X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type; q=dns; s=default; b=MvBu
	GZ2ebZx93E3q1Ppc9p4B4j4j55qBEQq08PfNRmMeovhleEEnf/UyNiuP+SiSNlMl
	sOUDf9Oax3TqC/xShZd8kR2c6TI9OhasdFWxXK8BaCCaF8v51b7P8HiS+EpUjLXi
	FSlyDpBo+lhTQB7jAlpigxZvT6Iw1UHDq1uZy90=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type; s=default; bh=plCv427QBo
	p7MCJ1BacLqhGVtxA=; b=t0J0RxP7ejAqZ/1EFQ3mKtweOop6d9A1gBpdm2cABg
	BPgCTY/y+TMMWgMRWNoF6RBqI+NXukAmD/JuZDHk4XdhWs/VNlLCHWZTHbC1RmuA
	o4MQANN6PC8437URh2RNpcke4bKUZkP5CQR0nJO9uBQ8pTde6BGSBsTAqh/lSf5X
	w=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: =?ISO-8859-1?Q?No, score=-0.9 required=5.0 tests=BAYES_00,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE autolearn=no version=3.3.2 spammy=8:t, 8:un, 8:ha, 8:=c3=a4?=
X-HELO: mout.kundenserver.de
Subject: Re: sshd permits logon using disabled user?
To: cygwin AT cygwin DOT com
References: <CANV9t=SSyof86c5Yz3tNhwj4To=eKnrmveQcr59ZmMY-X9_txA AT mail DOT gmail DOT com> <20190124154533 DOT GK2802 AT calimero DOT vinschen DOT de> <2b348ac3-63d1-2cd3-430d-2568d650a583 AT baur-itcs DOT de> <20190124155918 DOT GL2802 AT calimero DOT vinschen DOT de> <51ded8a7-ffc0-c1b0-8bb6-8d2f5870ec68 AT baur-itcs DOT de> <20190124163612 DOT GM2802 AT calimero DOT vinschen DOT de>
From: Stefan Baur <X2Go-ML-1 AT baur-itcs DOT de>
Openpgp: preference=signencrypt
Message-ID: <03a080c3-903e-ac05-fdaa-95dc0510bd08@baur-itcs.de>
Date: Thu, 24 Jan 2019 18:01:06 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <20190124163612.GM2802@calimero.vinschen.de>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="uJjbQx5ca6Sv8nOnWhRkxlC0yKUbj3TVW"
X-IsSubscribed: yes

--uJjbQx5ca6Sv8nOnWhRkxlC0yKUbj3TVW
Content-Type: multipart/mixed; boundary="QZezUhDzf7Ge8lNZxoB3aj2j9nd8u7qOM";
 protected-headers="v1"
From: Stefan Baur <X2Go-ML-1 AT baur-itcs DOT de>
To: cygwin AT cygwin DOT com
Message-ID: <03a080c3-903e-ac05-fdaa-95dc0510bd08 AT baur-itcs DOT de>
Subject: Re: sshd permits logon using disabled user?
References: <CANV9t=SSyof86c5Yz3tNhwj4To=eKnrmveQcr59ZmMY-X9_txA AT mail DOT gmail DOT com>
 <20190124154533 DOT GK2802 AT calimero DOT vinschen DOT de>
 <2b348ac3-63d1-2cd3-430d-2568d650a583 AT baur-itcs DOT de>
 <20190124155918 DOT GL2802 AT calimero DOT vinschen DOT de>
 <51ded8a7-ffc0-c1b0-8bb6-8d2f5870ec68 AT baur-itcs DOT de>
 <20190124163612 DOT GM2802 AT calimero DOT vinschen DOT de>
In-Reply-To: <20190124163612 DOT GM2802 AT calimero DOT vinschen DOT de>


--QZezUhDzf7Ge8lNZxoB3aj2j9nd8u7qOM
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: quoted-printable

Am 24.01.19 um 17:36 schrieb Corinna Vinschen:
>> If an admin can lock out an account (separately from disabling it
>> entirely), say, by setting an initial password, checking the "user must
>> change password on first login", and also checking "user is not allowed
>> to change password" simultaneously (if that's possible), or, say, by
>> just setting a random password without telling it to anyone ever,
>> followed by firing so many login attempts at the account that it gets
>> locked out, then telling them apart and treating locked out accounts
>> differently would make sense, IMO.

> This description sounds extremly artificial to me.

> We should work under
> the assumption that the admin is the good guy.

Uh, where did I imply anything else?


>  Usually a user locks
> itself out, or is locked out by a malicious login attempt.  The admin
> can only define rules for locking out, other than that she can only
> remove the "account locked" flag.

The methods listed above, well, at least the "brute force" one, would
work for intentionally creating an account that is locked out, but not
disabled - as a good guy admin.

And the reason for doing so would be the same as running "passwd -l
username" on Linux - You don't want your users to log in with a
password, because you consider that too insecure - instead, you want
them to use the (hopefully passphrase-protected) SSH key file.

Kind Regards,
Stefan Baur

--=20
BAUR-ITCS UG (haftungsbeschr=C3=A4nkt)
Gesch=C3=A4ftsf=C3=BChrer: Stefan Baur
Eichen=C3=A4ckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243


--QZezUhDzf7Ge8lNZxoB3aj2j9nd8u7qOM--

--uJjbQx5ca6Sv8nOnWhRkxlC0yKUbj3TVW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJcSe9SAAoJEG7d9BjNvlEZO/4H/1uwerv1PMPh3TaUKpE0/UOB
BK2R763fFDxfVdN/riXfOHKH8Em3h18wowyql99Zwjoysel+1m+GXoxO6Fn7Czah
ckPXhGgMTL0mTsS4KQMds5dkIdYNYYqSvUjo82AUe2ODTGc8Uw0VgY6ybujm9FbF
sM1EqNoictQNTueMy1sqmGVBHa7TmKdWFdWN/jRwozig7cWFxvv4WWgLs8uL85IR
6GNQHyayGt1meVdiGXL0vqJScMxmjT/G73ftG9NS3SopNfJeF6H2fRSVQpqJfMiT
dEnfptD/LP6PV41gWQP5xEVK0hiioq83k0KdD86y2VeBxZcFl9Y2spkQ+hqUIBk=
=m5sq
-----END PGP SIGNATURE-----

--uJjbQx5ca6Sv8nOnWhRkxlC0yKUbj3TVW--