Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Date: Tue, 1 Sep 2015 06:59:40 -0400
Subject: Re: Restrict active directory logins
From: Bryan Berns
To: cygwin AT cygwin DOT com

On Mon, Aug 31, 2015 at 11:39 PM, E. Winston wrote:
> Hi all,
>
> I am running cygwin 2.2.1(0.289/5/3) and OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015 on a domain-joined Windows 2012 R2 server. I am not using /etc/passwd or /etc/group and I would prefer not to use these files as I anticipate a large number of accounts needing to be configured. As part of our group policy, NT AUTHORITY\Authenticated Users and NT AUTHORITY\Interactive are both part of the local Users group. The group policy also places NT AUTHORITY\Authenticated Users into the "Log on Locally" security policy. My primary purpose is to use this as an SFTP server. I have been able to deny SSH logins and limit access to only SFTP.
>
> What I would like to know is, with this setup, is there a way to prevent any user in our domain from logging into the server?
>
> Currently I have directory permissions set so they cannot see anything, but I'd rather not allow them to log in at all.
>
> I have a local group created with only the domain accounts I want to be able to explicitly log in, but thus far I have not been able to determine how to limit logins to just the members of this group.
>
> Thanks in advance,
>
> -Ed
>
> --
> Problem reports: http://cygwin.com/problems.html
> FAQ: http://cygwin.com/faq/
> Documentation: http://cygwin.com/docs.html
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>

Ed,

I have a similar arrangement. Short of reprogramming Cygwin to *not* do an interactive logon (i.e. do a network logon instead), I think you're out of luck. A network logon would work for what an SFTP server needs to do, but probably isn't right for other purposes such as a full SSH terminal session -- and unfortunately both authentication processes go through the same function in Cygwin. I thought about proposing some configurable setting in Cygwin on the mailing list, but the need is really too nuanced to merit implementation (in my opinion).
If the users don't have access to the console, just make sure that you're not also allowing "Allow log on through Remote Desktop Services" -- that should prevent a user from logging in via Remote Desktop.

That said, the problem may actually be worse than you think. If you have roaming profiles enabled, they may be getting synced every time a user logs in via SFTP. If this isn't desired, you'll want to enable user profile cleanup and disable roaming profiles for that system in general. It'll slow down the login in addition to bloating the profile directory.