To: cygwin AT cygwin DOT com
From: "Mark A. Ziesemer"
Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
Date: Sat, 08 Apr 2006 12:25:16 -0500
Message-ID: <4437F1FC.6070608@charter.net>

I think I found part of the problem...

I found the source for "id", which calls either "getgroups()" or
"getugroups()" depending upon the usage (if passed without or with a
specific username, respectively). getugroups() is the one with the
problem. It uses setgrent() / getgrent() / endgrent(), and the list of
groups returned from getgrent() is always coming back empty. All I can
find for these last functions are the header declarations - no source.
It's looking like a problem with the implementation of getgrent().

How can I track this down further, or otherwise go about getting this
fixed?

> From: Igor Peshansky cs.nyu.edu>
> Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
> Newsgroups: gmane.os.cygwin
> Date: 2006-03-01 16:55:50 GMT (5 weeks, 3 days and 19 minutes ago)
>
> On Tue, 28 Feb 2006, Mark A. Ziesemer wrote:
>
>> "Igor Peshansky" XX.XXX.XXX> wrote:
>
> . Thanks.
>
>> > On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
>> >
>> >> I, too, am trying to lock down ssh access. Using OpenSSH's
>> >> AllowGroups configuration option looks like it would fit my needs
>> >> perfectly, but it doesn't work! More specifically, it ends up
>> >> denying all users, unless the user's PRIMARY group (as defined in
>> >> /etc/passwd) is within AllowGroups.
>> >>
>> >> I already found and read the following related posts, none of which
>> >> actually resolve the issue:
>> >> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
>> >> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
>> >> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local
>> >> groups" started 12/31/2005)
>> >>
>> >> Using AllowUsers works as expected - but this is an administrative
>> >> nightmare. Ideally, I'd like to create a group called "SshUsers" and
>> >> set "AllowGroups SshUsers". This works, but only if I set the needed
>> >> user accounts in /etc/passwd to use this as their primary group.
>> >> Some users need their primary group to remain otherwise for other
>> >> reasons...
>> >>
>> >> I'm guessing this is more of an issue with the Cygwin user commands
>> >> than it is with the OpenSSH implementation. I DID run both mkpasswd
>> >> and mkgroup, and both my /etc/passwd and /etc/group files are
>> >> populated. However, running "groups myuser" or "id -Gn myuser"
>> >> returns only the primary group - "Domain Users". The results are
>> >> identical whether running bash locally or through an ssh connection.
>> >>
>> >> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
>> >> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
>> >> 1.5.18, etc...
>> >>
>> >> Any assistance would be greatly appreciated - thanks!
>> >
>> > Let's start here:
>> >
>> >> Problem reports: http://cygwin.com/problems.html
>> >
>> > In particular, for the group to be recognized by Cygwin, it needs to
>> > be in /etc/group. I would guess that you're trying to set up a domain
>> > group... You didn't say exactly what mkgroup options you used to
>> > update /etc/group, so it may simply be that you're missing the
>> > necessary groups there (and thus Cygwin is unable to determine group
>> > membership). But a proper problem report based on the above
>> > guidelines (one that includes an attached output of "cygcheck -svr" on
>> > your system) would allow us to track this down further.
>>
>> Requested cygcheck attached, along with my sshd_config, group, and
>> passwd files. (Files are from reproducing the issue on another box for
>> privacy concerns, which explains why the Cygwin version is slightly
>> different from my original post.) In this example, all accounts are
>> local, with no domain involved.
>>
>> Additionally, the following is logged to my Application Event Log:
>>
>> Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM ...
>> The following information is part of the event: sshd: PID 1504: User
>> MyUser from TestBox not allowed because none of user's groups are listed
>> in AllowGroups.
>
> Ah, ok, so it's not a permissions issue.
>
>> I do believe I misunderstood how the "groups" and "id" commands were
>> working. I see that running "groups" without the username displays all
>> groups for the current user (not all groups on the system), where "groups
>> MyUser" displays only the primary group. Some test output:
>>
>> MyUser winxpsp2base ~
>> $ groups
>> None root Administrators Users SshUsers
>>
>> MyUser winxpsp2base ~
>> $ id
>> uid=1004(MyUser) gid=513(None)
>> groups=0(root),513(None),544(Administrators),545(Users),1005(SshUsers)
>>
>> MyUser winxpsp2base ~
>> $ groups MyUser
>> MyUser : None
>>
>> MyUser winxpsp2base ~
>> $ id -Gn MyUser
>> None
>
> Not surprising, as "groups" essentially calls "id -Gn".
>
>> I'm guessing the OpenSSH sshd service must run some form of the latter
>> pair, which returns only the primary group, and not all associated
>> Windows groups...
>
> This may be true (i.e., groups aren't listed properly)... If you want to
> strip down sshd code to just the piece that queries for the groups, run
> that on Linux and Cygwin and demonstrate inconsistent results, I'm sure
> Corinna would be interested in such a testcase.

Running these commands under a real distro returns all groups as
expected, so Cygwin is definitely behaving differently...

> Igor
> --
> http://cs.nyu.edu/~pechtcha/
>      |\      _,,,---,,_        pechtcha cs.nyu.edu | igor watson.ibm.com
> ZZZzz /,`.-'`'    -.  ;-;;,_   Igor Peshansky, Ph.D. (name changed!)
>      |,4-  ) )-,_. ,\ (  `'-'  old name: Igor Pechtchanski
>     '---''(_/--'  `-'\_) fL    a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
> "But no -- you are no fool; you call yourself a fool, there's proof enough in
> that!" -- Rostand, "Cyrano de Bergerac"

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
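The lookup this thread is circling around, as an added example that is not code from coreutils, OpenSSH or Cygwin: a getugroups()-style walk over the group database, which is what "id -Gn user" does and what any AllowGroups check that resolves membership by user name (rather than from the calling process's own token, as getgroups() does) has to do as well. Instead of calling setgrent()/getgrent()/endgrent() it parses a constructed /etc/group-style text embedded inline (the group names, gids and user names are made up for the example), so it runs anywhere and shows exactly which field the walk depends on. The second database reproduces the failure mode seen in the thread: when the fourth (member) field of every line is empty, the walk finds nothing beyond the primary gid, and an AllowGroups check on SshUsers denies the user just as the event-log entry quoted above reports. The first thing to check on an affected box is therefore whether the SshUsers line in /etc/group actually names the user in its member field (the thread does not say which mkgroup options produced the file).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample /etc/group (name:passwd:gid:member,...).
 * Made-up data for this example, not a real Cygwin group file. */
static const char *SAMPLE_GROUP_DB =
    "root:x:0:Administrator,MyUser\n"
    "None:x:513:\n"
    "Administrators:x:544:Administrator,MyUser\n"
    "Users:x:545:MyUser,OtherUser\n"
    "SshUsers:x:1005:MyUser\n";

/* The same groups with every member field empty: the shape that makes
 * "id -Gn MyUser" report only the primary group. */
static const char *EMPTY_MEMBERS_DB =
    "root:x:0:\n"
    "None:x:513:\n"
    "Administrators:x:544:\n"
    "Users:x:545:\n"
    "SshUsers:x:1005:\n";

/* Split one group line in place into name, gid string and member list.
 * Returns 0 on a malformed line; members may legitimately be "". */
static int split_group_line(char *buf, char **name, char **gidstr, char **members)
{
    char *f[4] = {0};
    char *p = buf;
    for (int i = 0; i < 4; i++) {
        f[i] = p;
        char *colon = strchr(p, ':');
        if (!colon) break;
        *colon = '\0';
        p = colon + 1;
    }
    if (!f[2] || !f[3]) return 0;
    *name = f[0]; *gidstr = f[2]; *members = f[3];
    return 1;
}

/* True if the comma-separated list contains exactly `user`. */
static int in_member_list(const char *members, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *p = members; ; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == ulen && memcmp(p, user, ulen) == 0) return 1;
        if (!comma) return 0;
        p = comma + 1;
    }
}

/* Walk `db` line by line, as a setgrent()/getgrent()/endgrent() loop walks
 * /etc/group, collecting the gids that apply to `user`: the primary gid
 * first, then every group whose member field names the user (deduplicated).
 * Returns the count stored in `out`, or -1 if `max` is too small. */
int user_groups(const char *db, const char *user, gid_t primary_gid,
                gid_t *out, int max)
{
    if (max < 1) return -1;
    int n = 0;
    out[n++] = primary_gid;
    for (const char *line = db; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len < sizeof buf) {               /* skip over-long lines */
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *name, *gidstr, *members, *end;
            if (split_group_line(buf, &name, &gidstr, &members)) {
                gid_t gid = (gid_t)strtoul(gidstr, &end, 10);
                int dup = 0;
                for (int i = 0; i < n; i++) if (out[i] == gid) dup = 1;
                if (*gidstr && *end == '\0' && !dup && in_member_list(members, user)) {
                    if (n >= max) return -1;
                    out[n++] = gid;
                }
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* Resolve a group name to its gid with a second pass over the database. */
static int gid_by_name(const char *db, const char *name, gid_t *gid)
{
    size_t nlen = strlen(name);
    for (const char *line = db; *line; ) {
        const char *nl = strchr(line, '\n');
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *p = strchr(line + nlen + 1, ':');   /* end of passwd field */
            if (p && (!nl || p < nl)) { *gid = (gid_t)strtoul(p + 1, NULL, 10); return 1; }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* The AllowGroups decision for one group name: 1 = allow, 0 = deny.
 * An unknown group name denies, as it cannot match any of the user's gids. */
int allowed_by_group(const char *db, const char *user, gid_t primary_gid,
                     const char *group)
{
    gid_t want, have[32];
    if (!gid_by_name(db, group, &want)) return 0;
    int n = user_groups(db, user, primary_gid, have, 32);
    for (int i = 0; i < n; i++) if (have[i] == want) return 1;
    return 0;
}

int main(void)
{
    gid_t g[32];
    int n = user_groups(SAMPLE_GROUP_DB, "MyUser", 513, g, 32);
    printf("MyUser gids:");
    for (int i = 0; i < n; i++) printf(" %lu", (unsigned long)g[i]);
    printf("\nAllowGroups SshUsers, members listed: %s\n",
           allowed_by_group(SAMPLE_GROUP_DB, "MyUser", 513, "SshUsers") ? "allow" : "deny");
    printf("AllowGroups SshUsers, member fields empty: %s\n",
           allowed_by_group(EMPTY_MEMBERS_DB, "MyUser", 513, "SshUsers") ? "allow" : "deny");
    return 0;
}
```

Build with "gcc -Wall -o groupwalk groupwalk.c && ./groupwalk". The walk over SAMPLE_GROUP_DB yields 513, 0, 544, 545, 1005 (the same set "id" printed for the logged-in user above), while the same walk over EMPTY_MEMBERS_DB yields only 513 and the SshUsers check denies. On a real system the equivalent of this parser is the C library's getgrent(), so if /etc/group does list the user in the member field and "id -Gn MyUser" still prints only the primary group, the defect is in that library function, which is where the thread ends up pointing.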