sshd_conf and AllowGroups - how to make work with non-primary groups?

Mark A. Ziesemer mark_z@charter.net
Sat Apr 8 17:38:00 GMT 2006


I think I found part of the problem...

I found the source for "id" which calls either "getgroups()" or 
"getugroups()" depending upon the usage (if passed without or with a 
specific username, respectively).  getugroups() is the one with the 
problem.  It uses setgrent() / getgrent() / endgrent(), and the list of 
groups returned from getgrent() is always coming back empty.

All I can find for these last functions are the header declarations - no 
source.  It's looking like a problem with the implementation of getgrent().

How can I track this down further, or otherwise go about getting this fixed?

> From: Igor Peshansky <pechtcha <at> cs.nyu.edu>
> Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
> Newsgroups: gmane.os.cygwin
> Date: 2006-03-01 16:55:50 GMT (5 weeks, 3 days and 19 minutes ago)
> 
> On Tue, 28 Feb 2006, Mark A. Ziesemer wrote:
> 
>> "Igor Peshansky" <pechtcha <at> XX.XXX.XXX> wrote:
> 
> <http://cygwin.com/acronyms/#PCYMTNQREAIYR>.  Thanks.
> 
>> > On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
>> >
>> >> I, too, am trying to lock down ssh access.  Using OpenSSH's
>> >> AllowGroups configuration option looks like it would fit my needs
>> >> perfectly, but it doesn't work!  More specifically, it ends up
>> >> denying all users, unless the user's PRIMARY group (as defined in
>> >> /etc/passwd) is within AllowGroups.
>> >>
>> >> I already found and read the following related posts, none of which
>> >> actually resolve the issue:
>> >> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
>> >> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
>> >> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local
>> >> groups" started 12/31/2005)
>> >>
>> >> Using AllowUsers works as expected - but this is an administrative
>> >> nightmare.  Ideally, I'd like to create a group called "SshUsers" and
>> >> set "AllowGroups SshUsers".  This works, but only if I set the needed
>> >> user accounts in /etc/passwd to use this as their primary group.
>> >> Some users need their primary group to remain otherwise for other
>> >> reasons...
>> >>
>> >> I'm guessing this is more of an issue with the Cygwin user commands
>> >> than it is with the OpenSSH implementation.  I DID run both mkpasswd
>> >> and mkgroup, and both my /etc/passwd and /etc/group files are
>> >> populated. However, running "groups myuser" or "id -Gn myuser"
>> >> returns only the primary group - "Domain Users".  The results are
>> >> identical whether running bash locally or through an ssh connection.
>> >>
>> >> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
>> >> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
>> >> 1.5.18, etc...
>> >>
>> >> Any assistance would be greatly appreciated - thanks!
>> >
>> > Let's start here:
>> >
>> >> Problem reports:       http://cygwin.com/problems.html
>> >
>> > In particular, for the group to be recognized by Cygwin, it needs to
>> > be in /etc/group.  I would guess that you're trying to set up a domain
>> > group... You didn't say exactly what mkgroup options you used to
>> > update /etc/group, so it may simply be that you're missing the
>> > necessary groups there (and thus Cygwin is unable to determine group
>> > membership).  But a proper problem report based on the above
>> > guidelines (one that includes an attached output of "cygcheck -svr" on
>> > your system) would allow us to track this down further.
>>
>> Requested cygcheck attached, along with my sshd_config, group, and
>> passwd files.  (Files are from reproducing the issue on another box for
>> privacy concerns, which explains why the Cygwin version is slightly
>> different from my original post.)  In this example, all accounts are
>> local, with no domain involved.
>>
>> Additionally, the following is logged to my Application Event Log:
>>
>> Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM ...
>> The following information is part of the event: sshd: PID 1504: User
>> MyUser from TestBox not allowed because none of user's groups are listed
>> in AllowGroups.
> 
> Ah, ok, so it's not a permissions issue.
> 
>> I do believe I misunderstood how the "groups" and "id" commands were
>> working.  I see that running "groups" without the username displays all
>> groups for the current user (not all groups on the system), where "groups
>> MyUser" displays only the primary group.  Some test output:
>>
>> MyUser <at> winxpsp2base ~
>> $ groups
>> None root Administrators Users SshUsers
>>
>> MyUser <at> winxpsp2base ~
>> $ id
>> uid=1004(MyUser) gid=513(None)
>> groups=0(root),513(None),544(Administrators),545(Users),1005(SshUsers)
>>
>> MyUser <at> winxpsp2base ~
>> $ groups MyUser
>> MyUser : None
>>
>> MyUser <at> winxpsp2base ~
>> $ id -Gn MyUser
>> None
> 
> Not surprising, as "groups" essentially calls "id -Gn".
> 
>> I'm guessing the OpenSSH sshd service must run some form of the latter
>> pair, which returns only the primary group, and not all associated
>> Windows groups...
> 
> This may be true (i.e., groups aren't listed properly)...  If you want to
> strip down sshd code to just the piece that queries for the groups, run
> that on Linux and Cygwin and demonstrate inconsistent results, I'm sure
> Corinna would be interested in such a testcase.

Running these commands under a real distro returns all groups as 
expected, so Cygwin is definitely behaving differently...

> 	Igor
> -- 
> 				http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_	    pechtcha <at> cs.nyu.edu | igor <at> watson.ibm.com
> ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
>      |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
>     '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
> 
> "Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
> "But no -- you are no fool; you call yourself a fool, there's proof enough in
> that!" -- Rostand, "Cyrano de Bergerac"

