This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: sshd_conf and local groups
- From: "Larry Hall (Cygwin)" <reply-to-list-only-lh at cygwin dot com>
- To: Wes S <wess at acegroup dot cc>
- Cc: cygwin at cygwin dot com
- Date: Sat, 31 Dec 2005 18:05:35 -0500
- Subject: Re: sshd_conf and local groups
- References: <43B6BFC9.4630.2942A6@localhost>
- Reply-to: cygwin at cygwin dot com
Wes S wrote:
> I'm trying to lock down ssh access. I use exim for a mail server so
> I have a bunch of accounts on my w2k box. I don't want most to be
> able to use ssh.
>
> So reading the man file for sshd_config I added the following
> entry to sshd_config:
>
> #wrs 20051231 restrict email only nt accounts from ssh
> AllowGroups ssh_allow
>
> I added a local group using administration / computer management
> I imported into my /etc/group file:
>
> ssh_allow:S-1-5-21-1801674531-688789844-1060284298-1007:1007:
>
> Windows shows it as:
>
> C:\Documents and Settings\Administrator>net localgroup
> Aliases for \\BAREFOOT
> -------------------------------------------------------------------------------
> *Administrators *Backup Operators *Guests
> *Power Users *Replicator *ssh_allow
> *Test *Users
> The command completed successfully.
>
> Attempting to ssh into my pc:
>
> Administrator@barefoot ~
> $ ssh -l administrator 127.0.0.1
> administrator@127.0.0.1's password:
> Permission denied, please try again.
> administrator@127.0.0.1's password:
>
> Commenting out AllowGroups ssh_allow and restarting sshd lets me log
> in just fine.
>
> A clue would be welcome. The install was updated after I ran into
> these problems at 14:30 Eastern today.

I'm confused by your apparent confusion of the above. If you read the
man page for sshd_config as you suggested you did, you should understand
that any account that doesn't belong to the ssh_allow group will be
denied access. Presumably, you didn't add "administrator" to this
group. Also make sure you have an "administrator" account ("Administrator"
is the default account and isn't the same).
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
838 Washington Street (508) 893-9889 - FAX
Holliston, MA 01746
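
The membership check described in the reply above, as an added example that is not part of the original thread: it reads copies of sshd_config, /etc/passwd and /etc/group and reports whether a login name would pass `AllowGroups`. The function names are hypothetical, the passwd and `None` group entries are constructed, and the sketch assumes membership is resolved from those flat files with names compared exactly as spelled there.

```shell
# Added example (not from the thread): would USER pass sshd's AllowGroups check?
# Assumes flat files: passwd = name:pw:uid:gid:..., group = name:SID:gid:members.
# Only literal group names are compared; wildcard or negated patterns are not handled.

# Print every group named on an AllowGroups line (the keyword is case-insensitive).
allowed_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print USER's primary group and supplementary groups, one per line.
user_groups() {   # user_groups USER PASSWD GROUP
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) { gid = $4; found = 1 }; next }
        !found    { exit }
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$2" "$3"
}

# Returns 0 = allowed, 1 = denied by AllowGroups, 2 = no account spelled exactly USER.
ssh_group_check() {   # ssh_group_check USER SSHD_CONFIG PASSWD GROUP
    awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$3" || return 2
    allow=$(allowed_groups "$2")
    [ -n "$allow" ] || return 0      # no AllowGroups line: no group restriction
    mine=$(user_groups "$1" "$3" "$4")
    for a in $allow; do
        printf '%s\n' "$mine" | grep -Fxq -- "$a" && return 0
    done
    return 1
}

# Constructed sample files; only the sshd_config lines and the ssh_allow line are from the post.
make_sample() {   # make_sample DIR
    printf '%s\n' '#wrs 20051231 restrict email only nt accounts from ssh' \
        'AllowGroups ssh_allow' > "$1/sshd_config"
    printf '%s\n' 'Administrator:unused:500:513:,:/home/Administrator:/bin/bash' > "$1/passwd"
    printf '%s\n' 'None:S-1-5-21-0-0-0-513:513:' \
        'ssh_allow:S-1-5-21-1801674531-688789844-1060284298-1007:1007:' > "$1/group"
    sed 's/^ssh_allow:.*:$/&Administrator/' "$1/group" > "$1/group.fixed"
}

d=$(mktemp -d) && make_sample "$d"
for name in administrator Administrator; do
    for g in group group.fixed; do
        rc=0; ssh_group_check "$name" "$d/sshd_config" "$d/passwd" "$d/$g" || rc=$?
        echo "$name against $g: rc=$rc"
    done
done
rm -rf "$d"
```

The `group.fixed` file differs from `group` only in listing `Administrator` in the member field of the `ssh_allow` line.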