Re: sshd permits logon using disabled user?

2019-01-29 Thread Corinna Vinschen
On Jan 29 11:18, Bill Stewart wrote:
> On Tue, Jan 29, 2019 at 10:05 AM Corinna Vinschen wrote:
> 
> > Please try the snapshots I just uploaded to https://cygwin.com/snapshots/
> > They should fix the problem.  It turned out that I restricted the
> > permissions of processes too much for Windows 7.  The same code works
> > fine since Windows 8.
> 
> Tested updated DLL - working on Windows 7. Excellent - thank you!
> 
> Bill

Thanks a lot for testing,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-29 Thread Bill Stewart
On Tue, Jan 29, 2019 at 10:05 AM Corinna Vinschen wrote:

> Please try the snapshots I just uploaded to https://cygwin.com/snapshots/
> They should fix the problem.  It turned out that I restricted the
> permissions of processes too much for Windows 7.  The same code works
> fine since Windows 8.

Tested updated DLL - working on Windows 7. Excellent - thank you!

Bill

--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple



Re: sshd permits logon using disabled user?

2019-01-29 Thread Corinna Vinschen
On Jan 29 13:12, Corinna Vinschen wrote:
> On Jan 29 12:56, Corinna Vinschen wrote:
> > On Jan 28 14:49, Bill Stewart wrote:
> > > On Mon, Jan 28, 2019 at 1:14 PM Bill Stewart  wrote:
> > > 
> > > > Thank you. I wanted to point out that I have not had a chance to test
> > > > using a non-domain computer yet. I will try that scenario as well.
> > > 
> > > Hi Corinna,
> > > 
> > > I unjoined a Windows 7 machine from the domain and tested as follows:
> > > 
> > > 1. Ran setup and installed cygwin
> > > 
> > > 2. Ran sshd-host-config and answered "no" to install as service
> > > 
> > > 3. Installed service using this command line:
> > > 
> > > cygrunsrv -I cygsshd -d "Cygwin SSH Service" -p "/usr/sbin/sshd" -a
> > > "-D" -y "tcpip"
> > > 
> > > 4. Renamed cygwin1.dll to a backup name and replaced with copy from
> > > latest snapshot
> > > 
> > > When I try to start the service, I get error 1067 ("the process
> > > terminated unexpectedly"). Event log states:
> > > 
> > > cygsshd: PID : starting service `cygsshd' failed: fork: 11,
> > > Resource temporarily available
> > > 
> > > If I start bash elevated and run this:
> > > 
> > > /usr/sbin/sshd -d
> > > 
> > > It starts and listens on port 22 and I can connect.
> > > 
> > > Thoughts?
> > 
> > I can reproduce this on W7, while it works fine on W10.  Unfortunately I
> > haven't much time today and tomorrow but I'll try to get around to it
> > Thursday or Friday.
> > 
> > In the meantime, can you try the snapshots which one started to
> > introduce this issue?
> 
> Never mind, I found the culprit.

Please try the snapshots I just uploaded to https://cygwin.com/snapshots/
They should fix the problem.  It turned out that I restricted the
permissions of processes too much for Windows 7.  The same code works
fine since Windows 8.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-29 Thread Corinna Vinschen
On Jan 29 12:56, Corinna Vinschen wrote:
> On Jan 28 14:49, Bill Stewart wrote:
> > On Mon, Jan 28, 2019 at 1:14 PM Bill Stewart  wrote:
> > 
> > > Thank you. I wanted to point out that I have not had a chance to test
> > > using a non-domain computer yet. I will try that scenario as well.
> > 
> > Hi Corinna,
> > 
> > I unjoined a Windows 7 machine from the domain and tested as follows:
> > 
> > 1. Ran setup and installed cygwin
> > 
> > 2. Ran sshd-host-config and answered "no" to install as service
> > 
> > 3. Installed service using this command line:
> > 
> > cygrunsrv -I cygsshd -d "Cygwin SSH Service" -p "/usr/sbin/sshd" -a
> > "-D" -y "tcpip"
> > 
> > 4. Renamed cygwin1.dll to a backup name and replaced with copy from
> > latest snapshot
> > 
> > When I try to start the service, I get error 1067 ("the process
> > terminated unexpectedly"). Event log states:
> > 
> > cygsshd: PID : starting service `cygsshd' failed: fork: 11,
> > Resource temporarily available
> > 
> > If I start bash elevated and run this:
> > 
> > /usr/sbin/sshd -d
> > 
> > It starts and listens on port 22 and I can connect.
> > 
> > Thoughts?
> 
> I can reproduce this on W7, while it works fine on W10.  Unfortunately I
> haven't much time today and tomorrow but I'll try to get around to it
> Thursday or Friday.
> 
> In the meantime, can you try the snapshots which one started to
> introduce this issue?

Never mind, I found the culprit.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-29 Thread Corinna Vinschen
On Jan 28 14:49, Bill Stewart wrote:
> On Mon, Jan 28, 2019 at 1:14 PM Bill Stewart  wrote:
> 
> > Thank you. I wanted to point out that I have not had a chance to test
> > using a non-domain computer yet. I will try that scenario as well.
> 
> Hi Corinna,
> 
> I unjoined a Windows 7 machine from the domain and tested as follows:
> 
> 1. Ran setup and installed cygwin
> 
> 2. Ran sshd-host-config and answered "no" to install as service
> 
> 3. Installed service using this command line:
> 
> cygrunsrv -I cygsshd -d "Cygwin SSH Service" -p "/usr/sbin/sshd" -a
> "-D" -y "tcpip"
> 
> 4. Renamed cygwin1.dll to a backup name and replaced with copy from
> latest snapshot
> 
> When I try to start the service, I get error 1067 ("the process
> terminated unexpectedly"). Event log states:
> 
> cygsshd: PID : starting service `cygsshd' failed: fork: 11,
> Resource temporarily available
> 
> If I start bash elevated and run this:
> 
> /usr/sbin/sshd -d
> 
> It starts and listens on port 22 and I can connect.
> 
> Thoughts?

I can reproduce this on W7, while it works fine on W10.  Unfortunately I
haven't much time today and tomorrow but I'll try to get around to it
Thursday or Friday.

In the meantime, can you try the snapshots which one started to
introduce this issue?


Thanks and sorry for the hassle,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-28 Thread Bill Stewart
On Mon, Jan 28, 2019 at 2:49 PM Bill Stewart wrote:

> I unjoined a Windows 7 machine from the domain and tested as follows:
>
> 1. Ran setup and installed cygwin
>
> 2. Ran sshd-host-config and answered "no" to install as service
>
> 3. Installed service using this command line:
>
> cygrunsrv -I cygsshd -d "Cygwin SSH Service" -p "/usr/sbin/sshd" -a
> "-D" -y "tcpip"
>
> 4. Renamed cygwin1.dll to a backup name and replaced with copy from
> latest snapshot
>
> When I try to start the service, I get error 1067 ("the process
> terminated unexpectedly"). Event log states:
>
> cygsshd: PID : starting service `cygsshd' failed: fork: 11,
> Resource temporarily available
>
> If I start bash elevated and run this:
>
> /usr/sbin/sshd -d
>
> It starts and listens on port 22 and I can connect.

Also: If I revert cygwin1.dll to the 11/8/2018 version I am able to
start the service.

Bill




Re: sshd permits logon using disabled user?

2019-01-28 Thread Bill Stewart
On Mon, Jan 28, 2019 at 1:14 PM Bill Stewart wrote:

> Thank you. I wanted to point out that I have not had a chance to test
> using a non-domain computer yet. I will try that scenario as well.

Hi Corinna,

I unjoined a Windows 7 machine from the domain and tested as follows:

1. Ran setup and installed cygwin

2. Ran sshd-host-config and answered "no" to install as service

3. Installed service using this command line:

cygrunsrv -I cygsshd -d "Cygwin SSH Service" -p "/usr/sbin/sshd" -a
"-D" -y "tcpip"

4. Renamed cygwin1.dll to a backup name and replaced with copy from
latest snapshot

When I try to start the service, I get error 1067 ("the process
terminated unexpectedly"). Event log states:

cygsshd: PID : starting service `cygsshd' failed: fork: 11,
Resource temporarily available

If I start bash elevated and run this:

/usr/sbin/sshd -d

It starts and listens on port 22 and I can connect.

Thoughts?

Bill




Re: sshd permits logon using disabled user?

2019-01-28 Thread Bill Stewart
On Mon, Jan 28, 2019 at 11:39 AM Corinna Vinschen wrote:

> Along these lines I have an OpenSSH patch in the loop which reverts
> the ssh-host-config script back to using the SYSTEM user, just as
> in the olden Windows XP days.  I'll send it upstream as soon as
> Cygwin 3.0 is officially released.  I attached the resulting
> ssh-host-config script to this mail, if you or anybody else want
> to test it.
> ...
> Super, thank you!  I guess I will roll out a Cygwin test release in the
> next couple of days.

Hi Corinna,

Thank you. I wanted to point out that I have not had a chance to test
using a non-domain computer yet. I will try that scenario as well.

Bill




Re: sshd permits logon using disabled user?

2019-01-28 Thread Corinna Vinschen
On Jan 28 10:18, Bill Stewart wrote:
> On Mon, Jan 28, 2019 at 9:52 AM Corinna Vinschen wrote:
> >
> > On Jan 28 08:02, Bill Stewart wrote:
> > > On Mon, Jan 28, 2019 at 2:59 AM Corinna Vinschen wrote:
> > >
> > > > Can you please test again with the latest snapshot from
> > > > https://cygwin.com/snapshots/?  The new S4U authentication method
> > > > used in this snapshot automatically applies the Windows account rules so
> > > > in my testing the patch I applied originally is not required anymore.
> > > > Consequentially I disabled it to rely fully on the Windows function's
> > > > behaviour.  Can you test this, too, please, just to be sure?
> > >
> > > Thank you Corinna; I will test.
> > >
> > > Will the S4U authentication work on standalone (non domain-joined)
> > > machines also?
> >
> > It uses MsV1_0 S4U on standalone workstations, Kerberos S4U on domain
> > member machines with fallback to MsV1_0 under some circumstances.
> 
> Hi Corinna,
> 
> This is great that the service can run using the SYSTEM account! It
> greatly simplifies management.

Along these lines I have an OpenSSH patch in the loop which reverts
the ssh-host-config script back to using the SYSTEM user, just as
in the olden Windows XP days.  I'll send it upstream as soon as
Cygwin 3.0 is officially released.  I attached the resulting
ssh-host-config script to this mail, if you or anybody else want
to test it.

> I tested and it worked as expected.
> 
> Thank you!

Super, thank you!  I guess I will roll out a Cygwin test release in the
next couple of days.


Stay tuned,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
#!/bin/bash
#
# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF   
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.   

# ==
# Initialization
# ==

CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# List of apps used.  This is checked for existence in csih_sanity_check
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
declare -a csih_required_commands=(
  /usr/bin/basename coreutils
  /usr/bin/cat coreutils
  /usr/bin/chmod coreutils
  /usr/bin/dirname coreutils
  /usr/bin/id coreutils
  /usr/bin/mv coreutils
  /usr/bin/rm coreutils
  /usr/bin/cygpath cygwin
  /usr/bin/mkpasswd cygwin
  /usr/bin/mount cygwin
  /usr/bin/ps cygwin
  /usr/bin/umount cygwin
  /usr/bin/cmp diffutils
  /usr/bin/grep grep
  /usr/bin/awk gawk
  /usr/bin/ssh-keygen openssh
  /usr/sbin/sshd openssh
  /usr/bin/sed sed
)
csih_sanity_check_server=yes
source ${CSIH_SCRIPT}

PROGNAME=$(/usr/bin/basename $0)
_tdir=$(/usr/bin/dirname $0)
PROGDIR=$(cd $_tdir && pwd)

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

sshd_config_configured=no
port_number=22
service_name=cygsshd
strictmodes=yes
cygwin_value=""
user_account=
password_value=
opt_force=no

# ==
# Routine: update_services_file
# ==
update_services_file() {
  local _my_etcdir="/ssh-host-config.$$"
  local _win_etcdir
  local _services
  local _spaces
  local _serv_tmp
  local _wservices
  local ret=0

  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  _spaces="   #"
  _serv_tmp="${_my_etcdir}/srv.out.$$"

  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"

  # Depends on the above mount
  _wservices=`cygpath -w "${_services}"`

  # Add ssh 22/tcp  and ssh 22/udp to services
  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
  then
    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
    then
      if /usr/bin/mv "${_serv_tmp}" "${_services}"
      then
csih_inform "Added ssh to 

Re: sshd permits logon using disabled user?

2019-01-28 Thread Bill Stewart
On Mon, Jan 28, 2019 at 9:52 AM Corinna Vinschen wrote:
>
> On Jan 28 08:02, Bill Stewart wrote:
> > On Mon, Jan 28, 2019 at 2:59 AM Corinna Vinschen wrote:
> >
> > > Can you please test again with the latest snapshot from
> > > https://cygwin.com/snapshots/?  The new S4U authentication method
> > > used in this snapshot automatically applies the Windows account rules so
> > > in my testing the patch I applied originally is not required anymore.
> > > Consequentially I disabled it to rely fully on the Windows function's
> > > behaviour.  Can you test this, too, please, just to be sure?
> >
> > Thank you Corinna; I will test.
> >
> > Will the S4U authentication work on standalone (non domain-joined)
> > machines also?
>
> It uses MsV1_0 S4U on standalone workstations, Kerberos S4U on domain
> member machines with fallback to MsV1_0 under some circumstances.

Hi Corinna,

This is great that the service can run using the SYSTEM account! It
greatly simplifies management.

I tested and it worked as expected.

Thank you!

Bill




Re: sshd permits logon using disabled user?

2019-01-28 Thread Corinna Vinschen
On Jan 28 08:02, Bill Stewart wrote:
> On Mon, Jan 28, 2019 at 2:59 AM Corinna Vinschen wrote:
> 
> > Can you please test again with the latest snapshot from
> > https://cygwin.com/snapshots/?  The new S4U authentication method
> > used in this snapshot automatically applies the Windows account rules so
> > in my testing the patch I applied originally is not required anymore.
> > Consequentially I disabled it to rely fully on the Windows function's
> > behaviour.  Can you test this, too, please, just to be sure?
> 
> Thank you Corinna; I will test.
> 
> Will the S4U authentication work on standalone (non domain-joined)
> machines also?

It uses MsV1_0 S4U on standalone workstations, Kerberos S4U on domain
member machines with fallback to MsV1_0 under some circumstances.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-28 Thread Bill Stewart
On Mon, Jan 28, 2019 at 2:59 AM Corinna Vinschen wrote:

> Can you please test again with the latest snapshot from
> https://cygwin.com/snapshots/?  The new S4U authentication method
> used in this snapshot automatically applies the Windows account rules so
> in my testing the patch I applied originally is not required anymore.
> Consequentially I disabled it to rely fully on the Windows function's
> behaviour.  Can you test this, too, please, just to be sure?

Thank you Corinna; I will test.

Will the S4U authentication work on standalone (non domain-joined)
machines also?

Bill




Re: sshd permits logon using disabled user?

2019-01-28 Thread Sam Edge
On 27/01/2019 22:10, Corinna Vinschen wrote:
> On Jan 27 17:49, Sam Edge (Cygwin) wrote:
>> On 25/01/2019 18:03, Bill Stewart wrote:
>>> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier wrote:
>>>
>>>> There are different paths to access and to completely disable the account
>>>> you need to close all of them.  There are many reasons to disable some
>>>> paths without disabling all paths and converting the switch that can
>>>> disable one path to a switch that will disable all paths will break
>>>> some setups and be less flexible.  (As Stefan Baur is pointing out
>>>> effectively.)
>>>>
>>>> To disable ssh logins really, instead of changing the way Cygwin works
>>>> for everyone, you could do what UNIX/Linux admins do, something like
>>>> moving the user .ssh folder to .ssh.disabled.
>>> This is a very problematic view from a Windows system management 
>>> perspective.
>>>
>>> I respectfully (and strongly) disagree, for at least the following reasons:
>>>
>>> * Cygwin runs on Windows, and as such should respect Windows security.
>>> It is very unexpected, from a Windows administration perspective, to
>>> have a disabled account and still be able to log onto it.
>>>
>>> * Proper system management/security mitigation is made quite complex
>>> with this requirement. Imagine even a small Windows domain: I have to
>>> scan 2 machines in my domain to find out if they're running ssh,
>>> troll through the disks to find ssh config files, find out the key
>>> file names, rename them, etc. This is quite a bit harder to do than
>>> just disabling accounts, which in many organizations is handled by an
>>> automated process.
>>>
>>> Regards,
>>>
>>> Bill
>>
>> I totally agree that Cygwin should respect the Windows disabled &
>> locked-out semantics and disallow any form of login where either is set.
>> Trying to shoe-horn the disabled password but enabled pubkey function
>> into one or the other just doesn't feel right. Setting a hugely long
>> random password (maybe via a script that never reveals said password) is
>> a much better solution to achieve a similar effect without breaking
>> Windows security auditing.
>>
>> On the other hand, I am baffled as to why Windows itself allows a token
>> to be created for an account that is disabled or locked out. If Cygwin
>> can do it, other programs could too so you're still vulnerable.
> No, Windows doesn't allow that unless the process has very specific
> privileges.  But keep in mind that a token is required to do stuff on
> behalf of a user.  So even if the user is disabled from interactive
> logon, a service process might have a valid reason to create a token
> for that user to perform a non-interactive purpose.
>
> In terms of these special privileges, right now we require these
> privileges for an account which switches the user (e.g., via sshd
> installed as a service), as outlined in
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
>
> However, this should change with the upcoming 3.0 release of Cygwin
> which replaces the "create token" method with another method called
> "S4U".  This method creates perfectly valid tokens with only documented
> functions without requiring any super-special permissions.
>
> I'm pretty excited about this change because it drops the requirement
> to create a special Cygwin service account.  sshd and other services
> can finally run under the normal LocalSystem account again.
>
> This patch is available in the most recent developer snapshot from
> https://cygwin.com/snapshots/ btw.
>
>
> Corinna
>
Hi Corinna. Thanks for the explanation. And the heads-up on the change.
Having a rummage through docs out of curiosity. (Tangential to my day job.)

I think I grok Win32 and Linux FS ACLs but my expertise on OS process
security models peaked somewhere around System V. :-S

Anyway, the fact that activity can still occur in the name of
disabled/locked-out accounts is, perhaps, something that people in
Bill's position should consider, given his concerns. But that's rather OT.

As ever, kudos to yourself and the rest of the contributors to Cygwin.
Still my go-to tool wherever I land.







Re: sshd permits logon using disabled user?

2019-01-28 Thread Corinna Vinschen
Bill,

On Jan 25 11:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier wrote:
> 
> > There are different paths to access and to completely disable the account
> > you need to close all of them.  There are many reasons to disable some
> > paths without disabling all paths and converting the switch that can
> > disable one path to a switch that will disable all paths will break
> > some setups and be less flexible.  (As Stefan Baur is pointing out
> > effectively.)
> >
> > To disable ssh logins really, instead of changing the way Cygwin works
> > for everyone, you could do what UNIX/Linux admins do, something like
> > moving the user .ssh folder to .ssh.disabled.
> 
> This is a very problematic view from a Windows system management perspective.
> 
> I respectfully (and strongly) disagree, for at least the following reasons:
> 
> * Cygwin runs on Windows, and as such should respect Windows security.
> It is very unexpected, from a Windows administration perspective, to
> have a disabled account and still be able to log onto it.
> 
> * Proper system management/security mitigation is made quite complex
> with this requirement. Imagine even a small Windows domain: I have to
> scan 2 machines in my domain to find out if they're running ssh,
> troll through the disks to find ssh config files, find out the key
> file names, rename them, etc. This is quite a bit harder to do than
> just disabling accounts, which in many organizations is handled by an
> automated process.

Can you please test again with the latest snapshot from
https://cygwin.com/snapshots/?  The new S4U authentication method
used in this snapshot automatically applies the Windows account rules so
in my testing the patch I applied originally is not required anymore.
Consequentially I disabled it to rely fully on the Windows function's
behaviour.  Can you test this, too, please, just to be sure?


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-27 Thread Corinna Vinschen
On Jan 27 17:49, Sam Edge (Cygwin) wrote:
> On 25/01/2019 18:03, Bill Stewart wrote:
> > On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier wrote:
> >
> >> There are different paths to access and to completely disable the account
> >> you need to close all of them.  There are many reasons to disable some
> >> paths without disabling all paths and converting the switch that can
> >> disable one path to a switch that will disable all paths will break
> >> some setups and be less flexible.  (As Stefan Baur is pointing out
> >> effectively.)
> >>
> >> To disable ssh logins really, instead of changing the way Cygwin works
> >> for everyone, you could do what UNIX/Linux admins do, something like
> >> moving the user .ssh folder to .ssh.disabled.
> > This is a very problematic view from a Windows system management 
> > perspective.
> >
> > I respectfully (and strongly) disagree, for at least the following reasons:
> >
> > * Cygwin runs on Windows, and as such should respect Windows security.
> > It is very unexpected, from a Windows administration perspective, to
> > have a disabled account and still be able to log onto it.
> >
> > * Proper system management/security mitigation is made quite complex
> > with this requirement. Imagine even a small Windows domain: I have to
> > scan 2 machines in my domain to find out if they're running ssh,
> > troll through the disks to find ssh config files, find out the key
> > file names, rename them, etc. This is quite a bit harder to do than
> > just disabling accounts, which in many organizations is handled by an
> > automated process.
> >
> > Regards,
> >
> > Bill
> 
> 
> I totally agree that Cygwin should respect the Windows disabled &
> locked-out semantics and disallow any form of login where either is set.
> Trying to shoe-horn the disabled password but enabled pubkey function
> into one or the other just doesn't feel right. Setting a hugely long
> random password (maybe via a script that never reveals said password) is
> a much better solution to achieve a similar effect without breaking
> Windows security auditing.
> 
> On the other hand, I am baffled as to why Windows itself allows a token
> to be created for an account that is disabled or locked out. If Cygwin
> can do it, other programs could too so you're still vulnerable.

No, Windows doesn't allow that unless the process has very specific
privileges.  But keep in mind that a token is required to do stuff on
behalf of a user.  So even if the user is disabled from interactive
logon, a service process might have a valid reason to create a token
for that user to perform a non-interactive purpose.

In terms of these special privileges, right now we require these
privileges for an account which switches the user (e.g., via sshd
installed as a service), as outlined in
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1

However, this should change with the upcoming 3.0 release of Cygwin
which replaces the "create token" method with another method called
"S4U".  This method creates perfectly valid tokens with only documented
functions without requiring any super-special permissions.

I'm pretty excited about this change because it drops the requirement
to create a special Cygwin service account.  sshd and other services
can finally run under the normal LocalSystem account again.

This patch is available in the most recent developer snapshot from
https://cygwin.com/snapshots/ btw.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-27 Thread Sam Edge (Cygwin)
On 25/01/2019 18:03, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier wrote:
>
>> There are different paths to access and to completely disable the account
>> you need to close all of them.  There are many reasons to disable some
>> paths without disabling all paths and converting the switch that can
>> disable one path to a switch that will disable all paths will break
>> some setups and be less flexible.  (As Stefan Baur is pointing out
>> effectively.)
>>
>> To disable ssh logins really, instead of changing the way Cygwin works
>> for everyone, you could do what UNIX/Linux admins do, something like
>> moving the user .ssh folder to .ssh.disabled.
> This is a very problematic view from a Windows system management perspective.
>
> I respectfully (and strongly) disagree, for at least the following reasons:
>
> * Cygwin runs on Windows, and as such should respect Windows security.
> It is very unexpected, from a Windows administration perspective, to
> have a disabled account and still be able to log onto it.
>
> * Proper system management/security mitigation is made quite complex
> with this requirement. Imagine even a small Windows domain: I have to
> scan 2 machines in my domain to find out if they're running ssh,
> troll through the disks to find ssh config files, find out the key
> file names, rename them, etc. This is quite a bit harder to do than
> just disabling accounts, which in many organizations is handled by an
> automated process.
>
> Regards,
>
> Bill


I totally agree that Cygwin should respect the Windows disabled &
locked-out semantics and disallow any form of login where either is set.
Trying to shoe-horn the disabled password but enabled pubkey function
into one or the other just doesn't feel right. Setting a hugely long
random password (maybe via a script that never reveals said password) is
a much better solution to achieve a similar effect without breaking
Windows security auditing.

On the other hand, I am baffled as to why Windows itself allows a token
to be created for an account that is disabled or locked out. If Cygwin
can do it, other programs could too so you're still vulnerable.

-- 
Sam Edge





Re: sshd permits logon using disabled user?

2019-01-26 Thread Andrey Repin
Greetings, Bill Stewart!

> Only an administrator (or a user with appropriate permissions) can set or
> clear UF_ACCOUNTDISABLE. It is used to prevent _any_ use of the account.

I would raise a correction, which is immaterial for Cygwin perspective.
Disabled accounts may still be used for internal/maintenance purposes.
I.e. a disabled Administrator account won't prevent invocation of a database
recovery procedure.


-- 
With best regards,
Andrey Repin
Saturday, January 26, 2019 22:13:54

Sorry for my terrible english...





Re: sshd permits logon using disabled user?

2019-01-26 Thread Andrey Repin
Greetings, Stefan Baur!

> If an admin can lock out an account (separately from disabling it
> entirely), say, by setting an initial password, checking the "user must
> change password on first login", and also checking "user is not allowed
> to change password" simultaneously (if that's possible),

Unfortunately, that's not possible.


-- 
With best regards,
Andrey Repin
Saturday, January 26, 2019 22:01:42

Sorry for my terrible english...





Re: sshd permits logon using disabled user?

2019-01-25 Thread Bill Stewart
On Fri, Jan 25, 2019 at 10:48 AM Stephen Paul Carrier wrote:

> There are different paths to access and to completely disable the account
> you need to close all of them.  There are many reasons to disable some
> paths without disabling all paths and converting the switch that can
> disable one path to a switch that will disable all paths will break
> some setups and be less flexible.  (As Stefan Baur is pointing out
> effectively.)
>
> To disable ssh logins really, instead of changing the way Cygwin works
> for everyone, you could do what UNIX/Linux admins do, something like
> moving the user .ssh folder to .ssh.disabled.

This is a very problematic view from a Windows system management perspective.

I respectfully (and strongly) disagree, for at least the following reasons:

* Cygwin runs on Windows, and as such should respect Windows security.
It is very unexpected, from a Windows administration perspective, to
have a disabled account and still be able to log onto it.

* Proper system management/security mitigation is made quite complex
with this requirement. Imagine even a small Windows domain: I have to
scan 2 machines in my domain to find out if they're running ssh,
troll through the disks to find ssh config files, find out the key
file names, rename them, etc. This is quite a bit harder to do than
just disabling accounts, which in many organizations is handled by an
automated process.

Regards,

Bill




Re: sshd permits logon using disabled user?

2019-01-25 Thread Stephen Paul Carrier
On Fri, Jan 25, 2019 at 08:34:09AM -0700, Bill Stewart wrote:
> On Fri, Jan 25, 2019 at 3:36 AM Stefan Baur  wrote:
> 
> > Not on Linux (and possibly other Unices).  There, it's perfectly valid
> > to disable an account's password login (both locally and remote), but to
> > at the same time allow ssh key file based logins for the same account.
> 
> But disabling _password login_ is an entirely separate issue from
> disabling _the account itself_.
> 
> Before the fix, it was possible to log on to sshd using a disabled (or
> locked) account.
> 
> There should be _no_ scenario where it is possible to log on using a
> disabled/locked account.

There are different paths to access and to completely disable the account
you need to close all of them.  There are many reasons to disable some
paths without disabling all paths and converting the switch that can
disable one path to a switch that will disable all paths will break
some setups and be less flexible.  (As Stefan Baur is pointing out
effectively.)

To disable ssh logins really, instead of changing the way Cygwin works
for everyone, you could do what UNIX/Linux admins do, something like
moving the user .ssh folder to .ssh.disabled.

Stephen Carrier
Systems Administrator 
BEAR (Berkeley Evaluation & Assessment Research) Center
Graduate School of Education
University of California, Berkeley
http://BEARcenter.Berkeley.EDU/
carr...@berkeley.edu




Re: sshd permits logon using disabled user?

2019-01-25 Thread Corinna Vinschen
On Jan 24 13:36, Bill Stewart wrote:
> On Thu, Jan 24, 2019 at 1:23 PM Corinna Vinschen
>  wrote:
> 
> > I should have tested pubkey auth as well but as it was I just tested
> > with password auth.  These methods take slightly different paths in
> > Cygwin when trying to switch the user account.
> >
> > I pushed another patch and created new snapshots in the same location
> > https://cygwin.com/snapshots/.
> 
> Just tested. Working now.
> 
> This is definitely the correct behavior IMO.
> 
> Thank you!

Thanks for testing,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-25 Thread Bill Stewart
On Fri, Jan 25, 2019 at 3:36 AM Stefan Baur  wrote:

> Not on Linux (and possibly other Unices).  There, it's perfectly valid
> to disable an account's password login (both locally and remote), but to
> at the same time allow ssh key file based logins for the same account.

But disabling _password login_ is an entirely separate issue from
disabling _the account itself_.

Before the fix, it was possible to log on to sshd using a disabled (or
locked) account.

There should be _no_ scenario where it is possible to log on using a
disabled/locked account.

(To state the obvious: That's the whole point of having
disabled/locked out flags - so the account cannot be used to log on.)

Regards,

Bill




Re: sshd permits logon using disabled user?

2019-01-25 Thread Stefan Baur
On 25.01.19 at 05:42, matthew patton via cygwin wrote:
> Why is this even a discussion? You *ALWAYS* refuse a login to an account that 
> is disabled, locked out, or has an expired password or failed any of the 
> other criteria that might be in effect (day/time restrictions, source IP 
> restrictions, etc.)

Not on Linux (and possibly other Unices).  There, it's perfectly valid
to disable an account's password login (both locally and remote), but to
at the same time allow ssh key file based logins for the same account.

Since cygwin aims to be Linux-/POSIX-compatible to a certain degree, it
is indeed worthy of discussion - even if the final decision might be to
just block logins completely, even with an ssh key pair.

Before Corinna pushed her fix, it was possible to log in via SSH key,
even when the account was locked out/disabled.  Someone might have been
using that "feature" on cygwin, knowing it from Linux, where it is
indeed a feature/design choice.

If this fix hits stable, the same people might be wondering why their
ssh logins fail all of a sudden.

This could be a scenario for scripted uploads via rsync/scp/sftp, for
example, where people are using ssh keys locked down to certain
commands.  You just don't want that user account to be able to log in
with only a password, ever - because the only reason that would happen
would be an account compromise.  And because of that, having a "there is
no valid password for this account, you can try as hard as you like"
setting makes more sense than just setting a long and complex password
that hopefully no one ever guesses/bruteforces/sidechannel-hacks/...

Kind Regards,
Stefan Baur


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243




Re: sshd permits logon using disabled user?

2019-01-24 Thread matthew patton via cygwin
> I think refusing an account manually and deliberately disabled by an
> admin makes lots of sense.

Why is this even a discussion? You *ALWAYS* refuse a login to an account that 
is disabled, locked out, or has an expired password or failed any of the other 
criteria that might be in effect (day/time restrictions, source IP 
restrictions, etc.)

Is someone suggesting that the Windows authentication API is actually returning 
a success code despite any of these conditions?

Furthermore you also *NEVER* hint to the user why the login was denied. It's 
rule #1 of security engineering.
Denied is denied. Explanations or hints are verboten.




Re: sshd permits logon using disabled user?

2019-01-24 Thread Bill Stewart
On Thu, Jan 24, 2019 at 1:23 PM Corinna Vinschen
 wrote:

> I should have tested pubkey auth as well but as it was I just tested
> with password auth.  These methods take slightly different paths in
> Cygwin when trying to switch the user account.
>
> I pushed another patch and created new snapshots in the same location
> https://cygwin.com/snapshots/.

Just tested. Working now.

This is definitely the correct behavior IMO.

Thank you!

Bill




Re: sshd permits logon using disabled user?

2019-01-24 Thread Corinna Vinschen
On Jan 24 09:48, Bill Stewart wrote:
> Hello Corinna,
> 
> I performed the following steps:
> 
> 1. Downloaded cygwin-20190124.tar.xz
> 2. Extracted it
> 3. Stopped sshd
> 4. Renamed existing /bin/cygwin1.dll to cygwin1-20181108.dll
> 5. Copied cygwin1.dll from download to /bin
> 6. Started sshd
> 
> Did I miss anything?

No, I did.

> It still allows logon with disabled account.

I should have tested pubkey auth as well but as it was I just tested
with password auth.  These methods take slightly different paths in
Cygwin when trying to switch the user account.

I pushed another patch and created new snapshots in the same location
https://cygwin.com/snapshots/.


HTH,
Corinna


> 
> Thanks,
> 
> Bill
> 
> 
> On Thu, Jan 24, 2019 at 8:45 AM Corinna Vinschen 
> wrote:
> 
> > On Jan 24 06:28, Bill Stewart wrote:
> > > I am running Windows 10 (1803) and experimenting with sshd installed as a
> > > Windows service.
> > >
> > > The computer is a domain member. I created a local computer account for
> > > testing.
> > >
> > > I created host keys and a public/private key pair to use to log on the user.
> > >
> > > This works, except I notice that if I disable the Windows user account, I
> > > can still log on using ssh using that account.
> > >
> > > In the shell, logged on as the disabled user, the 'whoami' command returns
> > > the name of the disabled user.
> > >
> > > This seems unexpected and not good.
> > >
> > > Why does sshd allow logon for a disabled user?
> >
> > Because the underlying Cygwin function responsible for changing the user
> > account only checks if the account exists.  It does not check for any of
> > the flags in the user DB.  Yet.
> >
> > I pushed a patch to disallow changing the user account to a disabled or
> > locked out account.
> >
> > I just uploaded new developer snapshots containing this change to
> > https://cygwin.com/snapshots/
> >
> > Please give them a try.
> >
> >
> > Thanks,
> > Corinna
> >
> > --
> > Corinna Vinschen
> > Cygwin Maintainer
> >
> 

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-24 Thread Stefan Baur
On 24.01.19 at 20:17, Wayne Davison wrote:
>> I don't think Windows natively supports password-free logons using only key
>> files (but I might be wrong about that).
> Don't forget that sshd_config fully supports disabling passwords.  You
> can turn a password off for a single user via:
> 
> Match User foobar
> PasswordAuthentication no
> 
> Or set the "PasswordAuthentication no" as the default for all users.

Yes, but that will still allow the user to log in with their password
when they have access to the local screen and keyboard, or the machine
is reachable via RDP or CIFS, for example.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243




Re: sshd permits logon using disabled user?

2019-01-24 Thread Wayne Davison
On Thu, Jan 24, 2019 at 10:13 AM Bill Stewart wrote:
> I don't think Windows natively supports password-free logons using only key
> files (but I might be wrong about that).

Don't forget that sshd_config fully supports disabling passwords.  You
can turn a password off for a single user via:

Match User foobar
PasswordAuthentication no

Or set the "PasswordAuthentication no" as the default for all users.

..wayne..




Re: sshd permits logon using disabled user?

2019-01-24 Thread Bill Stewart
On Thu, Jan 24, 2019 at 10:58 AM Stefan Baur  wrote:

> That sounds like the total opposite - allowing login without a password.
>
> Now, if there was a flag PASSWD_NOTPERMITTED or something like that,
> then we'd be able to emulate what can be done on Linux with "passwd -l
> username" and an ssh key file.
>

You are correct; "password not required" != "password not permitted."

I don't think Windows natively supports password-free logons using only key
files (but I might be wrong about that).

In any case, I'm not sure it's needed to support this scenario. Just set a
very long/random/complex password on the account.

Regards,

Bill




Re: sshd permits logon using disabled user?

2019-01-24 Thread Stefan Baur
On 24.01.19 at 18:52, Bill Stewart wrote:
> If you want to have an account that does not require a password, there is a
> separate flag for that - PASSWD_NOTREQD - although setting this may be
> prohibited by policy.

That sounds like the total opposite - allowing login without a password.

Now, if there was a flag PASSWD_NOTPERMITTED or something like that,
then we'd be able to emulate what can be done on Linux with "passwd -l
username" and an ssh key file.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243




Re: sshd permits logon using disabled user?

2019-01-24 Thread Bill Stewart
Corinna Vinschen wrote:

> This description sounds extremely artificial to me.  We should work under the
> assumption that the admin is the good guy.  Usually a user locks itself out,
> or is locked out by a malicious login attempt.  The admin can only define
> rules for locking out, other than that she can only remove the "account
> locked" flag.

This is correct.

From a Windows perspective, "disabled" (UF_ACCOUNTDISABLE) means "account
cannot be used to log on," and "locked out" (UF_LOCKOUT) means "there were
too many bad password attempts, so the account is locked and cannot be used
to log on at this time." The administrator can specify whether the
UF_LOCKOUT duration is indefinite (this is usually not recommended, because
this can be used for DoS) or not.

Only an administrator (or a user with appropriate permissions) can set or
clear UF_ACCOUNTDISABLE. It is used to prevent _any_ use of the account.

UF_LOCKOUT is _only_ set by bad password attempts (the number of bad
attempts is set by policy) and is not really intended to be used for any
other purpose. UF_LOCKOUT can be cleared by an administrator (or user with
appropriate permissions), or the system can clear it automatically after
some duration (specified by policy), or it can be indefinite (although, as
previously noted, this is not usually recommended).

If you want to have an account that does not require a password, there is a
separate flag for that - PASSWD_NOTREQD - although setting this may be
prohibited by policy.

So basically Corinna's idea is correct: If UF_ACCOUNTDISABLE or UF_LOCKOUT
are set, the account should not allow logon.

Regards,

Bill
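
The flag semantics described in this message, and the existence-only check Corinna Vinschen describes elsewhere in the thread, as an added example that is not part of the thread and not Cygwin's code: a portable C model run over a constructed user table. The UF_* values are those of the Windows SDK header lmaccess.h; the type names, function names and accounts are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as defined in the Windows SDK header lmaccess.h. On Windows they
   are read from USER_INFO_1.usri1_flags, filled in by NetUserGetInfo(). */
#ifndef UF_ACCOUNTDISABLE
#define UF_ACCOUNTDISABLE 0x0002u
#define UF_LOCKOUT        0x0010u
#define UF_PASSWD_NOTREQD 0x0020u
#define UF_NORMAL_ACCOUNT 0x0200u
#endif

/* Hypothetical names for this example, not Cygwin identifiers. */
typedef enum { AUTH_PASSWORD, AUTH_PUBKEY } auth_method;
typedef enum { LOGON_OK, DENY_NO_SUCH_USER, DENY_DISABLED, DENY_LOCKED_OUT } verdict;

struct account { const char *name; unsigned flags; };

/* Constructed sample user DB. */
static const struct account user_db[] = {
    { "alice", UF_NORMAL_ACCOUNT },
    { "bob",   UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE },
    { "carol", UF_NORMAL_ACCOUNT | UF_LOCKOUT },
    { "dave",  UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD },
};

static const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof user_db / sizeof user_db[0]; i++)
        if (strcmp(user_db[i].name, name) == 0)
            return &user_db[i];
    return NULL;
}

/* Behaviour reported at the start of the thread: only existence is checked. */
verdict check_exists_only(const char *name)
{
    return lookup(name) ? LOGON_OK : DENY_NO_SUCH_USER;
}

/* Behaviour after the fix as described: disabled and locked-out accounts are
   both refused. The check takes no auth method, so password and pubkey
   logons cannot diverge. */
verdict check_flags(const char *name)
{
    const struct account *a = lookup(name);
    if (a == NULL) return DENY_NO_SUCH_USER;
    if (a->flags & UF_ACCOUNTDISABLE) return DENY_DISABLED;
    if (a->flags & UF_LOCKOUT) return DENY_LOCKED_OUT;
    return LOGON_OK;
}

/* Alternative raised in the discussion, not what was adopted: a locked-out
   account may still log on with a key, a disabled one never. */
verdict check_flags_pubkey_survives_lockout(const char *name, auth_method m)
{
    verdict v = check_flags(name);
    if (v == DENY_LOCKED_OUT && m == AUTH_PUBKEY) return LOGON_OK;
    return v;
}

/* The precise reason is for the server log only. */
const char *log_reason(verdict v)
{
    switch (v) {
    case LOGON_OK:          return "ok";
    case DENY_NO_SUCH_USER: return "no such user";
    case DENY_DISABLED:     return "UF_ACCOUNTDISABLE set";
    case DENY_LOCKED_OUT:   return "UF_LOCKOUT set";
    }
    return "unknown";
}

/* Every denial looks the same to the client. */
const char *client_message(verdict v)
{
    return v == LOGON_OK ? "Access granted" : "Permission denied";
}

int main(void)
{
    static const char *names[] = { "alice", "bob", "carol", "dave", "mallory" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        verdict before = check_exists_only(names[i]);
        verdict after  = check_flags(names[i]);
        printf("%-8s exists-only: %-14s flag check: %-22s client sees: %s\n",
               names[i], log_reason(before), log_reason(after),
               client_message(after));
    }
    return 0;
}
```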




Re: sshd permits logon using disabled user?

2019-01-24 Thread Stefan Baur
On 24.01.19 at 17:36, Corinna Vinschen wrote:
>> If an admin can lock out an account (separately from disabling it
>> entirely), say, by setting an initial password, checking the "user must
>> change password on first login", and also checking "user is not allowed
>> to change password" simultaneously (if that's possible), or, say, by
>> just setting a random password without telling it to anyone ever,
>> followed by firing so many login attempts at the account that it gets
>> locked out, then telling them apart and treating locked out accounts
>> differently would make sense, IMO.

> This description sounds extremely artificial to me.

> We should work under
> the assumption that the admin is the good guy.

Uh, where did I imply anything else?


>  Usually a user locks
> itself out, or is locked out by a malicious login attempt.  The admin
> can only define rules for locking out, other than that she can only
> remove the "account locked" flag.

The methods listed above, well, at least the "brute force" one, would
work for intentionally creating an account that is locked out, but not
disabled - as a good guy admin.

And the reason for doing so would be the same as running "passwd -l
username" on Linux - You don't want your users to log in with a
password, because you consider that too insecure - instead, you want
them to use the (hopefully passphrase-protected) SSH key file.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243





Re: sshd permits logon using disabled user?

2019-01-24 Thread Bill Stewart
Hello Corinna,

I performed the following steps:

1. Downloaded cygwin-20190124.tar.xz
2. Extracted it
3. Stopped sshd
4. Renamed existing /bin/cygwin1.dll to cygwin1-20181108.dll
5. Copied cygwin1.dll from download to /bin
6. Started sshd

Did I miss anything?

It still allows logon with disabled account.

Thanks,

Bill


On Thu, Jan 24, 2019 at 8:45 AM Corinna Vinschen 
wrote:

> On Jan 24 06:28, Bill Stewart wrote:
> > I am running Windows 10 (1803) and experimenting with sshd installed as a
> > Windows service.
> >
> > The computer is a domain member. I created a local computer account for
> > testing.
> >
> > I created host keys and a public/private key pair to use to log on the user.
> >
> > This works, except I notice that if I disable the Windows user account, I
> > can still log on using ssh using that account.
> >
> > In the shell, logged on as the disabled user, the 'whoami' command returns
> > the name of the disabled user.
> >
> > This seems unexpected and not good.
> >
> > Why does sshd allow logon for a disabled user?
>
> Because the underlying Cygwin function responsible for changing the user
> account only checks if the account exists.  It does not check for any of
> the flags in the user DB.  Yet.
>
> I pushed a patch to disallow changing the user account to a disabled or
> locked out account.
>
> I just uploaded new developer snapshots containing this change to
> https://cygwin.com/snapshots/
>
> Please give them a try.
>
>
> Thanks,
> Corinna
>
> --
> Corinna Vinschen
> Cygwin Maintainer
>




Re: sshd permits logon using disabled user?

2019-01-24 Thread Corinna Vinschen
On Jan 24 17:16, Stefan Baur wrote:
> On 24.01.19 at 16:59, Corinna Vinschen wrote:
> > I think refusing an account manually and deliberately disabled by an
> > admin makes lots of sense.
> > 
> > I'm not so sure about locked out accounts.  This might need some
> > discussion.
> 
> It's been a while since I did Windows administration, so I can't really
> make a recommendation here ... BUT:
> 
> If an admin can lock out an account (separately from disabling it
> entirely), say, by setting an initial password, checking the "user must
> change password on first login", and also checking "user is not allowed
> to change password" simultaneously (if that's possible), or, say, by
> just setting a random password without telling it to anyone ever,
> followed by firing so many login attempts at the account that it gets
> locked out, then telling them apart and treating locked out accounts
> differently would make sense, IMO.

This description sounds extremely artificial to me.  We should work under
the assumption that the admin is the good guy.  Usually a user locks
itself out, or is locked out by a malicious login attempt.  The admin
can only define rules for locking out, other than that she can only
remove the "account locked" flag.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-24 Thread Stefan Baur
On 24.01.19 at 16:59, Corinna Vinschen wrote:
> I think refusing an account manually and deliberately disabled by an
> admin makes lots of sense.
> 
> I'm not so sure about locked out accounts.  This might need some
> discussion.

It's been a while since I did Windows administration, so I can't really
make a recommendation here ... BUT:

If an admin can lock out an account (separately from disabling it
entirely), say, by setting an initial password, checking the "user must
change password on first login", and also checking "user is not allowed
to change password" simultaneously (if that's possible), or, say, by
just setting a random password without telling it to anyone ever,
followed by firing so many login attempts at the account that it gets
locked out, then telling them apart and treating locked out accounts
differently would make sense, IMO.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243





Re: sshd permits logon using disabled user?

2019-01-24 Thread Corinna Vinschen
On Jan 24 16:51, Stefan Baur wrote:
> On 24.01.19 at 16:45, Corinna Vinschen wrote:
> >> In the shell, logged on as the disabled user, the 'whoami' command returns
> >> the name of the disabled user.
> >>
> >> This seems unexpected and not good.
> >>
> >> Why does sshd allow logon for a disabled user?
> > Because the underlying Cygwin function responsible for changing the user
> > account only checks if the account exists.  It does not check for any of
> > the flags in the user DB.  Yet.
> > 
> > I pushed a patch to disallow changing the user account to a disabled or
> > locked out account.
> 
> I would like to point out that on Linux, you can disable an account's
> password ("password -l username" / "usermod -L username"), and still log
> in using an SSH key pair.  This is intentional and different to
> disabling an account entirely ("usermod -e 1 username" combined with the
> above).
> 
> So I guess, the question is if there's a way to make Cygwin act similar
> to this - maybe if you can tell disabled vs. locked out apart, allow SSH
> key pair logins when locked out, but not when disabled?

Being disabled and being locked out are two different flags, so this
can be recognized from each other.  A disabled account is an account
which is explicitly disabled in the user DB.  A locked out account in
Windows is to my understanding an account which has unsuccessfully tried
to login multiple times so the account is locked for security reasons,
until an admin unlocks it.

Right now, with the patch I just pushed, both types, explicitly disabled
or locked out, are refused.

I think refusing an account manually and deliberately disabled by an
admin makes lots of sense.

I'm not so sure about locked out accounts.  This might need some
discussion.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: sshd permits logon using disabled user?

2019-01-24 Thread Stefan Baur
On 24.01.19 at 16:45, Corinna Vinschen wrote:
>> In the shell, logged on as the disabled user, the 'whoami' command returns
>> the name of the disabled user.
>>
>> This seems unexpected and not good.
>>
>> Why does sshd allow logon for a disabled user?
> Because the underlying Cygwin function responsible for changing the user
> account only checks if the account exists.  It does not check for any of
> the flags in the user DB.  Yet.
> 
> I pushed a patch to disallow changing the user account to a disabled or
> locked out account.

I would like to point out that on Linux, you can disable an account's
password ("password -l username" / "usermod -L username"), and still log
in using an SSH key pair.  This is intentional and different to
disabling an account entirely ("usermod -e 1 username" combined with the
above).

So I guess, the question is if there's a way to make Cygwin act similar
to this - maybe if you can tell disabled vs. locked out apart, allow SSH
key pair logins when locked out, but not when disabled?

Kind Regards,
Stefan Baur


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243





Re: sshd permits logon using disabled user?

2019-01-24 Thread Corinna Vinschen
On Jan 24 06:28, Bill Stewart wrote:
> I am running Windows 10 (1803) and experimenting with sshd installed as a
> Windows service.
> 
> The computer is a domain member. I created a local computer account for
> testing.
> 
> I created host keys and a public/private key pair to use to log on the user.
> 
> This works, except I notice that if I disable the Windows user account, I
> can still log on using ssh using that account.
> 
> In the shell, logged on as the disabled user, the 'whoami' command returns
> the name of the disabled user.
> 
> This seems unexpected and not good.
> 
> Why does sshd allow logon for a disabled user?

Because the underlying Cygwin function responsible for changing the user
account only checks if the account exists.  It does not check for any of
the flags in the user DB.  Yet.

I pushed a patch to disallow changing the user account to a disabled or
locked out account.

I just uploaded new developer snapshots containing this change to
https://cygwin.com/snapshots/

Please give them a try.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




sshd permits logon using disabled user?

2019-01-24 Thread Bill Stewart
I am running Windows 10 (1803) and experimenting with sshd installed as a
Windows service.

The computer is a domain member. I created a local computer account for
testing.

I created host keys and a public/private key pair to use to log on the user.

This works, except I notice that if I disable the Windows user account, I
can still log on using ssh using that account.

In the shell, logged on as the disabled user, the 'whoami' command returns
the name of the disabled user.

This seems unexpected and not good.

Why does sshd allow logon for a disabled user?

Thanks

Bill
