On Jan 24 16:51, Stefan Baur wrote:
> On 24.01.19 at 16:45, Corinna Vinschen wrote:
> >> In the shell, logged on as the disabled user, the 'whoami' command returns
> >> the name of the disabled user.
> >>
> >> This seems unexpected and not good.
> >>
> >> Why does sshd allow logon for a disabled user?
> > Because the underlying Cygwin function responsible for changing the user
> > account only checks if the account exists. It does not check for any of
> > the flags in the user DB. Yet.
> >
> > I pushed a patch to disallow changing the user account to a disabled or
> > locked out account.
>
> I would like to point out that on Linux, you can disable an account's
> password ("password -l username" / "usermod -L username"), and still log
> in using an SSH key pair. This is intentional and different to
> disabling an account entirely ("usermod -e 1 username" combined with the
> above).
>
> So I guess, the question is if there's a way to make Cygwin act similar
> to this - maybe if you can tell disabled vs. locked out apart, allow SSH
> key pair logins when locked out, but not when disabled?
Being disabled and being locked out are two different flags, so this can be recognized from each other. A disabled account is an account which is explicitly disabled in the user DB. A locked out account in Windows is to my understanding an account which has unsuccessfully tried to login multiple times so the account is locked for security reasons, until an admin unlocks it.

Right now, with the patch I just pushed, both types, explicitly disabled or locked out, are refused. I think refusing an account manually and deliberately disabled by an admin makes lots of sense. I'm not so sure about locked out accounts. This might need some discussion.

Corinna

--
Corinna Vinschen
Cygwin Maintainer
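To make the two policies under discussion concrete, here is an added example (not Cygwin's code) that reads an account's flags from the local SAM with NetUserGetInfo and then applies either the strict rule of the pushed patch (refuse disabled and locked out alike) or the Linux-like rule Stefan describes (refuse disabled always, let a locked-out account in only with a key pair). The flag values are those of UF_ACCOUNTDISABLE and UF_LOCKOUT from lmaccess.h; the enum, function names and the sketch of the policy split are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <lm.h>          /* link with netapi32 */
#else
/* Flag values as defined in lmaccess.h (Windows SDK); repeated here so the
 * policy functions below build and run on non-Windows hosts as well. */
#define UF_ACCOUNTDISABLE 0x0002
#define UF_LOCKOUT        0x0010
#endif

/* Hypothetical: how the sshd session being set up authenticated. */
enum auth_method { AUTH_PASSWORD, AUTH_PUBKEY };

/* Policy of the pushed patch as described in the thread: a disabled or a
 * locked-out account is refused regardless of authentication method. */
bool allow_login_strict(unsigned long flags, enum auth_method method)
{
    (void)method;
    return (flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT)) == 0;
}

/* Linux-like policy from Stefan's mail: an explicitly disabled account is
 * always refused; a locked-out account may still use a key pair, never a
 * password (a lockout is a password-guessing defence, so the password path
 * stays closed until an admin clears it). */
bool allow_login_linux_like(unsigned long flags, enum auth_method method)
{
    if (flags & UF_ACCOUNTDISABLE)
        return false;
    if (flags & UF_LOCKOUT)
        return method == AUTH_PUBKEY;
    return true;
}

#ifdef _WIN32
/* Fetch the account flags from the local user DB (USER_INFO_1.usri1_flags).
 * Returns false if the account cannot be looked up. */
bool get_account_flags(const wchar_t *user, unsigned long *flags)
{
    USER_INFO_1 *ui = NULL;
    if (NetUserGetInfo(NULL, user, 1, (LPBYTE *)&ui) != NERR_Success)
        return false;
    *flags = ui->usri1_flags;
    NetApiBufferFree(ui);
    return true;
}
#endif
```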