public inbox for cygwin@cygwin.com
From: "Bergbauer, Daniel AVL/DE via cygwin" <cygwin@cygwin.com>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: Domain User restrictions - Windows server 2012 R2
Date: Wed, 03 Jul 2019 08:41:00 -0000	[thread overview]
Message-ID: <9e8b10829e18453f9e3af064a0d67c7c@ATGRZSW1694.avl01.avlcorp.lan> (raw)

Hi everyone,
I know the user restriction topic with ssh was discussed a lot and there are also a few solutions out there, but really nothing is working
for me (Domain Users)...

In our company we are using cygwin on each of our machines to be able to run our projects with GNU make (everyone uses Windows 10)!
I also developed a tool, with which all employees are able to synchronize their projects from their (slow) machines to our server (Windows Server 2012 R2),
run the make on the (fast) server, and synch the output back.
All that works with a cygwin ssh connection + rsync!
Information:
*       Cygwin (also ssh service) on the server is up and running on C:\tools\cygwin
*       Added the Domain Users group to /etc/group of the cygwin installation (this means everyone can log in with their windows password!):
   Domain Users:S-1-5-21-1054012322-559123688-2072061207-513:1049089:
   (Domain Users has a whitespace in it)

*       Added every Domain User to the passwd file (with mkpasswd -d -u u89x77).
   After that the user is able to log in with ssh to the server with his windows password (because of Domain Users, of course).
   Looks like this:
   u89x77:*:1441234:1049123:U-OTP01\u89x77,S-1-5-21-1054012322-559123688-2072061207-398637:/home/u89x77:/bin/bash
*       Mapped following directories in fstab file:
1.      C:/tools/cygwin /
2.      C:/projects /home (because the home folder of every user is: C:\projects\username)
3.      C:/tools/cygwin/bin /usr/bin
4.      C:/tools/cygwin/lib /usr/lib (I cannot remember why I mapped point 3 & 4)

*       Created RSA keys for EVERY user on the user's machine and put them into his/her home folder on the server with ssh-copy-id ... (/home/u89x77/.ssh  ==  C:\projects\u89x77\.ssh).
   Everyone is now able to connect to his folder on the server without giving his/her windows password again (I had to do this because my tool to sync works with 'rsync').


What I want now is to restrict every user who connects to the server via ssh to their home folder /home/'username' == C:\projects\'username'.
For example: A user's username in our domain is u89x77. He's able to log in normally via ssh but is also able to cd, for example, into C:\Windows or worse into C:\projects\'other username'\'absolute secret project'.
And that is not what I want. The user should be blocked from cd'ing out of C:\projects\u89x77 but of course needs to be able to look inside his folder, e.g. cd C:\projects\'u89x77'\'u89x77 project'.
I tried a lot of things up to now and also did a lot of research. But unfortunately nothing worked...

1) Changed the sshd_config file in cygwin/etc to:
     # Subsystem        sftp    /usr/sbin/sftp-server
     Subsystem   sftp  internal-sftp
     ChrootDirectory   /home
     Match user u89x77
        ChrootDirectory /home/u89x77
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

2) Tried the same with Match group "Domain Users"...
3) Also changed the ID of cyg_server to *:0:  in the passwd file.
4) Tried to change the owner of the different folders like C:\tools\cygwin to Administrator or cyg_server
    (but only via windows/ACL rights... probably I should try this with chown?...)

All that did not work.
I am absolutely clueless right now; I have read so much in the last months and nothing worked, and now comes the time where it gets really important, because there'll be
a few security projects and so on...
This is the first time for me sending a mail here; I don't even know if it is the right way, but I did not see any other forum or whatever.
Thank you very much in advance.

I am happy about every idea you have!

Best regards
Daniel Bergbauer




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Thread overview: 5+ messages
2019-07-03  8:41 Bergbauer, Daniel AVL/DE via cygwin [this message]
2019-07-03 16:24 ` Brian Inglis
2019-07-03 17:01 ` Bill Stewart
2019-07-05 19:31   ` L A Walsh
2019-07-06 19:35 ` Achim Gratz
