From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
To: cygwin@cygwin.com
Subject: Re: Domain User restrictions - Windows server 2012 R2
Date: Wed, 03 Jul 2019 16:24:00 -0000
Message-ID: <97c5c30b-fe6e-d36f-c9f9-c031b8973362@SystematicSw.ab.ca>
In-Reply-To: <9e8b10829e18453f9e3af064a0d67c7c@ATGRZSW1694.avl01.avlcorp.lan>
On 2019-07-03 02:41, Bergbauer, Daniel AVL/DE via cygwin wrote:
> I know the user restriction topic with ssh was discussed a lot and there are
> also a few solutions out there but really nothing is working for me (Domain
> Users)...
> In our company we are using cygwin on each of our machines to be able to run
> our projects with GNU make (everyone uses Windows 10)!
> I also developed a tool, with which all employees are able to synchronize
> their projects from their (slow) machines to our server (Windows Server 2012
> R2), run the make on the (fast) server, and synch the output back.
> All that works with a cygwin ssh connection + rsync!
> Information:
> * Cygwin (also ssh service) on the server is up and running on
> C:\tools\cygwin
> * Added Domain Users group to /etc/group of cygwin installation (means
> everyone can login with their windows password!):
> Domain Users:S-1-5-21-1054012322-559123688-2072061207-513:1049089:
> (Domain Users has a whitespace in it)
> * Added every Domain User to passwd file. ( with mkpasswd -d -u u89x77 )
> After that the user is able to login with ssh to the server with his windows
> password (because of Domain Users of course)
> Looks like this:
> u89x77:*:1441234:1049123:U-OTP01\u89x77,S-1-5-21-1054012322-559123688-2072061207-398637:/home/u89x77:/bin/bash
> * Mapped following directories in fstab file:
> 1. C:/tools/cygwin /
> 2. C:/projects /home (because the home folder of every user is:
> C:\projects\username)
> 3. C:/tools/cygwin/bin /usr/bin
> 4. C:/tools/cygwin/lib /usr/lib
> (I cannot remember why I mapped point 3 & 4)
> * Created RSA keys for EVERY user on the user's machine and put it into
> his/her home folder on the server with ssh-copy-id ...
> (/home/u89x77/.ssh == C:\projects\u89x77\.ssh).
> Everyone is now able to connect to his folder on the server without giving
> his/her windows password again (I had to do this because my tool to synch
> works with 'rsync')
> What I want now is, to restrict every user, who connects to the server via
> ssh, to its home folder /home/'username' == C:\projects\'username'
> For example: A user's username in our domain is u89x77. He's able to login
> normally via ssh but is also able to cd for example into C:\Windows or worse
> into C:\projects\'other username'\'absolute secret project'.
> And that is not what I want. The user should be blocked to cd out of
> C:\projects\u89x77 but of course needs to look inside his folder like cd
> C:\projects\'u89x77\'u89x77 project'.
> I tried a lot of things up to now and also made a lot of research. But
> unfortunately nothing worked...
> 1) Changed sshd_config file in cygwin/etc to:
> # Subsystem sftp /usr/sbin/sftp-server
> Subsystem sftp internal-sftp
> ChrootDirectory /home
> Match user u89x77
> ChrootDirectory /home/u89x77
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
> 2) Tried the same with Match group "Domain Users"...
> 3) Also changed the ID of cyg_server to *:0: in the passwd file.
> 4) Tried to change the owner of the different folders like C:\tools\cygwin to
> Administrator or cyg_server (but only windows/ACL rights...probably trying
> this with chown?...)
> All that did not work.
> I am absolutely clueless right now, read so much in the last months and
> nothing worked and now comes the time where it gets really important,
> because there'll be a few security projects and so on...
> This is the first time for me sending a mail here I don't even know if it is
> the right way, but I did not see any other forum or whatever.
> Thank you very much in advance.
> I am happy about every idea you have!
If there is a solution, it is usually from the creative application of the
explanations given locally in:
/usr/share/doc/cygwin-doc/html/cygwin-ug-net/ntsec.html
remotely at:
https://cygwin.com/cygwin-ug-net/ntsec.html
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
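An added example, not part of the thread and not Cygwin's or OpenSSH's code: the Python 3 script below resolves which sshd_config directives actually apply to a given login, using the two rules sshd_config(5) documents (for each keyword the first obtained value is used; a Match line starts a block that lasts until the next Match line or end of file, and its keywords override the global section for logins satisfying all of its criteria). SAMPLE_CONFIG is constructed to mirror what was quoted above: a global ChrootDirectory, the per-user Match block, and a group block that uses the %u token rather than a hard-coded name. All function names are the example's own; only the User and Group criteria are modelled, and the script does not reproduce the ownership check sshd performs on the chroot path (every component must belong to the root-equivalent account and be writable by nobody else), which is the part the ntsec page maps onto Windows ownership and ACLs.

```python
"""Resolve sshd_config Match blocks for one login and report consequences.

Example code written for this thread; not Cygwin's or OpenSSH's own.
Models sshd_config(5) semantics only: first obtained value wins, Match
blocks override the global section, earlier matching block keeps precedence.
"""
import shlex
from fnmatch import fnmatchcase

# Constructed sample (not a real server's file) in the shape quoted above.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
ChrootDirectory /home
Match User u89x77
    ChrootDirectory /home/u89x77
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Match Group "Domain Users"
    ChrootDirectory /home/%u
"""


def parse(text):
    """Return (global_directives, blocks); each block is (criteria, directives)."""
    global_directives, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = shlex.split(argument)          # keeps "Domain Users" as one token
            criteria = {k.lower(): v for k, v in zip(tokens[::2], tokens[1::2])}
            current = (criteria, {})
            blocks.append(current)
            continue
        target = current[1] if current is not None else global_directives
        target.setdefault(keyword, argument)       # first obtained value wins
    return global_directives, blocks


def pattern_matches(pattern_list, value):
    """sshd-style comma-separated patterns with * ? wildcards and ! negation."""
    matched = False
    for pattern in pattern_list.split(","):
        if pattern.startswith("!"):
            if fnmatchcase(value, pattern[1:]):
                return False                        # a negated hit rejects outright
        elif fnmatchcase(value, pattern):
            matched = True
    return matched


def block_matches(criteria, user, groups):
    """True when every criterion on the Match line is satisfied."""
    for criterion, pattern in criteria.items():
        if criterion == "user":
            if not pattern_matches(pattern, user):
                return False
        elif criterion == "group":
            if not any(pattern_matches(pattern, g) for g in groups):
                return False
        else:
            raise ValueError("criterion not modelled in this example: " + criterion)
    return True


def expand_tokens(value, user, home):
    """ChrootDirectory accepts %u (user name), %h (home directory) and %% (literal %)."""
    return (value.replace("%%", "\0").replace("%u", user)
                 .replace("%h", home).replace("\0", "%"))


def resolve(text, user, groups, home):
    """Return (effective, source): source[keyword] is 'global' or the index
    of the Match block that supplied the value."""
    global_directives, blocks = parse(text)
    effective = dict(global_directives)
    source = {k: "global" for k in effective}
    for index, (criteria, directives) in enumerate(blocks):
        if not block_matches(criteria, user, groups):
            continue
        for keyword, argument in directives.items():
            if source.get(keyword) in (None, "global"):   # an earlier block keeps precedence
                effective[keyword] = argument
                source[keyword] = index
    if "chrootdirectory" in effective:
        effective["chrootdirectory"] = expand_tokens(effective["chrootdirectory"], user, home)
    return effective, source


def findings(text, user, groups, home):
    """Plain-language consequences of the resolved directives for this login."""
    effective, source = resolve(text, user, groups, home)
    out = []
    chroot = effective.get("chrootdirectory")
    if chroot and source["chrootdirectory"] == "global":
        out.append("global ChrootDirectory %s applies to every login, administrators included" % chroot)
    if chroot and effective.get("forcecommand") == "internal-sftp":
        out.append("only SFTP is available inside %s; rsync over ssh and shells will not work" % chroot)
    elif chroot:
        out.append("%s must contain the login shell and everything it loads, or the login fails" % chroot)
    return out


if __name__ == "__main__":
    for login, groups in (("u89x77", ["Domain Users"]), ("abc123", ["Domain Users"]),
                          ("admin", ["Administrators"])):
        print(login, findings(SAMPLE_CONFIG, login, groups, "/home/" + login))
```

Running it against the constructed sample shows the trade-off behind step 1 of the quoted attempt: the per-user block does restrict u89x77 to /home/u89x77, but ForceCommand internal-sftp leaves only SFTP inside that chroot, so an rsync-over-ssh synchronisation cannot run there; dropping the ForceCommand instead requires the chroot to carry its own copy of bash and everything bash loads. The group block with %u reaches every domain user without one Match block per account, and a login that matches no block still inherits the global ChrootDirectory /home.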