Re: sshd permits logon using disabled user?
- Date: Sun, 27 Jan 2019 17:49:17 +0000
- From: "Sam Edge (Cygwin)" <sam.edge.cygwin@xxxxxxx>
- Subject: Re: sshd permits logon using disabled user?
On 25/01/2019 18:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier
> <carrier@xxxxxxxxxxxx> wrote:
>> There are different paths to access, and to completely disable the account
>> you need to close all of them. There are many reasons to disable some
>> paths without disabling all paths and converting the switch that can
>> disable one path to a switch that will disable all paths will break
>> some setups and be less flexible. (As Stefan Baur is pointing out
>> To really disable ssh logins, instead of changing the way Cygwin works
>> for everyone, you could do what UNIX/Linux admins do, something like
>> moving the user's .ssh folder to .ssh.disabled.
> This is a very problematic view from a Windows system management perspective.
> I respectfully (and strongly) disagree, for at least the following reasons:
> * Cygwin runs on Windows, and as such should respect Windows security.
> It is very unexpected, from a Windows administration perspective, to
> have a disabled account and still be able to log onto it.
> * Proper system management/security mitigation is made quite complex
> with this requirement. Imagine even a small Windows domain: I have to
> scan 20000 machines in my domain to find out if they're running ssh,
> troll through the disks to find ssh config files, find out the key
> file names, rename them, etc. This is quite a bit harder to do than
> just disabling accounts, which in many organizations is handled by an
> automated process.
I totally agree that Cygwin should respect the Windows disabled &
locked-out semantics and disallow any form of login where either is set.
Trying to shoe-horn the disabled password but enabled pubkey function
into one or the other just doesn't feel right. Setting a hugely long
random password (maybe via a script that never reveals said password) is
a much better solution to achieve a similar effect without breaking
Windows security auditing.
On the other hand, I am baffled as to why Windows itself allows a token
to be created for an account that is disabled or locked out. If Cygwin
can do it, other programs could too so you're still vulnerable.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
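The "hugely long random password set by a script that never reveals it" approach from the message above, written out as an added example; this is not code from the thread or from the Cygwin project. It assumes the LocalAccounts module that ships with Windows PowerShell 5.1 (Get-LocalUser / Set-LocalUser) and a local account, and the user name is a placeholder parameter. The password is drawn from the CSPRNG straight into a SecureString with rejection sampling so no plaintext copy is ever held in a string or printed; the account's Enabled flag is left alone, which is the point: password logon becomes impractical while pubkey logon through sshd keeps working, and the normal Windows audit trail (password change event) still records what happened.

```powershell
# Added example: scramble a local account's password without ever revealing it.
# Assumptions: Windows PowerShell 5.1 LocalAccounts module; run as an administrator;
# $UserName is a placeholder for the account you want to lock out of password logon.
param(
    [Parameter(Mandatory = $true)] [string] $UserName,
    [int] $Length = 64
)

# Fail early if the account does not exist; do not touch the Enabled flag.
$user = Get-LocalUser -Name $UserName -ErrorAction Stop
if (-not $user.Enabled) {
    Write-Warning "$UserName is already disabled in Windows; scrambling its password anyway."
}

# Build the password from the system CSPRNG directly into a SecureString.
# Printable ASCII 0x21..0x7E is 94 symbols; 256 is not a multiple of 94, so
# reject bytes >= 188 (2 * 94) to avoid modulo bias in the character choice.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$one    = New-Object byte[] 1
$secure = New-Object System.Security.SecureString
while ($secure.Length -lt $Length) {
    $rng.GetBytes($one)
    if ($one[0] -lt 188) {
        $secure.AppendChar([char](0x21 + ($one[0] % 94)))
    }
}
$secure.MakeReadOnly()
[Array]::Clear($one, 0, $one.Length)
$rng.Dispose()

# Apply the new password. Nothing in this script ever converts $secure back to
# plaintext, so the value is unknown to the operator as well as to the log.
Set-LocalUser -Name $UserName -Password $secure

# Confirm the change was recorded; PasswordLastSet is what an auditor would check,
# together with the password-change event the SAM writes for this account.
$after = Get-LocalUser -Name $UserName
[pscustomobject]@{
    User            = $after.Name
    Enabled         = $after.Enabled
    PasswordLastSet = $after.PasswordLastSet
}
```

Usage: save as Scramble-LocalPassword.ps1 and run `.\Scramble-LocalPassword.ps1 -UserName <account>` from an elevated prompt. Because the account stays enabled, an automated de-provisioning process that disables accounts still has to run separately; this script only closes the password path while leaving pubkey access intact, which is the narrower effect the message is describing.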