public inbox for cygwin@cygwin.com
* Domain User restrictions - Windows server 2012 R2
From: Bergbauer, Daniel AVL/DE via cygwin @ 2019-07-03  8:41 UTC (permalink / raw)
  To: cygwin

Hi everyone,
I know the user restriction topic with ssh was discussed a lot and there are also a few solutions out there, but really nothing is working
for me (Domain Users)...

In our company we are using cygwin on each of our machines to be able to run our projects with GNU make (everyone uses Windows 10)!
I also developed a tool with which all employees are able to synchronize their projects from their (slow) machines to our server (Windows Server 2012 R2),
run make on the (fast) server, and sync the output back.
All that works with a cygwin ssh connection + rsync!
Information:
* Cygwin (also the ssh service) on the server is up and running in C:\tools\cygwin
* Added the Domain Users group to /etc/group of the cygwin installation (means everyone can login with their windows password!):
   Domain Users:S-1-5-21-1054012322-559123688-2072061207-513:1049089:
   (Domain Users has a whitespace in it)

* Added every Domain User to the passwd file (with mkpasswd -d -u u89x77).
   After that the user is able to login with ssh to the server with his windows password (because of Domain Users, of course).
   Looks like this:
   u89x77:*:1441234:1049123:U-OTP01\u89x77,S-1-5-21-1054012322-559123688-2072061207-398637:/home/u89x77:/bin/bash
* Mapped the following directories in the fstab file:
  1. C:/tools/cygwin /
  2. C:/projects /home (because the home folder of every user is: C:\projects\username)
  3. C:/tools/cygwin/bin /usr/bin
  4. C:/tools/cygwin/lib /usr/lib (I cannot remember why I mapped points 3 & 4)

* Created RSA keys for EVERY user on the user's machine and put them into his/her home folder on the server with ssh-copy-id ... (/home/u89x77/.ssh == C:\projects\u89x77\.ssh).
   Everyone is now able to connect to his folder on the server without giving his/her windows password again (I had to do this because my tool to sync works with 'rsync').


What I want now is to restrict every user who connects to the server via ssh to their home folder /home/'username' == C:\projects\'username'.
For example: a user's username in our domain is u89x77. He's able to login normally via ssh but is also able to cd, for example, into C:\Windows or worse into C:\projects\'other username'\'absolute secret project'.
And that is not what I want. The user should be blocked from cd'ing out of C:\projects\u89x77 but of course needs to be able to look inside his folder, like cd C:\projects\'u89x77\'u89x77 project'.
I have tried a lot of things up to now and have also done a lot of research. But unfortunately nothing worked...

1) Changed sshd_config file in cygwin/etc to:
     # Subsystem        sftp    /usr/sbin/sftp-server
     Subsystem   sftp  internal-sftp
     ChrootDirectory   /home
     Match user u89x77
        ChrootDirectory /home/u89x77
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

2) Tried the same with Match group "Domain Users"...
3) Also changed the ID of cyg_server to *:0:  in the passwd file.
4) Tried to change the owner of the different folders like C:\tools\cygwin to Administrator or cyg_server
    (but only windows/ACL rights...probably trying this with chown?...)

All that did not work.
I am absolutely clueless right now; I have read so much in the last months and nothing worked, and now comes the time where it gets really important, because there'll be
a few security projects and so on...
This is the first time I am sending a mail here; I don't even know if it is the right way, but I did not see any other forum or whatever.
Thank you very much in advance.

I am happy about every idea you have!

Best regards
Daniel Bergbauer




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Domain User restrictions - Windows server 2012 R2
From: Brian Inglis @ 2019-07-03 16:24 UTC (permalink / raw)
  To: cygwin


On 2019-07-03 02:41, Bergbauer, Daniel AVL/DE via cygwin wrote:
> I know the user restriction topic with ssh was discussed a lot and there are 
> also a few solutions out there but really nothing is working for me (Domain
> Users)...
> In our company we are using cygwin on each of our machines to be able to run 
> our projects with GNU make (everyone uses Windows 10)!
> I also developed a tool, with which all employees are able to synchronize 
> their projects from their (slow) machines to our server (Windows Server 2012
> R2), run the make on the (fast) server, and synch the output back.
> All that works with a cygwin ssh connection + rsync!
> Informations:
> * Cygwin (also ssh service) on the server is up and running on 
>   C:\tools\cygwin
> * Added Domain Users group to /etc/group of cygwin installation (means 
>   everyone can login with their windows password!):
>   Domain Users:S-1-5-21-1054012322-559123688-2072061207-513:1049089:
>   (Domain Users has a whitespace in it)
> * Added every Domain User to passwd file. ( with mkpasswd -d -u u89x77 )
>   After that the user is able to login with ssh to the server with his windows 
>   password (because of Domain Users of course)
>   Looks like this:
>   u89x77:*:1441234:1049123:U-OTP01\u89x77,S-1-5-21-1054012322-559123688-2072061207-398637:/home/u89x77:/bin/bash
> * Mapped following directories in fstab file:
> 1. C:/tools/cygwin /
> 2. C:/projects /home (because the home folder of every user is: 
>    C:\projects\username)
> 3. C:/tools/cygwin/bin /usr/bin
> 4. C:/tools/cygwin/lib /usr/lib
>   (I cannot remember why I mapped point 3 & 4)
> * Created RSA keys for EVERY user on the user's machine and put it into 
>   his/her home folder on the server with ssh-copy-id ... 
>   (/home/u89x77/.ssh == C:\projects\u89x77\.ssh).
> Everyone is now able to connect to his folder on the server without giving 
> his/her windows password again (I had to do this because my tool to synch
> works with 'rsync')
> What I want now is, to restrict every user, who connects to the server via
> ssh, to its home folder /home/'username' == C:\projects\'username'
> For example: A user's username in our domain is u89x77. He's able to login 
> normally via ssh but is also able to cd for example into C:\Windows or worse 
> into C:\projects\'other username'\'absolute secret project'.
> And that is not what I want. The user should be blocked to cd out of 
> C:\projects\u89x77 but of course needs to look inside his folder like cd 
> C:\projects\'u89x77\'u89x77 project'.
> I tried a lot of things up to now and also made a lot of research. But 
> unfortunately nothing worked...
> 1) Changed sshd_config file in cygwin/etc to:
>    # Subsystem        sftp    /usr/sbin/sftp-server
>    Subsystem   sftp  internal-sftp
>    ChrootDirectory   /home
>    Match user u89x77
>      ChrootDirectory /home/u89x77
>      X11Forwarding no
>      AllowTcpForwarding no
>      ForceCommand internal-sftp
> 2) Tried the same with Match group "Domain Users"...
> 3) Also changed the ID of cyg_server to *:0:  in the passwd file.
> 4) Tried to change the owner of the different folders like C:\tools\cygwin to
>    Administrator or cyg_server (but only windows/ACL rights...probably trying
>    this with chown?...)
> All that did not work.
> I am absolutely clueless right now, read so much in the last months and 
> nothing worked and now comes the time where it gets really important,
> because there'll be a few security projects and so on...
> This is the first time for me sending a mail here I don't even know if it is 
> the right way, but I did not see any other forum or whatever.
> Thank you very much in advance.
> I am happy about every idea you have!

If there is a solution, it is usually from the creative application of the
explanations given locally in:

	/usr/share/doc/cygwin-doc/html/cygwin-ug-net/ntsec.html

remotely at:

	https://cygwin.com/cygwin-ug-net/ntsec.html

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: Domain User restrictions - Windows server 2012 R2
From: Bill Stewart @ 2019-07-03 17:01 UTC (permalink / raw)
  To: cygwin

On Wed, Jul 3, 2019 at 2:41 AM Bergbauer, Daniel AVL/DE via cygwin wrote:

> What I want now is, to restrict every user, who connects to the server via ssh, to its home folder /home/'username' == C:\projects\'username'

If I understand, you are asking if you can restrict the user that
connects to a specific subdirectory structure?

If that's what you are asking, this is possible on POSIX because of
chroot. However, chroot is only emulated on Cygwin and is not a true
security control, so this doesn't work on Windows, unfortunately.

The good thing is that Windows permissions still apply, so for example
if the user is only a member of Users, they can do "cd \windows", but
they can't change any files in there.

The ChrootDirectory can be used for sftp-only accounts, however, if
configured correctly.

If you're interested, I created a Windows Cygwin OpenSSH package that
might be useful:

https://github.com/Bill-Stewart/Cygwin-OpenSSH

Bill


* Re: Domain User restrictions - Windows server 2012 R2
From: L A Walsh @ 2019-07-05 19:31 UTC (permalink / raw)
  To: cygwin

On 2019/07/03 10:01, Bill Stewart wrote:
> On Wed, Jul 3, 2019 at 2:41 AM Bergbauer, Daniel AVL/DE via cygwin wrote:
>
>> What I want now is, to restrict every user, who connects to the server via ssh, to its home folder /home/'username' == C:\projects\'username'

I don't know if this would work or be easy, but you could add everyone
to a special group, say 'cygmake', then use windows permission
to disallow access to directories they shouldn't be able to enter
using a windows "deny" entry.

You might have to play with it a bit, since you want them to have execute
access to the windows binaries, but maybe not read(?)  Never tried that
before, but if that works... might solve your problem.

Also, for their individual directories, you might want them only readable
by the user themselves -- so no other users can read it.

It's not ideal, since it involves changing permissions everywhere you don't
want them going, but at least, it has the benefit of being limited to
the 1 group you'd have to restrict.

I feel like I'm lacking sufficient expertise in windows to come up with a
good solution -- maybe asking the question in a windows forum about how
to do the equivalent of chroot or restricting them to their directory and
some list of windows directories?

good luck!



* Re: Domain User restrictions - Windows server 2012 R2
From: Achim Gratz @ 2019-07-06 19:35 UTC (permalink / raw)
  To: cygwin

Bergbauer, Daniel AVL/DE via cygwin writes:
> Informations:
> *       Cygwin (also ssh service) on the server is up and running on C:\tools\cygwin
> *       Added Domain Users group to /etc/group of cygwin installation (means everyone can login with their windows password!):
> *       Added every Domain User to passwd file.

Lots of cargo-culting there.  Get rid of the group and passwd files and
use AD instead (it's the default anyway).  I'd avoid password-based
logins with SSH and go public key only in your setup (unless the users
need to be able to use their credentials on the network).

> *       Mapped following directories in fstab file:
> 1.      C:/tools/cygwin /
> 2.      C:/projects /home (because the home folder of every user is: C:\projects\username)
> 3.      C:/tools/cygwin/bin /usr/bin
> 4.      C:/tools/cygwin/lib /usr/lib (I cannot remember why I mapped point 3 & 4)

None of this is really needed, but you could keep 2. (it's slightly
better to use /etc/fstab.d/username for that).

> * Created RSA keys for EVERY user on the user's machine and put it
> into his/her home folder on the server with ssh-copy-id
> ... (/home/u89x77/.ssh == C:\projects\u89x77\.ssh).  Everyone is now
> able to connect to his folder on the server without giving his/her
> windows password again (I had to do this because my tool to synch
> works with 'rsync')

So, disallow password-based logins.

> What I want now is, to restrict every user, who connects to the server
> via ssh, to its home folder /home/'username' == C:\projects\'username'
> For example: A user's username in our domain is u89x77. He's able to
> login normally via ssh but is also able to cd for example into
> C:\Windows or worse into C:\projects\'other username'\'absolute secret
> project'.

There is no way to restrict the user from exercising permissions that he
already has.  So you'd need to make sure that the DACL on the user
directories is set up so that nobody can peek into another user's
directory.  Plus, you must arrange it so that the user can not change the
DACL.  There is no chroot or similar on Windows.  You could perhaps try
whether Windows containers or a VM provide enough isolation, but that may not
be a workable option on Server 2012 and may eat too many resources depending
on the number of users.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

DIY Stuff:
http://Synth.Stromeko.net/DIY.html
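One way to apply the DACL setup Achim describes (and the per-user directory permissions L A Walsh suggests) to the C:\projects == /home layout from the original mail, as an added PowerShell example that is not from anyone in the thread. It assumes the NetBIOS domain is U-OTP01 (the prefix shown in the passwd line), that each folder name equals the account name, and that it runs from an elevated shell on the server:

```powershell
# Added example (not from the thread). Domain and layout are assumptions:
# C:\projects\<sAMAccountName> is the user's home, domain prefix U-OTP01.
$Domain = 'U-OTP01'
$Root   = 'C:\projects'

# 1. The root itself: Domain Users may list it ("this folder only", no
#    inheritance flags), so nothing below inherits a Users/Everyone read ACE.
icacls $Root /inheritance:r /grant:r "$Domain\Domain Users:(RX)" `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# 2. Each home: reset children to pure inheritance, cut inheritance at the
#    home, grant only that user (Modify: RX+W+D, no WRITE_DAC/WRITE_OWNER),
#    Administrators and SYSTEM. Owner stays the user because sshd's
#    StrictModes expects ~ and ~/.ssh to be owned by the logging-in user.
foreach ($home in Get-ChildItem -Path $Root -Directory) {
    $user = "$Domain\$($home.Name)"
    try {
        $null = ([System.Security.Principal.NTAccount]$user).Translate(
                  [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account '$user' for $($home.FullName); skipping"
        continue
    }
    icacls $home.FullName /reset /T /C | Out-Null
    icacls $home.FullName /inheritance:r /grant:r "${user}:(OI)(CI)M" `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    icacls $home.FullName /setowner $user /T /C | Out-Null
}

# 3. Audit: flag any home whose DACL still names a principal other than its
#    own user, Administrators or SYSTEM (leftover Users/Everyone ACEs, or an
#    ACE the user added himself).
foreach ($home in Get-ChildItem -Path $Root -Directory) {
    $allowed = @("$Domain\$($home.Name)", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    foreach ($ace in (Get-Acl -Path $home.FullName).Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            Write-Warning "$($home.FullName): $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
}
```

This closes the "peek into another user's directory" gap but not Achim's second point: as owner of his home the user keeps the implicit WRITE_DAC, so he can relax his own directory again (a Cygwin chmod there is the same DACL write), which is why the audit loop in step 3 is worth scheduling. Taking ownership away from the user would stop that, but then sshd's StrictModes check would reject the key login, so StrictModes and ownership have to be decided together.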
