Date: Wed, 1 Mar 2006 11:55:50 -0500 (EST)
From: Igor Peshansky
Reply-To: cygwin AT cygwin DOT com
To: "Mark A. Ziesemer"
Cc: cygwin AT cygwin DOT com
Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
In-Reply-To: <006601c63cf3$5933bc00$2a52a8c0@ziesemermark>
References: <006601c63cf3$5933bc00$2a52a8c0 AT ziesemermark>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Mail-Followup-To: cygwin AT cygwin DOT com

On Tue, 28 Feb 2006, Mark A. Ziesemer wrote:

> "Igor Peshansky" wrote:
> Thanks.
>
> > On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
> >
> >> I, too, am trying to lock down ssh access. Using OpenSSH's
> >> AllowGroups configuration option looks like it would fit my needs
> >> perfectly, but it doesn't work! More specifically, it ends up
> >> denying all users, unless the user's PRIMARY group (as defined in
> >> /etc/passwd) is within AllowGroups.
> >>
> >> I already found and read the following related posts, none of which
> >> actually resolve the issue:
> >> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
> >> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
> >> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local
> >> groups" started 12/31/2005)
> >>
> >> Using AllowUsers works as expected - but this is an administrative
> >> nightmare. Ideally, I'd like to create a group called "SshUsers" and
> >> set "AllowGroups SshUsers". This works, but only if I set the needed
> >> user accounts in /etc/passwd to use this as their primary group.
> >> Some users need their primary group to remain otherwise for other
> >> reasons...
> >>
> >> I'm guessing this is more of an issue with the Cygwin user commands
> >> than it is with the OpenSSH implementation. I DID run both mkpasswd
> >> and mkgroup, and both my /etc/passwd and /etc/group files are
> >> populated. However, running "groups myuser" or "id -Gn myuser"
> >> returns only the primary group - "Domain Users". The results are
> >> identical whether running bash locally or through an ssh connection.
> >>
> >> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
> >> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
> >> 1.5.18, etc...
> >>
> >> Any assistance would be greatly appreciated - thanks!
> >
> > Let's start here:
> >
> >> Problem reports: http://cygwin.com/problems.html
> >
> > In particular, for the group to be recognized by Cygwin, it needs to
> > be in /etc/group. I would guess that you're trying to set up a domain
> > group... You didn't say exactly what mkgroup options you used to
> > update /etc/group, so it may simply be that you're missing the
> > necessary groups there (and thus Cygwin is unable to determine group
> > membership). But a proper problem report based on the above
> > guidelines (one that includes an attached output of "cygcheck -svr" on
> > your system) would allow us to track this down further.
>
> Requested cygcheck attached, along with my sshd_config, group, and
> passwd files. (Files are from reproducing the issue on another box for
> privacy concerns, which explains why the Cygwin version is slightly
> different from my original post.) In this example, all accounts are
> local, with no domain involved.
>
> Additionally, the following is logged to my Application Event Log:
>
> Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM ...
> The following information is part of the event: sshd: PID 1504: User
> MyUser from TestBox not allowed because none of user's groups are listed
> in AllowGroups.

Ah, ok, so it's not a permissions issue.

> I do believe I misunderstood how the "groups" and "id" commands were
> working. I see that running "groups" without the username displays all
> groups for the current user (not all groups on the system), where "groups
> MyUser" displays only the primary group. Some test output:
>
> MyUser AT winxpsp2base ~
> $ groups
> None root Administrators Users SshUsers
>
> MyUser AT winxpsp2base ~
> $ id
> uid=1004(MyUser) gid=513(None)
> groups=0(root),513(None),544(Administrators),545(Users),1005(SshUsers)
>
> MyUser AT winxpsp2base ~
> $ groups MyUser
> MyUser : None
>
> MyUser AT winxpsp2base ~
> $ id -Gn MyUser
> None

Not surprising, as "groups" essentially calls "id -Gn".

> I'm guessing the OpenSSH sshd service must run some form of the latter
> pair, which returns only the primary group, and not all associated
> Windows groups...

This may be true (i.e., groups aren't listed properly)... If you want to
strip down sshd code to just the piece that queries for the groups, run
that on Linux and Cygwin and demonstrate inconsistent results, I'm sure
Corinna would be interested in such a testcase.

Igor
--
http://cs.nyu.edu/~pechtcha/      |\      _,,,---,,_        pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_      igor AT watson DOT ibm DOT com
|,4-  ) )-,_. ,\ (  `'-'          Igor Peshansky, Ph.D. (name changed!)
'---''(_/--'  `-'\_) fL           old name: Igor Pechtchanski
a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
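The testcase Igor asks for above boils down to reproducing the group lookup that sshd performs before applying AllowGroups (OpenSSH does this in groupaccess.c with getgrouplist() plus pattern matching). The C program below is an added example written for this page; it is not code from the thread, from OpenSSH or from Cygwin. It parses constructed /etc/passwd and /etc/group snippets modelled on the quoted test box (the SIDs, uids and member lists are made up), derives the group list the way `id -Gn user` does under classic /etc/group semantics (primary group by gid, then every group whose member list names the user; this is the Linux getgrouplist behaviour and is assumed here rather than taken from Cygwin's implementation), and applies a simplified AllowGroups decision on exact names only (real sshd also accepts wildcard patterns). The second group file is deliberately stale, with SshUsers present but its member list empty, which yields the same "none of user's groups are listed in AllowGroups" outcome as in the quoted event-log entry.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GROUPS 32
#define NAME_LEN 64
typedef char gname_t[NAME_LEN];

/* Constructed sample files (not the poster's attachments). The layout follows
   Cygwin's /etc/passwd and /etc/group; the SIDs are made-up placeholders. */
static const char *SAMPLE_PASSWD =
    "MyUser:unused:1004:513:U-winxpsp2base\\MyUser,S-1-5-21-0-0-0-1004:/home/MyUser:/bin/bash\n"
    "Other:unused:1006:513:U-winxpsp2base\\Other,S-1-5-21-0-0-0-1006:/home/Other:/bin/bash\n";

/* Complete group file: MyUser is listed as a member of SshUsers. */
static const char *SAMPLE_GROUP =
    "root:S-1-5-32-544:0:MyUser\n"
    "None:S-1-5-21-0-0-0-513:513:\n"
    "Administrators:S-1-5-32-544:544:MyUser\n"
    "Users:S-1-5-32-545:545:MyUser,Other\n"
    "SshUsers:S-1-5-21-0-0-0-1005:1005:MyUser\n";

/* Stale group file: SshUsers exists but its member list is empty, as when
   mkgroup was run before the user was added to the Windows group. */
static const char *SAMPLE_GROUP_STALE =
    "root:S-1-5-32-544:0:MyUser\n"
    "None:S-1-5-21-0-0-0-513:513:\n"
    "Administrators:S-1-5-32-544:544:MyUser\n"
    "Users:S-1-5-32-545:545:MyUser,Other\n"
    "SshUsers:S-1-5-21-0-0-0-1005:1005:\n";

struct grent { char name[NAME_LEN]; long gid; char members[256]; };

/* Split a colon-separated line in place into at most nf fields. */
static int split_fields(char *line, char **f, int nf) {
    int n = 0;
    char *p = line;
    while (p && n < nf) {
        f[n++] = p;
        p = strchr(p, ':');
        if (p) *p++ = '\0';
    }
    return n;
}

/* Return 1 if `user` appears in a comma-separated member list. */
static int in_member_list(const char *members, const char *user) {
    size_t ul = strlen(user);
    const char *p = members;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == ul && strncmp(p, user, ul) == 0) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Parse group-file text into records; returns the number parsed. */
static int parse_group(const char *group, struct grent *g, int max) {
    char *copy = strdup(group), *save = NULL, *line;
    int n = 0;
    for (line = strtok_r(copy, "\n", &save); line && n < max;
         line = strtok_r(NULL, "\n", &save)) {
        char *f[4];
        int nf = split_fields(line, f, 4);
        if (nf < 3) continue;
        snprintf(g[n].name, NAME_LEN, "%s", f[0]);
        g[n].gid = strtol(f[2], NULL, 10);
        snprintf(g[n].members, sizeof g[n].members, "%s", nf == 4 ? f[3] : "");
        n++;
    }
    free(copy);
    return n;
}

/* Primary gid of `user` from passwd-file text, or -1 if not found. */
static long primary_gid(const char *passwd, const char *user) {
    char *copy = strdup(passwd), *save = NULL, *line;
    long gid = -1;
    for (line = strtok_r(copy, "\n", &save); line;
         line = strtok_r(NULL, "\n", &save)) {
        char *f[7];
        if (split_fields(line, f, 7) >= 4 && strcmp(f[0], user) == 0) {
            gid = strtol(f[3], NULL, 10);
            break;
        }
    }
    free(copy);
    return gid;
}

/* Group names for `user`, as "id -Gn user" derives them under classic
   /etc/group semantics (assumed): primary group by gid first, then every
   group whose member list names the user. Returns the count written. */
int user_groups(const char *passwd, const char *group, const char *user,
                gname_t *out, int max) {
    struct grent g[64];
    int ng = parse_group(group, g, 64);
    long gid = primary_gid(passwd, user);
    int n = 0;
    for (int i = 0; i < ng && n < max; i++)
        if (g[i].gid == gid) { snprintf(out[n++], NAME_LEN, "%s", g[i].name); break; }
    for (int i = 0; i < ng && n < max; i++)
        if (g[i].gid != gid && in_member_list(g[i].members, user))
            snprintf(out[n++], NAME_LEN, "%s", g[i].name);
    return n;
}

/* Simplified AllowGroups decision: allowed iff any of the user's groups is an
   entry in the space-separated list (exact names; sshd also takes patterns). */
int allowed_by_allowgroups(const char *allow_groups, const char *passwd,
                           const char *group, const char *user) {
    gname_t gl[MAX_GROUPS];
    int n = user_groups(passwd, group, user, gl, MAX_GROUPS);
    char *copy = strdup(allow_groups), *save = NULL, *tok;
    int ok = 0;
    for (tok = strtok_r(copy, " \t", &save); tok && !ok;
         tok = strtok_r(NULL, " \t", &save))
        for (int i = 0; i < n; i++)
            if (strcmp(tok, gl[i]) == 0) { ok = 1; break; }
    free(copy);
    return ok;
}

int main(void) {
    const char *files[2] = { SAMPLE_GROUP, SAMPLE_GROUP_STALE };
    const char *labels[2] = { "complete /etc/group", "stale /etc/group" };
    for (int k = 0; k < 2; k++) {
        gname_t gl[MAX_GROUPS];
        int n = user_groups(SAMPLE_PASSWD, files[k], "MyUser", gl, MAX_GROUPS);
        printf("[%s] id -Gn MyUser ->", labels[k]);
        for (int i = 0; i < n; i++) printf(" %s", gl[i]);
        printf("\n  AllowGroups SshUsers: %s\n",
               allowed_by_allowgroups("SshUsers", SAMPLE_PASSWD, files[k], "MyUser")
                   ? "allowed" : "not allowed (none of user's groups are listed)");
    }
    return 0;
}
```

Running the same two functions against a real /etc/passwd and /etc/group on Linux and on Cygwin, and comparing with what `id -Gn user` prints on each, is the cross-platform check Igor describes: if the file contents agree but the outputs differ, the discrepancy lies in the group lookup rather than in sshd's AllowGroups matching; if the stale case reproduces, regenerating /etc/group with mkgroup so the user appears in the SshUsers member list is the fix to try first.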