To: cygwin AT cygwin DOT com
From: "Mark A. Ziesemer"
Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
Date: Tue, 28 Feb 2006 23:44:37 -0600

"Igor Peshansky" wrote in message
news:Pine DOT GSO DOT 4 DOT 63 DOT 0602280917280 DOT 4185 AT access1 DOT cims DOT nyu DOT edu...
> On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
>
>> I, too, am trying to lock down ssh access. Using OpenSSH's AllowGroups
>> configuration option looks like it would fit my needs perfectly, but it
>> doesn't work! More specifically, it ends up denying all users, unless the
>> user's PRIMARY group (as defined in /etc/passwd) is within AllowGroups.
>>
>> I already found and read the following related posts, none of which
>> actually resolve the issue:
>> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
>> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
>> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local groups"
>> started 12/31/2005)
>>
>> Using AllowUsers works as expected - but this is an administrative
>> nightmare. Ideally, I'd like to create a group called "SshUsers" and
>> set "AllowGroups SshUsers". This works, but only if I set the needed
>> user accounts in /etc/passwd to use this as their primary group. Some
>> users need their primary group to remain otherwise for other reasons...
>>
>> I'm guessing this is more of an issue with the Cygwin user commands than
>> it is with the OpenSSH implementation. I DID run both mkpasswd and
>> mkgroup, and both my /etc/passwd and /etc/group files are populated.
>> However, running "groups myuser" or "id -Gn myuser" returns only the
>> primary group - "Domain Users". The results are identical whether
>> running bash locally or through an ssh connection.
>>
>> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
>> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
>> 1.5.18, etc...
>>
>> Any assistance would be greatly appreciated - thanks!
>
> Let's start here:
>
>> Problem reports: http://cygwin.com/problems.html
>
> In particular, for the group to be recognized by Cygwin, it needs to be in
> /etc/group. I would guess that you're trying to set up a domain group...
> You didn't say exactly what mkgroup options you used to update /etc/group,
> so it may simply be that you're missing the necessary groups there (and
> thus Cygwin is unable to determine group membership). But a proper
> problem report based on the above guidelines (one that includes an
> attached output of "cygcheck -svr" on your system) would allow us to track
> this down further.

Requested cygcheck attached, along with my sshd_config, group, and passwd
files. (Files are from reproducing the issue on another box for privacy
concerns, which explains why the Cygwin version is slightly different from
my original post.) In this example, all accounts are local, with no domain
involved.

Additionally, the following is logged to my Application Event Log:

Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM
...
The following information is part of the event:
sshd: PID 1504: User MyUser from TestBox not allowed because none of user's
groups are listed in AllowGroups.

I do believe I misunderstood how the "groups" and "id" commands were
working. I see that running "groups" without the username displays all
groups for the current user (not all groups on the system), where
"groups MyUser" displays only the primary group.
Some test output:

MyUser AT winxpsp2base ~
$ groups
None root Administrators Users SshUsers

MyUser AT winxpsp2base ~
$ id
uid=1004(MyUser) gid=513(None) groups=0(root),513(None),544(Administrators),545(Users),1005(SshUsers)

MyUser AT winxpsp2base ~
$ groups MyUser
MyUser : None

MyUser AT winxpsp2base ~
$ id -Gn MyUser
None

I'm guessing the OpenSSH sshd service must run some form of the latter
pair, which returns only the primary group, and not all associated Windows
groups...

Thanks!

--
Mark A. Ziesemer

> Igor
> --
> http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_         pechtcha AT cs DOT nyu DOT edu | igor AT watson DOT ibm DOT com
> ZZZzz /,`.-'`'    -.  ;-;;,_     Igor Peshansky, Ph.D. (name changed!)
>      |,4-  ) )-,_. ,\ (  `'-'    old name: Igor Pechtchanski
>     '---''(_/--'  `-'\_) fL      a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends
> compte."
> "But no -- you are no fool; you call yourself a fool, there's proof enough
> in that!" -- Rostand, "Cyrano de Bergerac"

(uuencoded attachments cygcheck.txt and sshd_config.txt omitted)
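Added example (not code from the thread, from Cygwin or from OpenSSH) that models the decision behind the event-log message quoted above, using constructed /etc/passwd and /etc/group lines: with a full supplementary-group lookup, MyUser is admitted by "AllowGroups SshUsers", while a lookup that stops at the primary group (what "id -Gn MyUser" shows above) refuses the same user. The SIDs, uids and the second user "Other" are constructed placeholders.

```python
# Added example (not from the thread, Cygwin or OpenSSH): model sshd's
# AllowGroups check against constructed /etc/passwd and /etc/group lines.
from fnmatch import fnmatchcase

# Constructed sample data mirroring the thread: MyUser's primary group is
# None (gid 513); SshUsers (gid 1005) lists MyUser only as a member.
PASSWD = """\
MyUser:unused:1004:513:U-WINXPSP2BASE\\MyUser:/home/MyUser:/bin/bash
Other:unused:1006:513:U-WINXPSP2BASE\\Other:/home/Other:/bin/bash
"""
GROUP = """\
root:S-1-5-32-544:0:
None:S-1-5-21-0-513:513:
Administrators:S-1-5-32-544:544:MyUser
Users:S-1-5-32-545:545:MyUser,Other
SshUsers:S-1-5-21-0-1005:1005:MyUser
"""

def parse_passwd(text):
    """name -> primary gid, from name:pw:uid:gid:... lines."""
    rows = [l.split(":") for l in text.splitlines() if l.count(":") >= 3]
    return {f[0]: int(f[3]) for f in rows}

def parse_group(text):
    """gid -> (name, members), from name:sid:gid:member,member lines."""
    rows = [l.split(":") for l in text.splitlines() if l.count(":") >= 3]
    return {int(f[2]): (f[0], set(filter(None, f[3].split(",")))) for f in rows}

def group_names(user, users, groups, primary_only=False):
    """What `id -Gn user` reports: the primary group plus, unless the lookup
    stops at the primary group (the Cygwin behaviour seen in the thread),
    every /etc/group entry that lists the user as a member."""
    names = [groups[users[user]][0]]
    if not primary_only:
        names += [g for g, m in groups.values() if user in m and g not in names]
    return names

def allowed_by_allowgroups(user_groups, allow_groups):
    """sshd admits the user if any of the user's groups matches any
    AllowGroups pattern; '*' and '?' wildcards are permitted there."""
    return any(fnmatchcase(g, p) for g in user_groups for p in allow_groups)

def decide(user, allow_groups, primary_only=False):
    """Outcome of 'AllowGroups <patterns>' for one user of the sample files."""
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    return allowed_by_allowgroups(group_names(user, users, groups, primary_only), allow_groups)

if __name__ == "__main__":
    for primary_only in (False, True):
        print("primary_only=%s: MyUser allowed=%s" % (primary_only, decide("MyUser", ["SshUsers"], primary_only)))
```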