Am 24.01.19 um 16:45 schrieb Corinna Vinschen: >> In the shell, logged on as the disabled user, the 'whoami' command returns >> the name of the disabled user. >> >> This seems unexpected and not good. >> >> Why does sshd allow logon for a disabled user? > Because the underlying Cygwin function responsible for changing the user > account only checks if the account exists. It does not check for any of > the flags in the user DB. Yet. > > I pushed a patch to disallow changing the user account to a disabled or > locked out account.
I would like to point out that on Linux, you can disable an account's password ("password -l username" / "usermod -L username"), and still log in using an SSH key pair. This is intentional and different to disabling an account entirely ("usermod -e 1 username" combined with the above). So I guess, the question is if there's a way to make Cygwin act similar to this - maybe if you can tell disabled vs. locked out apart, allow SSH key pair logins when locked out, but not when disabled? Kind Regards, Stefan Baur -- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
signature.asc
Description: OpenPGP digital signature