Adding a network user to SSH Remote Login

Question

Hello everyone,

I am reaching out to the community to ask if anyone has tried to add a single user account  from AD to ssh access on the Mac?

I have tried the following

Created a policy to run a single terminal command:

dseditgroup -o edit -a “(networkid)” -t group com.apple.access_ssh

Also I have tried scripting this out in case the com.apple.access_ssh group is not there.

!/bin/bash/

dseditgroup -o create -q com.apple.access_ssh

dseditgroup -o edit -a "DOMAIN(networkid)" -t com.apple.access_ssh

Does anyone have any thoughts or have gotten this to work for them.

mschroder · Accepted Answer

Hi,we don't open it for individual users, but rather groups of users. Here is a script that adds groups to ssh,  screen-sharing, and admin:#!/bin/sh## set access permissions for the AD network groups (e-groups) passed in $4 to $11 # # The initial idea was to accept one group name (in $4) and call the same script several times. # But Jamf does not allow this. In 9.101 it calls the script twice, but both times with # the argument passed in the first case listed :(## check if Mac is bound to domaindomain=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')if [ &#034;$domain&#034; != &#034;Your.Domain&#034; ]; then    echo &#034;Problem with AD binding, domain = $domain&#034;    exit 2fi# global settings# enable sshd (&#034;remote login&#034;)echo &#034;Enabling 'Remote Login'&#034;systemsetup -f -setremotelogin on# enable screen sharingecho &#034;Enabling 'Screen Sharing'&#034;defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool falselaunchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plisti=4# treat all arguments from $4 on...for userGroup in &#034;${@:4}&#034;; do    # make sure we have a value    if [ &#034;$userGroup&#034; != &#034;&#034; ]; then        echo &#034;handling parameter $i,  $userGroup&#034;        for accessGroup in &#034;com.apple.loginwindow.netaccounts&#034; &#034;com.apple.access_ssh&#034; &#034;com.apple.access_screensharing&#034; &#034;admin&#034;; do            echo &#034;Adding group $userGroup to $accessGroup&#034;            # check whether group exists, if not create it            /usr/bin/dscl . -read /Groups/${accessGroup} > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q ${accessGroup}            /usr/sbin/dseditgroup -o edit -a ${userGroup} -t group ${accessGroup}        done        # And now we still have to add this        userGroup=&#034;com.apple.loginwindow.netaccounts&#034;        accessGroup=&#034;com.apple.access_loginwindow&#034;        echo &#034;Adding group $userGroup to $accessGroup&#034;        # would be surprising i it did not exist, but...        /usr/bin/dscl . -read /Groups/${accessGroup} > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q ${accessGroup}        /usr/sbin/dseditgroup -o edit -n /Local/Default -a ${userGroup} -t group ${accessGroup}    fi    i=$(($i+1))doneexitHope this helps.

santoroj · Answer

mschroder thank you for the response and your feedback,

I will have a group created in AD, add it to the $4 - $11 and test this out. I will get back to you and let you know how I make out.

Thankfully,

Jason S

!/bin/bash/

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded