Mail Archives: cygwin/2006/02/28/09:23:55

Date: Tue, 28 Feb 2006 09:23:40 -0500 (EST)
From: Igor Peshansky <pechtcha AT cs DOT nyu DOT edu>
Reply-To: cygwin AT cygwin DOT com
To: "Mark A. Ziesemer" <mark_z AT charter DOT net>
cc: cygwin AT cygwin DOT com
Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
In-Reply-To: <du0hh2$2ln$1@sea.gmane.org>
Message-ID: <Pine.GSO.4.63.0602280917280.4185@access1.cims.nyu.edu>
References: <du0hh2$2ln$1 AT sea DOT gmane DOT org>

On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:

> I, too, am trying to lock down ssh access.  Using OpenSSH's AllowGroups
> configuration option looks like it would fit my needs perfectly, but it
> doesn't work!  More specifically, it ends up denying all users, unless the
> user's PRIMARY group (as defined in /etc/passwd) is within AllowGroups.
>
> I already found and read the following related posts, none of which actually
> resolve the issue:
> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local groups"
> started 12/31/2005)
>
> Using AllowUsers works as expected - but this is an administrative
> nightmare.  Ideally, I'd like to create a group called "SshUsers" and
> set "AllowGroups SshUsers".  This works, but only if I set the needed
> user accounts in /etc/passwd to use this as their primary group.  Some
> users need their primary group to remain otherwise for other reasons...
>
> I'm guessing this is more of an issue with the Cygwin user commands than
> it is with the OpenSSH implementation.  I DID run both mkpasswd and
> mkgroup, and both my /etc/passwd and /etc/group files are populated.
> However, running "groups myuser" or "id -Gn myuser" returns only the
> primary group - "Domain Users".  The results are identical whether
> running bash locally or through an ssh connection.
>
> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
> 1.5.18, etc...
>
> Any assistance would be greatly appreciated - thanks!

Let's start here:

> Problem reports:       http://cygwin.com/problems.html

In particular, for the group to be recognized by Cygwin, it needs to be in
/etc/group.  I would guess that you're trying to set up a domain group...
You didn't say exactly what mkgroup options you used to update /etc/group,
so it may simply be that you're missing the necessary groups there (and
thus Cygwin is unable to determine group membership).  But a proper
problem report based on the above guidelines (one that includes an
attached output of "cygcheck -svr" on your system) would allow us to track
this down further.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha AT cs DOT nyu DOT edu | igor AT watson DOT ibm DOT com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"
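
An added example, not part of the thread: a shell check that resolves a user's groups purely from passwd- and group-format files, showing how a supplementary group drops out of the result when the group file does not list the user under it. It assumes membership is taken only from those two files; the function names, user names, SIDs and file entries are constructed for illustration.

```shell
# list_groups PASSWD_FILE GROUP_FILE USER
# Prints one group name per line: the primary group first, then every group
# whose member list (4th field) names USER. Names may contain spaces.
list_groups() {
    awk -F: -v user="$3" '
        FNR == NR {                       # first file: passwd
            if ($1 == user) { gid = $4; found = 1 }
            next
        }
        $3 == gid { primary = $1; next }  # second file: primary group by gid
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user) { extra[++k] = $1; break }
        }
        END {
            if (!found) exit 2            # unknown user
            # A gid with no group-file entry has no name to match against.
            print (primary != "" ? primary : "<gid " gid " not in group file>")
            for (i = 1; i <= k; i++) print extra[i]
        }
    ' "$1" "$2"
}

# in_allowed_group PASSWD_FILE GROUP_FILE USER GROUP
# Succeeds if GROUP is among the names list_groups resolves for USER.
in_allowed_group() {
    list_groups "$1" "$2" "$3" | grep -Fxq -- "$4"
}

# Constructed sample data: alice is listed under SshUsers, bob is not.
write_sample() {
    printf '%s\n' 'alice:unused:1001:513:Alice:/home/alice:/bin/bash' \
                  'bob:unused:1002:513:Bob:/home/bob:/bin/bash' > "$1/passwd"
    printf '%s\n' 'Domain Users:S-1-5-21-0-0-0-513:513:' \
                  'SshUsers:S-1-5-21-0-0-0-1105:1105:alice' > "$1/group"
}

tmp=$(mktemp -d) && write_sample "$tmp"
for u in alice bob; do
    if in_allowed_group "$tmp/passwd" "$tmp/group" "$u" SshUsers; then
        echo "$u: member of SshUsers per the files"
    else
        echo "$u: SshUsers not resolved; file-based lookup yields:"
        list_groups "$tmp/passwd" "$tmp/group" "$u" | sed 's/^/    /'
    fi
done
rm -rf "$tmp"
```

Pointing the functions at the real /etc/passwd and /etc/group shows whether the files alone account for a user resolving to only the primary group.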
