabled user?
- Date: Thu, 24 Jan 2019 10:52:27 -0700
- From: Bill Stewart <bstewart@xxxxxxxxx>
- Subject: Re: sshd permits logon using disabled user?
Corinna Vinschen wrote:
> This description sounds extremly artificial to me. We should work under
> assumption that the admin is the good guy. Usually a user locks itself
> or is locked out by a malicious login attempt. The admin can only define
> rules for locking out, other than that she can only remove the "account
> locked" flag.
This is correct.
>From a Windows perspective, "disabled" (UF_ACCOUNTDISABLE) means "account
cannot be used to log on," and "locked out" (UF_LOCKOUT) means "there were
too many bad password attempts, so the account is locked and cannot be used
to log on at this time." The administrator can specify whether the
UF_LOCKOUT duration is indefinite (this is usually not recommended, because
this can be used for DoS) or not.
Only an administrator (or a user with appropriate permissions) can set or
clear UF_ACCOUNTDISABLE. It is used to prevent _any_ use of the account.
UF_LOCKOUT is _only_ set by bad password attempts (the number of bad
attempts is set by policy) and is not really intended to be used for any
other purpose. UF_LOCKOUT can be cleared by an administrator (or user with
appropriate permissions), or the system can clear it automatically after
some duration (specified by policy), or it can be indefinite (although, as
previously noted, this is not usually recommended).
If you want to have an account that does not require a password, there is a
separate flag for that - PASSWD_NOTREQD - although setting this may be
prohibited by policy.
So basically Corinna's idea is correct: If UF_ACCOUNTDISABLE or UF_LOCKOUT
are set, the account should not allow logon.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple