Web lists-archives.com

Re: sshd permits logon using disabled user?

On 25/01/2019 18:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier
> <carrier@xxxxxxxxxxxx> wrote:
>> There are different paths to access and to completely disable the account
>> you need to close all of them.  There are many reasons to disable some
>> paths without disabling all paths and converting the switch that can
>> disable one path to a switch that will disable all paths will break
>> some setups and be less flexible.  (As Stefan Baur is pointing out
>> effectively.)
>> To disable ssh logins really, instead of changing the way Cygwin works
>> for everyone, you could do what UNIX/Linux admins do, something like
>> moving the user .ssh folder to .ssh.disabled.
> This is a very problematic view from a Windows system management perspective.
> I respectfully (and strongly) disagree, for at least the following reasons:
> * Cygwin runs on Windows, and as such should respect Windows security.
> It is very unexpected, from a Windows administration perspective, to
> have a disabled account and still be able to log onto it.
> * Proper system management/security mitigation is made quite complex
> with this requirement. Imagine even a small Windows domain: I have to
> scan 20000 machines in my domain to find out if they're running ssh,
> troll through the disks to find ssh config files, find out the key
> file names, rename them, etc. This is quite a bit harder to do than
> just disabling accounts, which in many organizations is handled by an
> automated process.
> Regards,
> Bill

I totally agree that Cygwin should respect the Windows disabled &
locked-out semantics and disallow any form of login where either is set.
Trying to shoe-horn the disabled password but enabled pubkey function
into one or the other just doesn't feel right. Setting a hugely long
random password (maybe via a script that never reveals said password) is
a much better solution to achieve a similar effect without breaking
Windows security auditing.

On the other hand, I am baffled as to why Windows itself allows a token
to be created for an account that is disabled or locked out. If Cygwin
can do it, other programs could too so you're still vulnerable.

Sam Edge

Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple