Mail Archives: cygwin/2019/07/03/04:42:31

From: "Bergbauer, Daniel AVL/DE via cygwin" <cygwin AT cygwin DOT com>
Reply-To: "Bergbauer, Daniel AVL/DE" <Daniel DOT Bergbauer AT avl DOT com>
To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Subject: Domain User restrictions - Windows server 2012 R2
Date: Wed, 3 Jul 2019 08:41:23 +0000
Message-ID: <9e8b10829e18453f9e3af064a0d67c7c@ATGRZSW1694.avl01.avlcorp.lan>

Hi everyone,
I know the user restriction topic with ssh was discussed a lot and there are also a few solutions out there, but really nothing is working for me (Domain Users)...

In our company we are using cygwin on each of our machines to be able to run our projects with GNU make (everyone uses Windows 10)!
I also developed a tool with which all employees are able to synchronize their projects from their (slow) machines to our server (Windows Server 2012 R2),
run the make on the (fast) server, and sync the output back.
All that works with a cygwin ssh connection + rsync!
Information:
*       Cygwin (also the ssh service) on the server is up and running in C:\tools\cygwin
*       Added the Domain Users group to /etc/group of the cygwin installation (meaning everyone can log in with their windows password!):
   Domain Users:S-1-5-21-1054012322-559123688-2072061207-513:1049089:
   (Domain Users has a whitespace in it)

*       Added every Domain User to the passwd file (with mkpasswd -d -u u89x77).
   After that the user is able to log in with ssh to the server with his windows password (because of Domain Users, of course).
   Looks like this:
   u89x77:*:1441234:1049123:U-OTP01\u89x77,S-1-5-21-1054012322-559123688-2072061207-398637:/home/u89x77:/bin/bash
*       Mapped following directories in fstab file:
1.      C:/tools/cygwin /
2.      C:/projects /home (because the home folder of every user is: C:\projects\username)
3.      C:/tools/cygwin/bin /usr/bin
4.      C:/tools/cygwin/lib /usr/lib (I cannot remember why I mapped point 3 & 4)

*       Created RSA keys for EVERY user on the user's machine and put them into his/her home folder on the server with ssh-copy-id ... (/home/u89x77/.ssh  ==  C:\projects\u89x77\.ssh).
   Everyone is now able to connect to his folder on the server without giving his/her windows password again (I had to do this because my tool to sync works with 'rsync').


What I want now is to restrict every user who connects to the server via ssh to his home folder /home/'username' == C:\projects\'username'.
For example: a user's username in our domain is u89x77. He's able to log in normally via ssh but is also able to cd, for example, into C:\Windows or worse into C:\projects\'other username'\'absolute secret project'.
And that is not what I want. The user should be blocked from cd'ing out of C:\projects\u89x77 but of course needs to look inside his folder, like cd C:\projects\'u89x77\'u89x77 project'.

I tried a lot of things up to now and also did a lot of research. But unfortunately nothing worked...

1) Changed sshd_config file in cygwin/etc to:
     # Subsystem        sftp    /usr/sbin/sftp-server
     Subsystem   sftp  internal-sftp
     ChrootDirectory   /home
     Match user u89x77
        ChrootDirectory /home/u89x77
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

2) Tried the same with Match group "Domain Users"...
3) Also changed the ID of cyg_server to *:0:  in the passwd file.
4) Tried to change the owner of the different folders like C:\tools\cygwin to Administrator or cyg_server
    (but only windows/ACL rights... probably should try this with chown?...)

All that did not work.
I am absolutely clueless right now; I have read so much in the last months and nothing worked, and now comes the time where it gets really important, because there'll be
a few security projects and so on...
This is the first time for me sending a mail here; I don't even know if it is the right way, but I did not see any other forum or whatever.
Thank you very much in advance.

I am happy about every idea you have!

Best regards
Daniel Bergbauer




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
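OpenSSH only accepts a ChrootDirectory when the target and every path component above it are owned by root and not writable by group or others; otherwise it rejects the login with "bad ownership or modes for chroot directory". The script below is an added example (not from the original post or from the Cygwin project) that checks that rule for a path such as the /home/u89x77 used in the sshd_config above. It assumes GNU stat (the coreutils build Cygwin ships) and that uid 0 is the account sshd treats as root, which on Cygwin depends on the local passwd mapping.

```shell
#!/bin/sh
# Added example: verify the ownership/permission rule OpenSSH enforces on
# ChrootDirectory paths. Assumes GNU stat and that uid 0 is root for sshd.

# Pure check on one component: $1 = owner uid, $2 = octal mode as printed by stat %a.
chroot_component_ok() {
    uid=$1
    perm=$((0$2))                         # leading 0 makes the shell parse it as octal
    [ "$uid" -eq 0 ] || return 1          # must be owned by root
    [ $((perm & 022)) -eq 0 ] || return 1 # no group (020) or other (002) write bit
    return 0
}

# Walk every component of absolute path $1; print the first violation and return 1.
check_chroot_path() {
    target=$1
    case $target in /*) ;; *) echo "not an absolute path: $target"; return 2 ;; esac
    current=/
    old_ifs=$IFS
    IFS=/
    set -f                                # no globbing while splitting on /
    set -- $target
    set +f
    IFS=$old_ifs
    while :; do
        if [ ! -d "$current" ]; then
            echo "missing directory: $current"; return 1
        fi
        uid=$(stat -c %u "$current") || return 1
        mode=$(stat -c %a "$current") || return 1
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "bad ownership or modes: $current (uid $uid, mode $mode)"; return 1
        fi
        # advance to the next non-empty component, or stop when none are left
        while [ $# -gt 0 ] && [ -z "$1" ]; do shift; done
        [ $# -gt 0 ] || break
        current=${current%/}/$1
        shift
    done
    echo "ok: $target may be used as ChrootDirectory"
    return 0
}
```

Run it as `check_chroot_path /home/u89x77` on the server; a directory that fails the check also explains why a Match block pointing at it never takes effect.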
  Copyright © 2019   by DJ Delorie     Updated Jul 2019