Am 25.01.19 um 05:42 schrieb matthew patton via cygwin: > Why is this even a discussion? You *ALWAYS* refuse a login to an account that > is disabled, locked out, or has an expired password or failed any of the > other criteria that might be in effect (day/time restrictions, source IP > restrictions, etc.)
Not on Linux (and possibly other Unices). There, it's perfectly valid to disable an account's password login (both locally and remote), but to at the same time allow ssh key file based logins for the same account. Since cygwin aims to be Linux-/POSIX-compatible to a certain degree, it is indeed worthy of discussion - even if the final decision might be to just block logins completely, even with an ssh key pair. Before Corinna pushed her fix, it was possible to log in via SSH key, even when the account was locked out/disabled. Someone might have been using that "feature" on cygwin, knowing it from Linux, where it is indeed a feature/design choice. If this fix hits stable, the same people might be wondering why their ssh logins fail all of a sudden. This could be a scenario for scripted uploads via rsync/scp/sftp, for example, where people are using ssh keys locked down to certain commands. You just don't want that user account to be able to log in with only a password, ever - because the only reason that would happen would be an account compromise. And because of that, having a "there is no valid password for this account, you can try as hard as you like" setting makes more sense than just setting a long and complex password that hopefully no one ever guesses/bruteforces/sidechannel-hacks/... Kind Regards, Stefan Baur -- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243 -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple