Date: Tue, 28 Feb 2006 09:23:40 -0500 (EST)
From: Igor Peshansky
Reply-To: cygwin AT cygwin DOT com
To: "Mark A. Ziesemer"
cc: cygwin AT cygwin DOT com
Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?

On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:

> I, too, am trying to lock down ssh access. Using OpenSSH's AllowGroups
> configuration option looks like it would fit my needs perfectly, but it
> doesn't work! More specifically, it ends up denying all users, unless the
> user's PRIMARY group (as defined in /etc/passwd) is within AllowGroups.
>
> I already found and read the following related posts, none of which actually
> resolve the issue:
> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local groups"
> started 12/31/2005)
>
> Using AllowUsers works as expected - but this is an administrative
> nightmare. Ideally, I'd like to create a group called "SshUsers" and
> set "AllowGroups SshUsers". This works, but only if I set the needed
> user accounts in /etc/passwd to use this as their primary group. Some
> users need their primary group to remain otherwise for other reasons...
>
> I'm guessing this is more of an issue with the Cygwin user commands than
> it is with the OpenSSH implementation. I DID run both mkpasswd and
> mkgroup, and both my /etc/passwd and /etc/group files are populated.
> However, running "groups myuser" or "id -Gn myuser" returns only the
> primary group - "Domain Users". The results are identical whether
> running bash locally or through an ssh connection.
>
> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
> 1.5.18, etc...
>
> Any assistance would be greatly appreciated - thanks!

Let's start here:

> Problem reports: http://cygwin.com/problems.html

In particular, for the group to be recognized by Cygwin, it needs to be in
/etc/group. I would guess that you're trying to set up a domain group...
You didn't say exactly what mkgroup options you used to update /etc/group,
so it may simply be that you're missing the necessary groups there (and
thus Cygwin is unable to determine group membership). But a proper problem
report based on the above guidelines (one that includes an attached output
of "cygcheck -svr" on your system) would allow us to track this down
further.

Igor
--
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu | igor AT watson DOT ibm DOT com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
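The following is an added illustration of the point Igor makes above, not code from either poster or from the Cygwin project: sshd's AllowGroups decision can only be as good as the group data Cygwin reads from /etc/passwd and /etc/group. The passwd and group contents, the three user names and the "AllowGroups SshUsers" value are all constructed for the example. It models Mark's situation (a user whose only recorded membership is the primary "Domain Users" group is refused) next to the two ways a user does get through: a primary gid of SshUsers, or being listed in the SshUsers member field, which is what a correct mkgroup run has to produce.

```shell
#!/bin/sh
# Added example (not the thread's own code): models the sshd AllowGroups check
# against what Cygwin can read from /etc/passwd and /etc/group.
# All data below is constructed for illustration, not taken from any real host.

# Constructed /etc/passwd: name:pw:uid:gid:gecos:home:shell
PASSWD_DATA='alice:unused:1001:513:alice:/home/alice:/bin/bash
bob:unused:1002:513:bob:/home/bob:/bin/bash
carol:unused:1003:1100:carol:/home/carol:/bin/bash'

# Constructed /etc/group: name:pw:gid:members. Only alice appears in the
# SshUsers member list; carol has SshUsers as her primary gid; bob has neither.
GROUP_DATA='Domain Users:S-1-5-21-0-0-0-513:513:
SshUsers:S-1-5-21-0-0-0-1100:1100:alice'

# Hypothetical sshd_config value for this example.
SSHD_ALLOWGROUPS='SshUsers'

# user_groups USER: prints the user's primary group (resolved by gid from
# passwd) plus every group whose member field names the user, one per line.
# This is exactly the information "id -Gn USER" and sshd's group lookup can
# see; a group or membership missing from /etc/group is invisible to both.
user_groups() {
    gid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v g="$gid" '
        $3 == g { print $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
}

# sshd_allows USER: exit status 0 if any of the user's groups matches an
# AllowGroups entry, 1 otherwise (exact-name match; real sshd also accepts
# wildcard patterns, which this simplified check does not model).
sshd_allows() {
    user_groups "$1" | {
        while IFS= read -r group; do
            for allowed in $SSHD_ALLOWGROUPS; do
                [ "$group" = "$allowed" ] && exit 0
            done
        done
        exit 1
    }
}

# report: one line per constructed user showing the decision and the groups
# that produced it, so the reason for a refusal is visible at a glance.
report() {
    for user in alice bob carol; do
        groups=$(user_groups "$user" | tr '\n' ',' | sed 's/,$//')
        if sshd_allows "$user"; then
            printf '%-6s allowed  (groups: %s)\n' "$user" "$groups"
        else
            printf '%-6s denied   (groups: %s)\n' "$user" "$groups"
        fi
    done
}

report
```

On a real Cygwin host the same check is "id -Gn USER" for the membership side and the AllowGroups line of sshd_config for the policy side; if "id -Gn" shows only the primary group, as in Mark's report, the user is in bob's position regardless of which Windows groups they belong to, and the fix is on the /etc/group side (regenerate it with mkgroup options that emit the group and its member list), not in sshd_config.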