From: Igor Peshansky <pechtcha <at> cs.nyu.edu>
Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
Newsgroups: gmane.os.cygwin
Date: 2006-03-01 16:55:50 GMT
On Tue, 28 Feb 2006, Mark A. Ziesemer wrote:
> "Igor Peshansky" <pechtcha <at> XX.XXX.XXX> wrote:
<http://cygwin.com/acronyms/#PCYMTNQREAIYR>. Thanks.

>> On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
>>
>>> I, too, am trying to lock down ssh access. Using OpenSSH's
>>> AllowGroups configuration option looks like it would fit my needs
>>> perfectly, but it doesn't work! More specifically, it ends up
>>> denying all users, unless the user's PRIMARY group (as defined in
>>> /etc/passwd) is within AllowGroups.
>>>
>>> I already found and read the following related posts, none of which
>>> actually resolve the issue:
>>> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
>>> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
>>> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local
>>> groups" started 12/31/2005)
>>>
>>> Using AllowUsers works as expected - but this is an administrative
>>> nightmare. Ideally, I'd like to create a group called "SshUsers" and
>>> set "AllowGroups SshUsers". This works, but only if I set the needed
>>> user accounts in /etc/passwd to use this as their primary group.
>>> Some users need their primary group to remain otherwise for other
>>> reasons...
>>>
>>> I'm guessing this is more of an issue with the Cygwin user commands
>>> than it is with the OpenSSH implementation. I DID run both mkpasswd
>>> and mkgroup, and both my /etc/passwd and /etc/group files are
>>> populated. However, running "groups myuser" or "id -Gn myuser"
>>> returns only the primary group - "Domain Users". The results are
>>> identical whether running bash locally or through an ssh connection.
>>>
>>> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
>>> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
>>> 1.5.18, etc...
>>>
>>> Any assistance would be greatly appreciated - thanks!
>>
>> Let's start here:
>>
>>> Problem reports: http://cygwin.com/problems.html
>>
>> In particular, for the group to be recognized by Cygwin, it needs to
>> be in /etc/group. I would guess that you're trying to set up a domain
>> group... You didn't say exactly what mkgroup options you used to
>> update /etc/group, so it may simply be that you're missing the
>> necessary groups there (and thus Cygwin is unable to determine group
>> membership). But a proper problem report based on the above
>> guidelines (one that includes an attached output of "cygcheck -svr" on
>> your system) would allow us to track this down further.
>
> Requested cygcheck attached, along with my sshd_config, group, and
> passwd files. (Files are from reproducing the issue on another box for
> privacy concerns, which explains why the Cygwin version is slightly
> different from my original post.) In this example, all accounts are
> local, with no domain involved.
>
> Additionally, the following is logged to my Application Event Log:
>
> Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM ...
> The following information is part of the event: sshd: PID 1504: User
> MyUser from TestBox not allowed because none of user's groups are listed
> in AllowGroups.

Ah, ok, so it's not a permissions issue.

> I do believe I misunderstood how the "groups" and "id" commands were
> working. I see that running "groups" without the username displays all
> groups for the current user (not all groups on the system), where "groups
> MyUser" displays only the primary group. Some test output:
>
> MyUser <at> winxpsp2base ~
> $ groups
> None root Administrators Users SshUsers
>
> MyUser <at> winxpsp2base ~
> $ id
> uid=1004(MyUser) gid=513(None)
> groups=0(root),513(None),544(Administrators),545(Users),1005(SshUsers)
>
> MyUser <at> winxpsp2base ~
> $ groups MyUser
> MyUser : None
>
> MyUser <at> winxpsp2base ~
> $ id -Gn MyUser
> None
>
> Not surprising, as "groups" essentially calls "id -Gn".
>
> I'm guessing the OpenSSH sshd service must run some form of the latter
> pair, which returns only the primary group, and not all associated
> Windows groups...

This may be true (i.e., groups aren't listed properly)... If you want to
strip down sshd code to just the piece that queries for the groups, run
that on Linux and Cygwin and demonstrate inconsistent results, I'm sure
Corinna would be interested in such a testcase.
Igor
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ pechtcha <at> cs.nyu.edu | igor <at> watson.ibm.com
ZZZzz /,`.-'`' -. ;-;;,_ Igor Peshansky, Ph.D. (name changed!)
|,4- ) )-,_. ,\ ( `'-' old name: Igor Pechtchanski
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"
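Added worked example; this is not part of the thread and not OpenSSH's or Cygwin's code. It is the testcase Igor asks for, stripped to the group query sshd performs before it applies AllowGroups. In portable OpenSSH, ga_init() in groupaccess.c takes the user's primary gid from getpwnam(), expands it with getgrouplist() (the portable build supplies its own in openbsd-compat when the C library has none), turns each gid into a name with getgrgid(), and ga_match() then tests those names against the AllowGroups patterns, which accept the '*' and '?' wildcards. That is a lookup by user name against the group database (on Cygwin, /etc/group as written by mkgroup), not the groups carried in the logged-in process's credentials, which is what `id` with no argument reports via getgroups(). The program below performs both lookups for a user and evaluates an AllowGroups string the way sshd would, so running it on Linux and on Cygwin shows whether the two views disagree. The command-line arguments, the default group name SshUsers (Mark's example), the group names used in the comments (from Mark's `id` output) and the wildcard matcher (a compact rewrite with the same '*' and '?' semantics, not sshd's match_pattern()) are this example's own.

```c
/* Added example for this thread; not from OpenSSH or Cygwin. Reproduces the
 * group query sshd makes before applying AllowGroups and contrasts it with
 * the groups attached to the running process. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256
#define MAX_NAME   64

/* Wildcard matcher for AllowGroups patterns: '*' matches any run of
 * characters, '?' any single one. Compact rewrite for this example. */
int glob_match(const char *s, const char *pattern)
{
    for (;;) {
        if (*pattern == '\0')
            return *s == '\0';
        if (*pattern == '*') {
            pattern++;
            if (*pattern == '\0')
                return 1;                    /* trailing '*' matches the rest */
            for (;; s++) {                   /* try every split point */
                if (glob_match(s, pattern))
                    return 1;
                if (*s == '\0')
                    return 0;
            }
        }
        if (*s == '\0' || (*pattern != '?' && *pattern != *s))
            return 0;
        s++;
        pattern++;
    }
}

/* Map gids to group names via getgrgid(), as sshd's ga_init() does;
 * a gid with no /etc/group entry is skipped, as sshd skips it. */
static int gids_to_names(const gid_t *gids, int ngids, char names[][MAX_NAME], int max)
{
    int i, n = 0;
    for (i = 0; i < ngids && n < max; i++) {
        struct group *gr = getgrgid(gids[i]);
        if (gr == NULL)
            continue;
        strncpy(names[n], gr->gr_name, MAX_NAME - 1);
        names[n][MAX_NAME - 1] = '\0';
        n++;
    }
    return n;
}

/* The sshd-side view: primary gid from the passwd database, expanded with
 * getgrouplist() by user name. Returns the count, or -1 for an unknown user. */
int groups_for_user(const char *user, char names[][MAX_NAME], int max)
{
    gid_t gids[MAX_GROUPS];
    int ngids = MAX_GROUPS;
    struct passwd *pw = getpwnam(user);

    if (pw == NULL)
        return -1;
    if (getgrouplist(user, pw->pw_gid, gids, &ngids) == -1) {
        /* list too small: sshd only logs this; keep what fit in the array */
        fprintf(stderr, "getgrouplist: more than %d groups, truncating\n", MAX_GROUPS);
        ngids = MAX_GROUPS;
    }
    return gids_to_names(gids, ngids, names, max);
}

/* The `id`-with-no-argument view: the groups in the process's own
 * credentials (the Windows access token under Cygwin). */
int groups_of_process(char names[][MAX_NAME], int max)
{
    gid_t gids[MAX_GROUPS];
    int ngids = getgroups(MAX_GROUPS, gids);
    return ngids < 0 ? -1 : gids_to_names(gids, ngids, names, max);
}

/* sshd's AllowGroups decision: allowed if any group name matches any of the
 * space-separated patterns. */
int allowed_by_groups(char names[][MAX_NAME], int n, const char *allow_groups)
{
    char buf[512], *save = NULL, *pat;
    int i;

    strncpy(buf, allow_groups, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (pat = strtok_r(buf, " ", &save); pat != NULL; pat = strtok_r(NULL, " ", &save))
        for (i = 0; i < n; i++)
            if (glob_match(names[i], pat))
                return 1;
    return 0;
}

static void print_names(const char *label, char names[][MAX_NAME], int n)
{
    int i;
    printf("%s:", label);
    for (i = 0; i < n; i++)
        printf(" %s", names[i]);
    putchar('\n');
}

/* usage: groupcheck [user] [AllowGroups patterns]; defaults are the invoking
 * user and the thread's example group SshUsers */
int main(int argc, char **argv)
{
    struct passwd *me = getpwuid(getuid());
    const char *user = argc > 1 ? argv[1] : (me != NULL ? me->pw_name : "root");
    const char *allow = argc > 2 ? argv[2] : "SshUsers";
    char names[MAX_GROUPS][MAX_NAME];
    int n = groups_for_user(user, names, MAX_GROUPS);

    if (n < 0) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    print_names("sshd-style lookup by name (getgrouplist)", names, n);
    printf("AllowGroups %s -> %s\n", allow, allowed_by_groups(names, n, allow)
           ? "allowed" : "not allowed because none of user's groups are listed");
    if ((n = groups_of_process(names, MAX_GROUPS)) >= 0)
        print_names("process credentials (getgroups)", names, n);
    return 0;
}
```

Run it as `./groupcheck MyUser SshUsers` from a shell logged in as MyUser. If the first line lists only the primary group while the last line lists SshUsers, the system reproduces exactly what Mark saw: `id` (getgroups) sees the token groups, but the by-name lookup sshd relies on does not, and no sshd_config change can fix that; the membership has to become visible to getgrouplist() on that system. Where both lines agree and SshUsers is present, the second line should read "allowed", and a remaining denial points elsewhere (for example a different group database seen by the service account).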