This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Restrict active directory logins

On Mon, Aug 31, 2015 at 11:39 PM, E. Winston <> wrote:
> Hi all,
> I am running cygwin 2.2.1(0.289/5/3) and OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015 on a domain joined Windows 2012 R2 server. I am not using /etc/passwd or /etc/group and I would prefer not to use theses files as I anticipate a large number of accounts needing to be configured. As part of our group policy, NT AUTHORITY\Authenticated Users and NT AUTHORITY\Interactive are both part of the local Users group. The group policy also places  NT AUTHORITY\Authenticated Users into "Log on Locally"  security policy. My primary purpose is to use this as an SFTP server. I have been able to deny SSH logins and limit access to on SFTP.
> What I would like to know is with this setup, is if there is a way to prevent any user in our domain from logging into the server?
> Currently I have directory permissions set so they cannot see anything, but I'd rather not allow them to login at all.
> I have a local group created with only the domain accounts I want to be able to explicitly login but thus far I have not been able to determine how to limit logins to just the members of this group.
> Thanks in advance,
> -Ed
> --
> Problem reports:
> FAQ:         
> Documentation:
> Unsubscribe info:


I have a similar arrangement.  Short of reprogramming Cygwin to *not*
do an interactive logon (i.e. do a network logon instead), I think
you're out of luck.  A network logon would work for what an SFTP
server needs to do, but probably isn't right for other purposes such
as a full SSH terminal session -- and unfortunately both
authentication process goes through the same function in Cygwin.  I
thought about proposing some configurable setting in Cygwin on the
mailing list, but the need is really too nuanced to merit
implementation (in my opinion).  If the users don't have access to the
console, just make sure that you're not also allowing "Allow log on
through Remote Desktop Services" -- that should prevent a user from
being logged into via Remote Desktop.

That said, the problem may actually be worse than you think.  If you
have roaming profiles enabled, they may be getting synced every time a
user logs in via SFTP.  If this isn't desired, you'll want to enable
user profile cleanup and disable roaming profiles to that system, in
general.  It'll slow down the login in addition to bloat the profile

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]