Mail Archives: cygwin/2015/09/01/07:00:05

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2015/09/01/07:00:05

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:in-reply-to:references:date

:message-id:subject:from:to:content-type

:content-transfer-encoding; q=dns; s=default; b=fLFGRpGtTpTXSyxL

FHDcElgsYHKWOPbYqkJIKh2lRkInRq3Le6yNWfmd/aWvooy2H/2qwCdflHO1/FKO

6676qCUYgnzkfAhDeibObBeFF6jzR7Cc8bVEd+oFCFtWhCh1FXYxopYiAb/+jylX

dpoyIfL6ZRZIyUFn/HjOTHPxL3c=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:mime-version:in-reply-to:references:date

:message-id:subject:from:to:content-type

:content-transfer-encoding; s=default; bh=jTTuazku91yoODjmeu33hi

dqfRE=; b=CW2Z/ctntPEO4s0LeMKyNkMTUT+Cg8SWZexY2IMLC6Kd4UMcsv4m0b

TR/aQdwHmtKqJdKfIt9CmcX2J1iGUzKCekOkSTPZUF1bPH+9z6TnCWlyufilHY+5

QVr6mSMiHRenovYTxi/j8Ahs8JtGmGOdzjetbELIsxYbrFpLFg9tk=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

X-Spam-SWARE-Status: No, score=0.4 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2

X-HELO: mail-la0-f42.google.com

MIME-Version: 1.0

X-Received: by 10.152.5.201 with SMTP id u9mr13108931lau.26.1441105180508; Tue, 01 Sep 2015 03:59:40 -0700 (PDT)

In-Reply-To: <BAY177-W41E7CF6FFF336C3E845A8EE36A0@phx.gbl>

References: <BAY177-W41E7CF6FFF336C3E845A8EE36A0 AT phx DOT gbl>

Date: Tue, 1 Sep 2015 06:59:40 -0400

Message-ID: <CADi7v6+KWE0S7YuW+AJ4O3SmxvOYM9wNTZeaFA=7vimixUsHhA@mail.gmail.com>

Subject: Re: Restrict active directory logins

From: Bryan Berns <bryan DOT berns AT gmail DOT com>

To: cygwin AT cygwin DOT com

X-IsSubscribed: yes

X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id t81AxxRi003804

On Mon, Aug 31, 2015 at 11:39 PM, E. Winston <craddle2grave AT hotmail DOT com> wrote:
> Hi all,
>
> I am running cygwin 2.2.1(0.289/5/3) and OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015 on a domain joined Windows 2012 R2 server. I am not using /etc/passwd or /etc/group and I would prefer not to use theses files as I anticipate a large number of accounts needing to be configured. As part of our group policy, NT AUTHORITY\Authenticated Users and NT AUTHORITY\Interactive are both part of the local Users group. The group policy also places  NT AUTHORITY\Authenticated Users into "Log on Locally"  security policy. My primary purpose is to use this as an SFTP server. I have been able to deny SSH logins and limit access to on SFTP.
>
> What I would like to know is with this setup, is if there is a way to prevent any user in our domain from logging into the server?
>
> Currently I have directory permissions set so they cannot see anything, but I'd rather not allow them to login at all.
>
> I have a local group created with only the domain accounts I want to be able to explicitly login but thus far I have not been able to determine how to limit logins to just the members of this group.
>
> Thanks in advance,
>
> -Ed
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

Ed,

I have a similar arrangement.  Short of reprogramming Cygwin to *not*
do an interactive logon (i.e. do a network logon instead), I think
you're out of luck.  A network logon would work for what an SFTP
server needs to do, but probably isn't right for other purposes such
as a full SSH terminal session -- and unfortunately both
authentication process goes through the same function in Cygwin.  I
thought about proposing some configurable setting in Cygwin on the
mailing list, but the need is really too nuanced to merit
implementation (in my opinion).  If the users don't have access to the
console, just make sure that you're not also allowing "Allow log on
through Remote Desktop Services" -- that should prevent a user from
being logged into via Remote Desktop.

That said, the problem may actually be worse than you think.  If you
have roaming profiles enabled, they may be getting synced every time a
user logs in via SFTP.  If this isn't desired, you'll want to enable
user profile cleanup and disable roaming profiles to that system, in
general.  It'll slow down the login in addition to bloat the profile
directory.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:content-type
	:content-transfer-encoding; q=dns; s=default; b=fLFGRpGtTpTXSyxL
	FHDcElgsYHKWOPbYqkJIKh2lRkInRq3Le6yNWfmd/aWvooy2H/2qwCdflHO1/FKO
	6676qCUYgnzkfAhDeibObBeFF6jzR7Cc8bVEd+oFCFtWhCh1FXYxopYiAb/+jylX
	dpoyIfL6ZRZIyUFn/HjOTHPxL3c=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:content-type
	:content-transfer-encoding; s=default; bh=jTTuazku91yoODjmeu33hi
	dqfRE=; b=CW2Z/ctntPEO4s0LeMKyNkMTUT+Cg8SWZexY2IMLC6Kd4UMcsv4m0b
	TR/aQdwHmtKqJdKfIt9CmcX2J1iGUzKCekOkSTPZUF1bPH+9z6TnCWlyufilHY+5
	QVr6mSMiHRenovYTxi/j8Ahs8JtGmGOdzjetbELIsxYbrFpLFg9tk=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=0.4 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2
X-HELO:	mail-la0-f42.google.com
MIME-Version:	1.0
X-Received:	by 10.152.5.201 with SMTP id u9mr13108931lau.26.1441105180508; Tue, 01 Sep 2015 03:59:40 -0700 (PDT)
In-Reply-To:	<BAY177-W41E7CF6FFF336C3E845A8EE36A0@phx.gbl>
References:	<BAY177-W41E7CF6FFF336C3E845A8EE36A0 AT phx DOT gbl>
Date:	Tue, 1 Sep 2015 06:59:40 -0400
Message-ID:	<CADi7v6+KWE0S7YuW+AJ4O3SmxvOYM9wNTZeaFA=7vimixUsHhA@mail.gmail.com>
Subject:	Re: Restrict active directory logins
From:	Bryan Berns <bryan DOT berns AT gmail DOT com>
To:	cygwin AT cygwin DOT com
X-IsSubscribed:	yes
X-MIME-Autoconverted:	from quoted-printable to 8bit by delorie.com id t81AxxRi003804