To: cygwin AT cygwin DOT com
From: "Mark A. Ziesemer"
Subject: sshd_conf and AllowGroups - how to make work with non-primary groups?
Date: Mon, 27 Feb 2006 21:53:32 -0600

I, too, am trying to lock down ssh access. Using OpenSSH's AllowGroups configuration option looks like it would fit my needs perfectly, but it doesn't work! More specifically, it ends up denying all users, unless the user's PRIMARY group (as defined in /etc/passwd) is within AllowGroups.

I already found and read the following related posts, none of which actually resolve the issue:

http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local groups" started 12/31/2005)

Using AllowUsers works as expected - but this is an administrative nightmare. Ideally, I'd like to create a group called "SshUsers" and set "AllowGroups SshUsers". This works, but only if I set the needed user accounts in /etc/passwd to use this as their primary group. Some users need their primary group to remain otherwise for other reasons...

I'm guessing this is more of an issue with the Cygwin user commands than it is with the OpenSSH implementation. I DID run both mkpasswd and mkgroup, and both my /etc/passwd and /etc/group files are populated. However, running "groups myuser" or "id -Gn myuser" returns only the primary group - "Domain Users". The results are identical whether running bash locally or through an ssh connection.

I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227 13:07:35 i686 Cygwin", but have been able to reproduce this back to 1.5.18, etc...

Any assistance would be greatly appreciated - thanks!

--
Mark A. Ziesemer
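
A diagnostic for the symptom described in the message above, added here as an example and not part of the original post: it lists the groups that flat passwd/group files assign to a user and tests them against an AllowGroups-style list. It assumes supplementary groups come from the member list in the fourth field of the group file; the function names, the comma-separated list argument (exact names only, no sshd patterns) and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads only flat files in the
# passwd/group colon format; it does not query Windows or sshd.

# file_groups USER PASSWD GROUP: print each group the files assign to USER.
file_groups() {
    awk -F: -v user="$1" '
        FNR == NR  { if ($1 == user) { pgid = $4; found = 1 }; next }  # passwd file
        !found     { next }                       # user not in passwd: no groups
        $3 == pgid { print $1; next }             # primary group, matched by gid
        {
            n = split($4, m, ",")                 # 4th field: member list (assumed
            for (i = 1; i <= n; i++)              # source of supplementary groups)
                if (m[i] == user) { print $1; break }
        }
    ' "$2" "$3"
}

# allowed_by_groups USER PASSWD GROUP "G1,G2": exit 0 if any group of USER is
# in the comma-separated list (comma used because names may contain spaces).
allowed_by_groups() {
    file_groups "$1" "$2" "$3" | awk -v allow="$4" '
        BEGIN    { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $0 in ok { hit = 1 }
        END      { exit !hit }
    '
}

# make_sample DIR: write constructed sample files (not from the poster's machine).
make_sample() {
    printf '%s\n' 'myuser:unused:11001:10513:Constructed:/home/myuser:/bin/bash' \
        > "$1/passwd"
    printf '%s\n' 'Domain Users:S-1-5-21-0-0-0-513:10513:' \
                  'SshUsers:S-1-5-21-0-0-0-1005:11005:' > "$1/group.empty"
    printf '%s\n' 'Domain Users:S-1-5-21-0-0-0-513:10513:' \
                  'SshUsers:S-1-5-21-0-0-0-1005:11005:otheruser,myuser' \
        > "$1/group.listed"
}

# Demo: same user, same AllowGroups list, two variants of the group file.
tmp=$(mktemp -d); make_sample "$tmp"
for g in group.empty group.listed; do
    printf '%s: ' "$g"
    allowed_by_groups myuser "$tmp/passwd" "$tmp/$g" SshUsers \
        && echo allowed || echo denied
done
rm -rf "$tmp"
```

Pointing the two functions at a copy of the real /etc/passwd and /etc/group shows whether the member field for the group named in AllowGroups lists the account at all.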