
Is there a way to remove an ACL created by -secureSSH (using jamf createAccount command)?



We are working on a project where we are being asked to create a local hidden admin account with ACL to lock down SSH.



The final part of the project will be to remove the ACL imposed by the -secureSSH option.



The jamf binary help appears a bit outdated, and doesn't provide an answer:



$ jamf -help createAccount

Usage: jamf createAccount -username <username> -realname <Real Name>
[-password <password>] [-passhash <passhash>] [-home </path/to/home/directory>]
[-hint <hint>] [-shell <shell>] [-picture <picture>]
[-admin] [-secureSSH] [-hiddenUser] [-networkUser]

-username The user's user name

-realname The user's real name

-password The password of the user

-passhash The hashed password of the user

-home The location of the user's home directory

-hint The hint displayed to the user

-shell The user's default shell

-picture The user's picture for the Login window

-admin This flag adds the user to the admin group.

-hiddenUser Creates an account with a UID under 500 and hides it

-networkUser Creates an account with a UID over 1025

-secureSSH Modifies the /etc/sshd_config file to lock out all other users
In Mac OS X 10.5 and later, the group com.apple.ssh_access is modified instead of sshd_config.

$


Neither /etc/sshd_config nor com.apple.ssh_access provides any clues...



TIA
Don

I'm not completely certain, but don't you just need to remove the group "com.apple.ssh_access" on the box?


If you want to remove the ACL, this command should do it:



sudo dseditgroup -o delete -n . com.apple.access_ssh



That deletes the com.apple.access_ssh group, which is how Apple sets the ACL. No com.apple.access_ssh, no ACL.


@mm2270 Thanks, that did the trick



sudo dscl . delete /Groups/com.apple.access_ssh


[edit]Rich, I'll try your command too...pays to test them all and get familiar. :)



[EDIT#2]Rich, your command worked too, many thanks!



Don
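Added example, not from any poster in this thread: a script that saves the com.apple.access_ssh record before deleting it with the dseditgroup command given above, then confirms the group is gone and reports the Remote Login state, since SSH is no longer limited to the group's members once it is removed. The function names, the backup path under /var/root and the sample record are assumptions made for illustration; run it as root with `--remove` on the Mac.

```shell
#!/bin/sh
# Added example: back up, then remove, the macOS SSH access group.
GROUP="com.apple.access_ssh"

# Constructed sample of `dscl . -read /Groups/com.apple.access_ssh` output.
SAMPLE='AppleMetaNodeLocation: /Local/Default
GroupMembership: jamfadmin helpdesk
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
PrimaryGroupID: 399
RealName:
 SSH Service ACL
RecordName: com.apple.access_ssh'

# Print the values of one attribute ($1) from dscl -read text on stdin,
# one per line. Values may sit on the key line or on indented lines after it.
dscl_attr() {
    awk -v key="$1:" '
        /^[^ ]/ { inattr = ($1 == key); start = 2 }
        /^ /    { start = 1 }
        inattr  { for (i = start; i <= NF; i++) print $i }
    '
}

remove_ssh_acl() {
    # Hypothetical backup location; keeps the membership so it can be rebuilt.
    backup="/var/root/${GROUP}.$(date +%Y%m%d%H%M%S).txt"
    record=$(dscl . -read "/Groups/$GROUP" 2>/dev/null) || {
        echo "$GROUP not present: no SSH ACL to remove"; return 0; }
    printf '%s\n' "$record" > "$backup"
    echo "Saved record to $backup"
    echo "Direct members:"; printf '%s\n' "$record" | dscl_attr GroupMembership
    echo "Nested groups:";  printf '%s\n' "$record" | dscl_attr NestedGroups
    dseditgroup -o delete -n . "$GROUP"
    if dscl . -read "/Groups/$GROUP" >/dev/null 2>&1; then
        echo "Group still exists after delete" >&2; return 1
    fi
    # With the group gone, Remote Login is no longer restricted to its members.
    echo "ACL removed. Current Remote Login state:"
    systemsetup -getremotelogin
}

if [ "${1:-}" = "--remove" ]; then
    remove_ssh_acl
else
    # Offline demo: parse the constructed sample only, change nothing.
    printf '%s\n' "$SAMPLE" | dscl_attr GroupMembership
fi
```

If SSH is no longer needed after the ACL is removed, `systemsetup -setremotelogin off` turns Remote Login off entirely.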