This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: sshd permits logon using disabled user?

From: "matthew patton via cygwin" <cygwin at cygwin dot com>
To: <cygwin at cygwin dot com>
Date: Fri, 25 Jan 2019 04:42:29 +0000 (UTC)
Subject: Re: sshd permits logon using disabled user?
References: <1690850474.834980.1548391349102.ref@mail.yahoo.com>
Reply-to: matthew patton <pattonme at yahoo dot com>
Reply-to: matthew patton <pattonme at yahoo dot com>

 > I think refusing an account manually and deliberately disabled by an
 > admin makes lots of sense.

Why is this even a discussion? You *ALWAYS* refuse a login to an account that is disabled, locked out, or has an expired password or failed any of the other criteria that might be in effect (day/time restrictions, source IP restrictions, etc.)

Is someone suggesting that the Windows authentication API is actually returning a success code despite any of these conditions?

Furthermore you also *NEVER* hint to the user why the login was denied. It's rule #1 of security engineering.
Denied is denied. Explanations or hints are verboten.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Follow-Ups:
- Re: sshd permits logon using disabled user?
  - From: Stefan Baur

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]