sshd permits logon using disabled user?

Stefan Baur X2Go-ML-1@baur-itcs.de
Thu Jan 24 17:01:00 GMT 2019


Am 24.01.19 um 17:36 schrieb Corinna Vinschen:
>> If an admin can lock out an account (separately from disabling it
>> entirely), say, by setting an initial password, checking the "user must
>> change password on first login", and also checking "user is not allowed
>> to change password" simultaneously (if that's possible), or, say, by
>> just setting a random password without telling it to anyone ever,
>> followed by firing so many login attempts at the account that it gets
>> locked out, then telling them apart and treating locked out accounts
>> differently would make sense, IMO.

> This description sounds extremely artificial to me. We should work under
> the assumption that the admin is the good guy.

Uh, where did I imply anything else?


>  Usually a user locks
> itself out, or is locked out by a malicious login attempt.  The admin
> can only define rules for locking out, other than that she can only
> remove the "account locked" flag.

The methods listed above, well, at least the "brute force" one, would
work for intentionally creating an account that is locked out, but not
disabled - as a good guy admin.

And the reason for doing so would be the same as running "passwd -l
username" on Linux - You don't want your users to log in with a
password, because you consider that too insecure - instead, you want
them to use the (hopefully passphrase-protected) SSH key file.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
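Added example (not part of the thread, and not Cygwin or OpenSSH code): a small POSIX shell classifier that makes the locked-versus-disabled distinction discussed above concrete for Linux-style /etc/shadow entries, where `passwd -l` prefixes the hash with `!` (locked) while an expiry date in field 8 disables the whole account. The shadow lines and the reference date are constructed sample data.

```shell
#!/bin/sh
# Classify shadow-style entries as:
#   locked  - password field starts with "!" or "*" (passwd -l, or no password set)
#   expired - account expiry day (field 8) is on or before the reference date
#   active  - otherwise
# "locked" but not "expired" is the case Stefan describes: the password is
# unusable, but the account itself is still valid.

# Reference "today" in days since the epoch; fixed (constructed) so the run is
# reproducible. 17920 corresponds to 2019-01-24.
TODAY_DAYS=17920

# classify_entry 'shadow-line' -> prints locked|expired|active
classify_entry() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    case "$pw" in
        '!'*|'*'*) state=locked ;;
        *)         state=active ;;
    esac
    # An expiry date in the past disables the account regardless of the password.
    if [ -n "$expire" ] && [ "$expire" -le "$TODAY_DAYS" ]; then
        state=expired
    fi
    printf '%s\n' "$state"
}

# Constructed sample entries; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW='alice:$6$placeholder$hash:17800:0:99999:7:::
bob:!$6$placeholder$hash:17800:0:99999:7:::
carol:*:17800:0:99999:7:::
dave:$6$placeholder$hash:17800:0:99999:7::17000:'

# report_locked_only -> user names whose password is locked but whose account
# is not expired (the accounts an admin may intend to be key-only).
report_locked_only() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        if [ "$(classify_entry "$line")" = locked ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

report_locked_only
```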
