This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd_conf and local groups


Wes S wrote:
I'm trying to lock down ssh access. I use exim for a mail server so I have a bunch of accounts on my w2k box. I don't want most to be able to use ssh.

So reading the man file for sshd_config I added the following entry to sshd_config:

#wrs 20051231 restrict email only nt accounts from ssh
AllowGroups ssh_allow

I added a local group using administration / computer management

I imported into my /etc/group file:
ssh_allow:S-1-5-21-1801674531-688789844-1060284298-1007:1007:

Windows shows it as:
C:\Documents and Settings\Administrator>net localgroup

Aliases for \\BAREFOOT

-------------------------------------------------------------------------------
*Administrators           *Backup Operators         *Guests
*Power Users              *Replicator               *ssh_allow
*Test                     *Users
The command completed successfully.


Attempting to ssh into my pc:
Administrator@barefoot ~
$ ssh -l administrator 127.0.0.1
administrator@127.0.0.1's password:
Permission denied, please try again.
administrator@127.0.0.1's password:

Commenting out AllowGroups ssh_allow and restarting sshd lets me log in just fine.

A clue would be welcome. The install was updated after I ran into these problems at 14:30 Eastern today.

I'm confused by your apparent confusion of the above. If you read the man page for sshd_config as you suggested you did, you should understand that any account that doesn't belong to the ssh_allow group will be denied access. Presumably, you didn't add "administrator" to this group. Also make sure you have an "administrator" account ("Administrator" is the default account and isn't the same).


--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA  01746
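An added example, not part of either message: a small offline audit of which accounts an `AllowGroups` line admits, given the text of sshd_config, /etc/passwd and /etc/group. It models only `AllowGroups` with `*`/`?` patterns and exact-case account lookup (an assumption following the reply); the function names, the passwd entry and the `EXAMPLE` SIDs are constructed, and only the config lines and the ssh_allow group line come from the post.

```python
import fnmatch

# Constructed sample files; see the lead-in for which lines come from the post.
SSHD_CONFIG = ("#wrs 20051231 restrict email only nt accounts from ssh\n"
               "AllowGroups ssh_allow\n")
PASSWD = ("Administrator:unused:500:513:U-BAREFOOT\\Administrator,"
          "S-1-5-21-EXAMPLE-500:/home/Administrator:/bin/bash\n")
GROUP = ("None:S-1-5-21-EXAMPLE-513:513:\n"
         "ssh_allow:S-1-5-21-1801674531-688789844-1060284298-1007:1007:\n")

def allow_groups(config_text):
    """Collect AllowGroups patterns; an empty list means no group restriction."""
    patterns = []
    for line in config_text.splitlines():
        words = line.split()
        if words and not words[0].startswith("#") and words[0].lower() == "allowgroups":
            patterns.extend(words[1:])
    return patterns

def groups_of(user, passwd_text, group_text):
    """Group names for user: primary group (by GID) plus listed memberships.
    Returns None when the account name is not in passwd (exact-case match)."""
    primary_gid = None
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            primary_gid = fields[3]
    if primary_gid is None:
        return None
    names = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        members = [m for m in fields[3].split(",") if m]
        if fields[2] == primary_gid or user in members:
            names.add(fields[0])
    return names

def may_login(user, config_text, passwd_text, group_text):
    """True if the AllowGroups rule (and nothing else) would admit this account."""
    groups = groups_of(user, passwd_text, group_text)
    if groups is None:
        return False
    patterns = allow_groups(config_text)
    if not patterns:
        return True
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)
```

With the group line as posted (empty member list) `may_login("Administrator", SSHD_CONFIG, PASSWD, GROUP)` is false; it becomes true once `Administrator` appears in the fourth field of the ssh_allow line.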



