sshd permits logon using disabled user?
Stefan Baur
X2Go-ML-1@baur-itcs.de
Thu Jan 24 15:51:00 GMT 2019
Am 24.01.19 um 16:45 schrieb Corinna Vinschen:
>> In the shell, logged on as the disabled user, the 'whoami' command returns
>> the name of the disabled user.
>>
>> This seems unexpected and not good.
>>
>> Why does sshd allow logon for a disabled user?
> Because the underlying Cygwin function responsible for changing the user
> account only checks if the account exists. It does not check for any of
> the flags in the user DB. Yet.
>
> I pushed a patch to disallow changing the user account to a disabled or
> locked out account.
I would like to point out that on Linux, you can disable an account's
password ("password -l username" / "usermod -L username"), and still log
in using an SSH key pair. This is intentional and different to
disabling an account entirely ("usermod -e 1 username" combined with the
above).
So I guess, the question is if there's a way to make Cygwin act similar
to this - maybe if you can tell disabled vs. locked out apart, allow SSH
key pair logins when locked out, but not when disabled?
Kind Regards,
Stefan Baur
--
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://cygwin.com/pipermail/cygwin/attachments/20190124/3f035130/attachment.sig>
More information about the Cygwin
mailing list