Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Subject: Re: Domain User restrictions - Windows server 2012 R2
To: cygwin AT cygwin DOT com
References: <9e8b10829e18453f9e3af064a0d67c7c AT ATGRZSW1694 DOT avl01 DOT avlcorp DOT lan>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Openpgp: preference=signencrypt
Message-ID: <97c5c30b-fe6e-d36f-c9f9-c031b8973362@SystematicSw.ab.ca>
Date: Wed, 3 Jul 2019 10:24:12 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <9e8b10829e18453f9e3af064a0d67c7c@ATGRZSW1694.avl01.avlcorp.lan>
X-IsSubscribed: yes

On 2019-07-03 02:41, Bergbauer, Daniel AVL/DE via cygwin wrote:
> I know the user restriction topic with ssh was discussed a lot and there are also a few solutions out there but really nothing is working for me (Domain Users)...
>
> In our company we are using cygwin on each of our machines to be able to run our projects with GNU make (everyone uses Windows 10)!
> I also developed a tool, with which all employees are able to synchronize their projects from their (slow) machines to our server (Windows Server 2012 R2), run the make on the (fast) server, and synch the output back.
> All that works with a cygwin ssh connection + rsync!
>
> Information:
>
> * Cygwin (also ssh service) on the server is up and running on C:\tools\cygwin
> * Added Domain Users group to /etc/group of cygwin installation (means everyone can login with their windows password!):
>   Domain Users:S-1-5-21-1054012322-559123688-2072061207-513:1049089:
>   (Domain Users has a whitespace in it)
> * Added every Domain User to passwd file. ( with mkpasswd -d -u u89x77 )
>   After that the user is able to login with ssh to the server with his windows password (because of Domain Users of course)
>   Looks like this:
>   u89x77:*:1441234:1049123:U-OTP01\u89x77,S-1-5-21-1054012322-559123688-2072061207-398637:/home/u89x77:/bin/bash
> * Mapped following directories in fstab file:
>   1. C:/tools/cygwin /
>   2. C:/projects /home (because the home folder of every user is: C:\projects\username)
>   3. C:/tools/cygwin/bin /usr/bin
>   4. C:/tools/cygwin/lib /usr/lib
>   (I cannot remember why I mapped point 3 & 4)
> * Created RSA keys for EVERY user on the user's machine and put it into his/her home folder on the server with ssh-copy-id ... (/home/u89x77/.ssh == C:\projects\u89x77\.ssh).
>   Everyone is now able to connect to his folder on the server without giving his/her windows password again (I had to do this because my tool to synch works with 'rsync')
>
> What I want now is, to restrict every user, who connects to the server via ssh, to its home folder /home/'username' == C:\projects\'username'
>
> For example: A user's username in our domain is u89x77. He's able to login normally via ssh but is also able to cd for example into C:\Windows or worse into C:\projects\'other username'\'absolute secret project'.
> And that is not what I want. The user should be blocked to cd out of C:\projects\u89x77 but of course needs to look inside his folder like cd C:\projects\'u89x77\'u89x77 project'.
>
> [X] I tried a lot of things up to now and also made a lot of research. But unfortunately nothing worked...
>
> 1) Changed sshd_config file in cygwin/etc to:
>
>    # Subsystem sftp /usr/sbin/sftp-server
>    Subsystem sftp internal-sftp
>    ChrootDirectory /home
>    Match user u89x77
>        ChrootDirectory /home/u89x77
>        X11Forwarding no
>        AllowTcpForwarding no
>        ForceCommand internal-sftp
>
> 2) Tried the same with Match group "Domain Users"...
> 3) Also changed the ID of cyg_server to *:0: in the passwd file.
> 4) Tried to change the owner of the different folders like C:\tools\cygwin to Administrator or cyg_server (but only windows/ACL rights...probably trying this with chown?...)
>
> All that did not work.
>
> I am absolutely clueless right now, read so much in the last months and nothing worked and now comes the time where it gets really important, because there'll be a few security projects and so on...
>
> This is the first time for me sending a mail here. I don't even know if it is the right way, but I did not see any other forum or whatever.
>
> Thank you very much in advance.
> I am happy about every idea you have!
If there is a solution, it is usually from the creative application of the explanations given locally in:

/usr/share/doc/cygwin-doc/html/cygwin-ug-net/ntsec.html

remotely at:

https://cygwin.com/cygwin-ug-net/ntsec.html

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
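The quoted sshd_config relies on ChrootDirectory, and the rule OpenSSH enforces before it will chroot a session is the usual stumbling block: every directory from / down to the chroot target must be owned by root and must not be writable by group or others, otherwise sshd refuses the login. The script below is an added example written for this page, not code from the thread or from the Cygwin project; it reproduces that check over the chain of path components and reports each offending directory, both against a constructed in-memory filesystem table and against the real disk. The fake table, its uid values and its paths are constructed; the `root_uid` parameter is an assumption so the check can be adapted to an installation where the owner sshd expects is not uid 0 (how Cygwin maps Windows accounts to uids is the subject of the ntsec.html page linked in the reply). One further caveat for the workflow described in the question: `ForceCommand internal-sftp` gives the user an SFTP session only, so an rsync-over-ssh transfer, which has to start rsync on the server side, would not work through that Match block.

```python
import os
import posixpath
import stat
import sys
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the server filesystem: path -> (owner uid, permission bits).
# The values are made up for illustration and are not taken from the mailing-list post.
FAKE_FS: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o755),
    "/home": (0, 0o777),               # world-writable: sshd rejects the chain here
    "/home/u89x77": (1441234, 0o755),  # owned by the user, not root: also rejected
    "/srv": (0, 0o755),
    "/srv/jail": (0, 0o755),           # root-owned, not group/world-writable: accepted
}

# Type of the lookup callback: absolute path -> (uid, permission bits)
Lookup = Callable[[str], Tuple[int, int]]


def path_chain(path: str) -> List[str]:
    """Return every prefix of an absolute POSIX path, from "/" down to the path itself."""
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path: %r" % path)
    chain = ["/"]
    current = ""
    for part in [p for p in path.split("/") if p]:
        current += "/" + part
        chain.append(current)
    return chain


def check_chroot_path(path: str, lookup: Lookup, root_uid: int = 0) -> List[str]:
    """Apply OpenSSH's ChrootDirectory rule to each component of `path`.

    Every directory in the chain must be owned by `root_uid` and must have no
    group- or other-write bit set. Returns a list of violations; an empty list
    means sshd would accept the directory as a chroot target.
    """
    problems: List[str] = []
    for component in path_chain(path):
        uid, mode = lookup(component)
        if uid != root_uid:
            problems.append(f"{component}: owned by uid {uid}, must be uid {root_uid}")
        if mode & 0o022:
            problems.append(f"{component}: mode {mode:o} is group/world-writable")
    return problems


def lookup_fake(path: str) -> Tuple[int, int]:
    """Lookup against the constructed table above."""
    return FAKE_FS[path]


def lookup_disk(path: str) -> Tuple[int, int]:
    """Lookup against the real filesystem (uid as reported by os.stat)."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)


if __name__ == "__main__":
    # With a path argument, check the real disk; otherwise walk the constructed table.
    if len(sys.argv) > 1:
        target, lookup = sys.argv[1], lookup_disk
    else:
        target, lookup = "/home/u89x77", lookup_fake
    issues = check_chroot_path(target, lookup)
    if issues:
        print(f"{target} is NOT usable as ChrootDirectory:")
        for issue in issues:
            print("  " + issue)
    else:
        print(f"{target} satisfies the ChrootDirectory ownership/permission rule")
```

Run without arguments it reports the two defects in the constructed chain (a world-writable /home and a user-owned /home/u89x77); run as `python3 check_chroot.py /some/dir` on the server it applies the same rule to the real directories.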
Copyright © 2019 by DJ Delorie. Updated Jul 2019.