Question

Enable SSH from Jamf for Specific User

  • September 24, 2019
  • 9 replies
  • 13 views


Hi there,

What would be the best/easiest way to enable SSH on a specific users' machine remotely, from Jamf?

thank you!

9 replies

  • Valued Contributor
  • 108 replies
  • March 27, 2020

@scalar-its, I'm looking to do the same thing. Did you find out a way to do this?


russeller
  • Valued Contributor
  • 215 replies
  • March 29, 2020

Here are the basic commands that you could make a script out of. Please test this before deployment.

#!/bin/sh
ssh_user="username_here"

# turn ssh on
systemsetup -setremotelogin on

# append user to the SSH access group (existing members are kept)
dseditgroup -o edit -a "$ssh_user" -t user com.apple.access_ssh

# restart ssh
launchctl unload /System/Library/LaunchDaemons/ssh.plist
sleep 5
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

exit 0

You could add some additional error handling like checking the membership of the ssh group by using something like:

# match the whole name, so "bob" is not accepted because "bobby" is a member
check_ssh_group=$(dscl . -read /Groups/com.apple.access_ssh GroupMembership | tr ' ' '\n' | grep -Fx "$ssh_user")
if [ -z "$check_ssh_group" ]; then
   echo "$ssh_user was not added to group"
   exit 1
fi

Hopefully this will give you a head start in building your own script for your Macs. You might want to also reach out to the MacAdmins on Slack for more advice.


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • March 29, 2020

As @ssrussell recommended, some additional logic can help. Here's the script we use in Self Service:

#!/bin/bash
# Confirm SSH is enabled, and that an ACL exists, and that $CURRENT_USER is allowed.
# 20200106 DM

# Variables

# Console user via SystemConfiguration (empty at the login window). This relies on
# the system python, which later macOS releases no longer ship.
CURRENT_USER=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

if [[ -z "$CURRENT_USER" ]]
then
    echo "No console user is logged in."
    exit 1
fi

# Functions

ENABLE_REMOTE_LOGIN()
{
    systemsetup -setremotelogin on
}

CHECK_REMOTE_LOGIN()
{
    systemsetup -getremotelogin
}

CREATE_ACL()
{
    # "-o create" fails when the group already exists, so only create it if a read fails,
    # then append the user either way.
    dseditgroup -o read com.apple.access_ssh >/dev/null 2>&1 || dseditgroup -o create -q com.apple.access_ssh
    dseditgroup -o edit -a "$CURRENT_USER" -t user com.apple.access_ssh
}

BOUNCE_REMOTE_LOGIN()
{
    launchctl unload -w /System/Library/LaunchDaemons/ssh.plist && launchctl load -w /System/Library/LaunchDaemons/ssh.plist
}

CHECK_MEMBERSHIP()
{
    dseditgroup -o checkmember -m "$CURRENT_USER" com.apple.access_ssh
}

# Commands

# The function's output has to be captured with $(...); a bare name would compare a literal string.
if [[ "$(CHECK_REMOTE_LOGIN)" == "Remote Login: On" ]]
then
    echo "Remote Login is enabled, allowing $CURRENT_USER."
    CREATE_ACL
    echo "Bouncing Remote Login."
    BOUNCE_REMOTE_LOGIN
    sleep 5
    echo "Confirming Remote Login is enabled."
    CHECK_REMOTE_LOGIN
    echo "Confirming ACL membership."
    CHECK_MEMBERSHIP
else
    echo "Remote Login is disabled, enabling."
    ENABLE_REMOTE_LOGIN
    sleep 5
    if [[ "$(CHECK_REMOTE_LOGIN)" == "Remote Login: On" ]]
    then
        echo "Remote Login is enabled, allowing $CURRENT_USER."
        CREATE_ACL
        echo "Bouncing Remote Login."
        BOUNCE_REMOTE_LOGIN
        sleep 5
        echo "Confirming Remote Login is enabled."
        CHECK_REMOTE_LOGIN
        echo "Confirming $CURRENT_USER is allowed."
        CHECK_MEMBERSHIP
    else
        echo "There was a problem enabling Remote Login."
        exit 1
    fi
fi

exit 0

  • Valued Contributor
  • 108 replies
  • March 30, 2020

Does anyone know offhand whether adding an SSH user to a computer will wipe any users that are already on there? In my environment (HigherEd) we have Computer Science folks that may already have an SSH connection to a machine. I want to make sure it won't break that connection.


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • March 30, 2020

The dseditgroup -o edit -a "$CURRENT_USER" -t user com.apple.access_ssh command appends to the ACL.

Would test of course.


pete_c
  • Honored Contributor
  • 251 replies
  • March 30, 2020

@joethedsa all you're doing is allowing or preventing a user from logging in via SSH. You're not actively adding or removing user accounts.


adam_macy1
  • New Contributor
  • 6 replies
  • June 1, 2020

com.apple.access_ssh has changed to com.apple.access_remote_ae


  • New Contributor
  • 67 replies
  • March 12, 2021

SSH ACL on 10.14 - 10.16:
dseditgroup -o edit -a "USER" -t user com.apple.access_ssh

Restart the ssh daemon:

launchctl kickstart -k system/com.openssh.sshd

com.apple.access_remote_ae is the ACL for Remote Apple Events (not needed).


  • New Contributor
  • 2 replies
  • March 25, 2025
adam_macy1 wrote:

com.apple.access_ssh has changed to com.apple.access_remote_ae


The groups com.apple.access_ssh and com.apple.access_remote_ae serve different purposes:

  • com.apple.access_ssh: This group is used to manage access to the SSH service on a Mac. Users added to this group are allowed to log in remotely via SSH.
  • com.apple.access_remote_ae: This group is used to manage access to Remote Apple Events. Users in this group can send Apple events to the Mac from other computers, which can be useful for remote automation tasks.

If the goal is to enable SSH access, you should use com.apple.access_ssh. If you need to enable remote Apple events for automation purposes, then com.apple.access_remote_ae is the appropriate group.
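An added example, not code from any post in this thread: a Jamf policy script that puts the pieces discussed above together (systemsetup to turn Remote Login on, dseditgroup against com.apple.access_ssh, launchctl kickstart to restart sshd, a checkmember verification). It assumes the target username is supplied as Jamf script parameter $4 (Jamf fills $1 to $3 itself). The two parsing helpers at the top run anywhere; the rest only runs on macOS because that is where the tools exist.

```bash
#!/bin/bash
# Added example (not from the thread). Allows one user to log in over SSH from a
# Jamf policy. Assumption: the username is passed as policy parameter 4.

ACL_GROUP="com.apple.access_ssh"   # the SSH ACL; com.apple.access_remote_ae is Remote Apple Events

# Parse the output of `systemsetup -getremotelogin`; returns 0 when Remote Login is on.
remote_login_is_on() {
    case "$1" in
        *"Remote Login: On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exact-match a username against a dscl "GroupMembership: a b c" line.
# A plain `grep -o $user` would accept "bob" because "bobby" is a member;
# this compares whole whitespace-separated tokens instead.
user_in_membership() {
    user="$1"
    line="${2#GroupMembership:}"
    for member in $line; do
        [ "$member" = "$user" ] && return 0
    done
    return 1
}

# Current ACL membership as Directory Services reports it (macOS only).
acl_membership() {
    dscl . -read "/Groups/$ACL_GROUP" GroupMembership 2>/dev/null
}

enable_ssh_for_user() {
    target="$1"

    # Refuse to touch the ACL for an account that does not exist locally.
    if ! id "$target" >/dev/null 2>&1; then
        echo "user '$target' not found" >&2
        return 1
    fi

    # Turn Remote Login on only if it is off, and confirm the change took.
    if ! remote_login_is_on "$(systemsetup -getremotelogin)"; then
        systemsetup -setremotelogin on
        sleep 2
        if ! remote_login_is_on "$(systemsetup -getremotelogin)"; then
            echo "could not enable Remote Login" >&2
            return 1
        fi
    fi

    # `dseditgroup -o create` fails when the group already exists, so create it
    # only if a read fails; the ACL group may not exist until SSH is first enabled.
    dseditgroup -o read "$ACL_GROUP" >/dev/null 2>&1 || dseditgroup -o create -q "$ACL_GROUP"

    # Append the user; existing members keep their access.
    dseditgroup -o edit -a "$target" -t user "$ACL_GROUP" || return 1

    # Restart sshd without unloading the launchd plist (the thread's later suggestion).
    launchctl kickstart -k system/com.openssh.sshd

    # Verify twice: once via dseditgroup, once by reading the raw membership list.
    dseditgroup -o checkmember -m "$target" "$ACL_GROUP" >/dev/null || return 1
    user_in_membership "$target" "$(acl_membership)"
}

# Only act on macOS and only when Jamf supplied a username in parameter 4.
if [ "$(uname -s)" = "Darwin" ] && [ -n "${4:-}" ]; then
    if enable_ssh_for_user "$4"; then
        echo "SSH allowed for $4"
    else
        exit 1
    fi
fi
```

In Jamf, attach this to a policy with parameter 4 labelled for the username; the `id` check means a typo in that parameter fails the policy instead of silently creating an ACL entry for a non-existent account.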
