Web lists-archives.com

Re: sshd permits logon using disabled user?




On Jan 24 09:48, Bill Stewart wrote:
> Hello Corinna,
> 
> I performed the following steps:
> 
> 1. Downloaded cygwin-20190124.tar.xz
> 2. Extracted it
> 3. Stopped sshd
> 4. Renamed existing /bin/cygwin1.dll to cygwin1-20181108.dll
> 5. Copied cygwin1.dll from download to /bin
> 6. Started sshd
> 
> Did I miss anything?

No, I did.

> It still allows logon with disabled account.

I should have tested pubkey auth as well but as it was I just tested
with pathword auth.  These methods take slightly different paths in
Cygwin when trying to switch the user account.

I pushed another patch and created new snapshots in the same location
https://cygwin.com/snapshots/.


HTH,
Corinna


> 
> Thanks,
> 
> Bill
> 
> 
> On Thu, Jan 24, 2019 at 8:45 AM Corinna Vinschen <corinna-cygwin@xxxxxxxxxx>
> wrote:
> 
> > On Jan 24 06:28, Bill Stewart wrote:
> > > I am running Windows 10 (1803) and experimenting with sshd installed as a
> > > Windows service.
> > >
> > > The computer is a domain member. I created a local computer account for
> > > testing.
> > >
> > > I created host keys and a public/private key pair to use to log on the
> > user.
> > >
> > > This works, except I notice that if I disable the Windows user account, I
> > > can still log on using ssh using that account.
> > >
> > > In the shell, logged on as the disabled user, the 'whoami' command
> > returns
> > > the name of the disabled user.
> > >
> > > This seems unexpected and not good.
> > >
> > > Why does sshd allow logon for a disabled user?
> >
> > Because the underlying Cygwin function responsible for changing the user
> > account only checks if the account exists.  It does not check for any of
> > the flags in the user DB.  Yet.
> >
> > I pushed a patch to disallow changing the user account to a disabled or
> > locked out account.
> >
> > I just uploaded new developer snapshots containing this change to
> > https://cygwin.com/snapshots/
> >
> > Please give them a try.
> >
> >
> > Thanks,
> > Corinna
> >
> > --
> > Corinna Vinschen
> > Cygwin Maintainer
> >
> 
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

-- 
Corinna Vinschen
Cygwin Maintainer

Attachment: signature.asc
Description: PGP signature