public inbox for cygwin@cygwin.com
* Restrict active directory logins
From: E. Winston @ 2015-09-01  3:39 UTC (permalink / raw)
  To: cygwin

Hi all,

I am running cygwin 2.2.1(0.289/5/3) and OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015 on a domain joined Windows 2012 R2 server. I am not using /etc/passwd or /etc/group and I would prefer not to use these files as I anticipate a large number of accounts needing to be configured. As part of our group policy, NT AUTHORITY\Authenticated Users and NT AUTHORITY\Interactive are both part of the local Users group. The group policy also places NT AUTHORITY\Authenticated Users into the "Log on Locally" security policy. My primary purpose is to use this as an SFTP server. I have been able to deny SSH logins and limit access to only SFTP.

What I would like to know is, with this setup, whether there is a way to prevent any user in our domain from logging into the server?

Currently I have directory permissions set so they cannot see anything, but I'd rather not allow them to login at all.

I have a local group created with only the domain accounts I want to be able to explicitly login but thus far I have not been able to determine how to limit logins to just the members of this group. 

Thanks in advance,

-Ed
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Restrict active directory logins
From: Achim Gratz @ 2015-09-01  7:13 UTC (permalink / raw)
  To: cygwin

E. Winston <craddle2grave <at> hotmail.com> writes:
> I am running cygwin 2.2.1(0.289/5/3) and OpenSSH_7.1p1, OpenSSL 1.0.2d 9
> Jul 2015 on a domain joined Windows 2012 R2 server. I am not using
> /etc/passwd or /etc/group and I would prefer not to use these files as I
> anticipate a large number of accounts needing to be configured. As part of
> our group policy, NT AUTHORITY\Authenticated Users and NT AUTHORITY\Interactive
> are both part of the local Users group. The group policy also places
> NT AUTHORITY\Authenticated Users into the "Log on Locally" security policy.
> My primary purpose is to use this as an SFTP server. I have been able to
> deny SSH logins and limit access to only SFTP.

Why can't you just override the group policy and forbid local logins (except
for another AD group that you explicitly allow)?


Regards,
Achim.



* Re: Restrict active directory logins
From: Bryan Berns @ 2015-09-01 10:59 UTC (permalink / raw)
  To: cygwin

On Mon, Aug 31, 2015 at 11:39 PM, E. Winston <craddle2grave@hotmail.com> wrote:
> Hi all,
>
> I am running cygwin 2.2.1(0.289/5/3) and OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015 on a domain joined Windows 2012 R2 server. I am not using /etc/passwd or /etc/group and I would prefer not to use these files as I anticipate a large number of accounts needing to be configured. As part of our group policy, NT AUTHORITY\Authenticated Users and NT AUTHORITY\Interactive are both part of the local Users group. The group policy also places NT AUTHORITY\Authenticated Users into the "Log on Locally" security policy. My primary purpose is to use this as an SFTP server. I have been able to deny SSH logins and limit access to only SFTP.
>
> What I would like to know is, with this setup, whether there is a way to prevent any user in our domain from logging into the server?
>
> Currently I have directory permissions set so they cannot see anything, but I'd rather not allow them to login at all.
>
> I have a local group created with only the domain accounts I want to be able to explicitly login but thus far I have not been able to determine how to limit logins to just the members of this group.
>
> Thanks in advance,
>
> -Ed
>

Ed,

I have a similar arrangement.  Short of reprogramming Cygwin to *not*
do an interactive logon (i.e. do a network logon instead), I think
you're out of luck.  A network logon would work for what an SFTP
server needs to do, but probably isn't right for other purposes such
as a full SSH terminal session -- and unfortunately both
authentication processes go through the same function in Cygwin.  I
thought about proposing some configurable setting in Cygwin on the
mailing list, but the need is really too nuanced to merit
implementation (in my opinion).  If the users don't have access to the
console, just make sure that you're not also allowing "Allow log on
through Remote Desktop Services" -- that should prevent a user from
being logged in via Remote Desktop.

That said, the problem may actually be worse than you think.  If you
have roaming profiles enabled, they may be getting synced every time a
user logs in via SFTP.  If this isn't desired, you'll want to enable
user profile cleanup and disable roaming profiles for that system, in
general.  It'll slow down the login in addition to bloating the profile
directory.

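The two replies above turn on three user-rights assignments on the sshd host: "Allow log on locally" (which the original poster's group policy grants to Authenticated Users), "Deny log on locally" (Achim's suggested override) and "Allow log on through Remote Desktop Services" (Bryan's check). The following script is an added example, not code from this thread or from the Cygwin project: it exports the local security policy with `secedit`, resolves the SIDs that hold each of those rights, and warns when the allow right is held by Authenticated Users or by the local Users group, which in the poster's setup contains Authenticated Users. It assumes an elevated PowerShell session on the server; the temporary file name is an arbitrary choice.

```powershell
# Added example (not from the thread or from Cygwin): audit who holds the
# logon rights discussed in the replies. Run from an elevated PowerShell.

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed (is the session elevated?)" }

# Privilege constants and their display names in the Local Security Policy
# console. A deny right always takes precedence over the matching allow right.
$rights = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeDenyInteractiveLogonRight   = 'Deny log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
}

# Translate a SID string to DOMAIN\name; SIDs that cannot be resolved
# (deleted accounts, unreachable domain) are returned unchanged.
function Resolve-Sid([string]$sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }
}

# Return the principals assigned to one right. secedit writes SIDs with a
# leading '*'; any other token on the line is already an account name.
function Get-RightHolders([string[]]$policy, [string]$right) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) { Resolve-Sid $v.Substring(1) } else { $v }
    })
}

$policy = Get-Content -Path $cfg        # secedit writes UTF-16 with a BOM; Get-Content detects it
foreach ($name in $rights.Keys) {
    $holders = @(Get-RightHolders $policy $name)
    Write-Output ("{0} ({1}):" -f $rights[$name], $name)
    if ($holders.Count -eq 0) { Write-Output '    (nobody)' }
    else { $holders | ForEach-Object { Write-Output "    $_" } }
}

# Flag the condition the original post describes: Authenticated Users holding
# "Allow log on locally", either directly or through BUILTIN\Users, which the
# poster's group policy makes Authenticated Users a member of.
$allow = @(Get-RightHolders $policy 'SeInteractiveLogonRight')
$broad = @($allow | Where-Object { $_ -match 'Authenticated Users$|\\Users$' })
if ($broad.Count -gt 0) {
    $msg = "'Allow log on locally' is granted to {0}; every domain account can log on " +
           "interactively through Cygwin sshd unless a deny right covers it." -f ($broad -join ', ')
    Write-Warning $msg
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Two points to keep in mind when acting on the output. First, "Deny log on locally" overrides "Allow log on locally" for any account it matches, so denying Authenticated Users would also lock out the accounts in the poster's own allow group; the "except for another AD group" that Achim describes is achieved by removing the broad allow grant and granting the right to that group instead. Second, on a domain-joined server a setting changed in the local policy is overwritten at the next Group Policy refresh, so the change has to be made in the GPO that applies to this server, which is what "override the group policy" amounts to in practice.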
