This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: sshd_conf and AllowGroups - how to make work with non-primary groups?

"Igor Peshansky" <> wrote in message
> On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
>> I, too, am trying to lock down ssh access.  Using OpenSSH's AllowGroups
>> configuration option looks like it would fit my needs perfectly, but it
>> doesn't work!  More specifically, it ends up denying all users, unless the
>> user's PRIMARY group (as defined in /etc/passwd) is within AllowGroups.
>> I already found and read the following related posts, none of which actually
>> resolve the issue:
>> ("sshd_conf and local groups"
>> started 12/31/2005)
>> Using AllowUsers works as expected - but this is an administrative
>> nightmare.  Ideally, I'd like to create a group called "SshUsers" and
>> set "AllowGroups SshUsers".  This works, but only if I set the needed
>> user accounts in /etc/passwd to use this as their primary group.  Some
>> users need their primary group to remain otherwise for other reasons...
>> I'm guessing this is more of an issue with the Cygwin user commands than
>> it is with the OpenSSH implementation.  I DID run both mkpasswd and
>> mkgroup, and both my /etc/passwd and /etc/group files are populated.
>> However, running "groups myuser" or "id -Gn myuser" returns only the
>> primary group - "Domain Users".  The results are identical whether
>> running bash locally or through an ssh connection.
>> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
>> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
>> 1.5.18, etc...
>> Any assistance would be greatly appreciated - thanks!
> Let's start here:
>> Problem reports:
> In particular, for the group to be recognized by Cygwin, it needs to be in
> /etc/group.  I would guess that you're trying to set up a domain group...
> You didn't say exactly what mkgroup options you used to update /etc/group,
> so it may simply be that you're missing the necessary groups there (and
> thus Cygwin is unable to determine group membership).  But a proper
> problem report based on the above guidelines (one that includes an
> attached output of "cygcheck -svr" on your system) would allow us to track
> this down further.

Requested cygcheck attached, along with my sshd_config, group, and passwd
files.  (Files are from reproducing the issue on another box for privacy
concerns, which explains why the Cygwin version is slightly different from
my original post.)  In this example, all accounts are local, with no domain

Additionally, the following is logged to my Application Event Log:

Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM
... The following information is part of the event: sshd: PID 1504: User
MyUser from TestBox not allowed because none of user's groups are listed in

I do believe I misunderstood how the "groups" and "id" commands were
working.  I see that running "groups" without the username displays all
groups for the current user (not all groups on the system), where "groups
MyUser" displays only the primary group.  Some test output:

MyUser@winxpsp2base ~
$ groups
None root Administrators Users SshUsers

MyUser@winxpsp2base ~
$ id
uid=1004(MyUser) gid=513(None)

MyUser@winxpsp2base ~
$ groups MyUser
MyUser : None

MyUser@winxpsp2base ~
$ id -Gn MyUser

I'm guessing the OpenSSH sshd service must run some form of the latter pair,
which returns only the primary group, and not all associated Windows


Mark A. Ziesemer

> Igor
> -- 
>      |\      _,,,---,,_ |
> ZZZzz /,`.-'`'    -.  ;-;;,_ Igor Peshansky, Ph.D. (name changed!)
>     |,4-  ) )-,_. ,\ (  `'-' old name: Igor Pechtchanski
>    '---''(_/--'  `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
> "Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
> "But no -- you are no fool; you call yourself a fool, there's proof enough in
> that!" -- Rostand, "Cyrano de Bergerac"

Attachment: cygcheck.txt
Description: Text document

Attachment: group.txt
Description: Text document

Attachment: passwd.txt
Description: Text document

Attachment: sshd_config.txt
Description: Text document
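Added example (not code from the post, from Cygwin or from OpenSSH): a POSIX shell script that resolves a user's groups the way a lookup restricted to passwd/group file content can, which is the difference the post's "groups" vs "groups MyUser" output turns on. OpenSSH builds its AllowGroups list with getgrouplist() starting from the gid in the user's passwd entry, so what sshd sees is whatever that call returns for a user name, not the live access token of an already logged-on session; a files-backed resolver can only return the primary gid plus every group whose member field names the user. The script models that resolution (it does not reproduce sshd's source), and then makes the AllowGroups allow/deny decision on the result. The passwd and group records are constructed to resemble the post's layout (MyUser, gid 513 "None", a "SshUsers" group), with SIDs and a "Remote Desktop Users" group invented for the example; the two group files differ only in whether SshUsers' member field lists MyUser.

```shell
#!/bin/sh
# Added example: resolve a user's groups from passwd/group FILE CONTENT only,
# i.e. the primary gid from the passwd entry plus every group whose member
# field names the user. The records below are constructed for this example;
# they are not the attachments from the mailing-list post.

PASSWD_DB='MyUser:unused:1004:513:MyUser,S-1-5-21-1-2-3-1004:/home/MyUser:/bin/bash
Other:unused:1005:513:Other,S-1-5-21-1-2-3-1005:/home/Other:/bin/bash'

# Failing state from the post: SshUsers exists but its member field is empty.
GROUP_DB_EMPTY='None:S-1-5-21-1-2-3-513:513:
Users:S-1-5-32-545:545:
Remote Desktop Users:S-1-5-32-555:555:MyUser
SshUsers:S-1-5-21-1-2-3-1006:1006:'

# Same file, but MyUser is now listed in SshUsers' member field.
GROUP_DB_FIXED='None:S-1-5-21-1-2-3-513:513:
Users:S-1-5-32-545:545:
Remote Desktop Users:S-1-5-32-555:555:MyUser
SshUsers:S-1-5-21-1-2-3-1006:1006:MyUser,Other'

# file_groups USER PASSWD_TEXT GROUP_TEXT
# Prints one group name per line: the primary group (matched by gid) first,
# then each group whose comma-separated member list contains USER.
# Returns 1 if USER has no passwd entry.
file_groups() {
  user=$1 passwd_db=$2 group_db=$3
  gid=$(printf '%s\n' "$passwd_db" | awk -F: -v u="$user" '$1 == u { print $4 }')
  [ -n "$gid" ] || return 1
  printf '%s\n' "$group_db" | awk -F: -v u="$user" -v g="$gid" '
    $3 == g { primary = $1; next }      # primary group: found by gid only
    {
      # supplementary groups: only reachable through the member field
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) supp[++k] = $1
    }
    END {
      if (primary != "") print primary
      for (i = 1; i <= k; i++) print supp[i]
    }'
}

# allow_groups_ok USER PASSWD_TEXT GROUP_TEXT ALLOWED_GROUP...
# Models the AllowGroups decision: success if any resolved group is allowed.
# Exact, whole-line matching keeps names with spaces ("Remote Desktop Users")
# and prefixes ("Users" vs "SshUsers") from matching each other.
allow_groups_ok() {
  user=$1 passwd_db=$2 group_db=$3; shift 3
  resolved=$(file_groups "$user" "$passwd_db" "$group_db") || return 1
  for a in "$@"; do
    printf '%s\n' "$resolved" | grep -Fxq -- "$a" && return 0
  done
  return 1
}

# Demo: same user, same passwd entry, before and after fixing the member field.
printf 'member field empty : %s\n' "$(file_groups MyUser "$PASSWD_DB" "$GROUP_DB_EMPTY" | tr '\n' ' ')"
printf 'member field fixed : %s\n' "$(file_groups MyUser "$PASSWD_DB" "$GROUP_DB_FIXED" | tr '\n' ' ')"
```

The takeaway matches the post's symptom: with an empty member field the user resolves to the primary group alone and "AllowGroups SshUsers" denies them, while the interactive "groups" output (taken from the logon token) still shows SshUsers. A quick check on a real box is to compare the member field of the relevant line in /etc/group against what "groups" prints for the same account.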
