On 25/01/2019 18:03, Bill Stewart wrote: > On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier > <carr...@berkeley.edu> wrote: > >> There are different paths to access and to completely disable the account >> you need to close all of them. There are many reasons to disable some >> paths without disabling all paths and converting the switch that can >> disable one path to a switch that will disable all paths will break >> some setups and be less flexible. (As Stefan Baur is pointing out >> effectively.) >> >> To disable ssh logins really, instead of changing the way Cygwin works >> for everyone, you could do what UNIX/Linux admins do, something like >> moving the user .ssh folder to .ssh.disabled. > This is a very problematic view from a Windows system management perspective. > > I respectfully (and strongly) disagree, for at least the following reasons: > > * Cygwin runs on Windows, and as such should respect Windows security. > It is very unexpected, from a Windows administration perspective, to > have a disabled account and still be able to log onto it. > > * Proper system management/security mitigation is made quite complex > with this requirement. Imagine even a small Windows domain: I have to > scan 20000 machines in my domain to find out if they're running ssh, > troll through the disks to find ssh config files, find out the key > file names, rename them, etc. This is quite a bit harder to do than > just disabling accounts, which in many organizations is handled by an > automated process. > > Regards, > > Bill
I totally agree that Cygwin should respect the Windows disabled & locked-out semantics and disallow any form of login where either is set. Trying to shoe-horn the disabled password but enabled pubkey function into one or the other just doesn't feel right. Setting a hugely long random password (maybe via a script that never reveals said password) is a much better solution to achieve a similar effect without breaking Windows security auditing. On the other hand, I am baffled as to why Windows itself allows a token to be created for an account that is disabled or locked out. If Cygwin can do it, other programs could too so you're still vulnerable. -- Sam Edge -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple