Re: sshd permits logon using disabled user?

[Bill Stewart <bstewart at iname dot com>]

Hello Corinna,

I performed the following steps:

1. Downloaded cygwin-20190124.tar.xz
2. Extracted it
3. Stopped sshd
4. Renamed existing /bin/cygwin1.dll to cygwin1-20181108.dll
5. Copied cygwin1.dll from download to /bin
6. Started sshd

Did I miss anything?

It still allows logon with disabled account.

Thanks,

Bill


On Thu, Jan 24, 2019 at 8:45 AM Corinna Vinschen <corinna-cygwin@cygwin.com>
wrote:

> On Jan 24 06:28, Bill Stewart wrote:
> > I am running Windows 10 (1803) and experimenting with sshd installed as a
> > Windows service.
> >
> > The computer is a domain member. I created a local computer account for
> > testing.
> >
> > I created host keys and a public/private key pair to use to log on the
> user.
> >
> > This works, except I notice that if I disable the Windows user account, I
> > can still log on using ssh using that account.
> >
> > In the shell, logged on as the disabled user, the 'whoami' command
> returns
> > the name of the disabled user.
> >
> > This seems unexpected and not good.
> >
> > Why does sshd allow logon for a disabled user?
>
> Because the underlying Cygwin function responsible for changing the user
> account only checks if the account exists.  It does not check for any of
> the flags in the user DB.  Yet.
>
> I pushed a patch to disallow changing the user account to a disabled or
> locked out account.
>
> I just uploaded new developer snapshots containing this change to
> https://cygwin.com/snapshots/
>
> Please give them a try.
>
>
> Thanks,
> Corinna
>
> --
> Corinna Vinschen
> Cygwin Maintainer
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple