Skip to main content

Is there a way to remove an ACL created by -secureSSH (using jamf createAccount command)?

We are working on a project where we are being asked to create a local hidden admin account with ACL to lock down SSH.

The final part of the project will be to remove the ACL imposed by the -secureSSH option.

The jamf binary help appears a bit outdated, and doesn't provide an answer:

$ jamf -help createAccount Usage: jamf createAccount -username <username> -realname <Real Name> [-password <password>] [-passhash <passhash>] [-home </path/to/home/directory>] [-hint <hint>] [-shell <shell>] [-picture <picture>] [-admin] [-secureSSH] [-hiddenUser] [-networkUser] -username The user's user name -realname The user's real name -password The password of the user -passhash The hashed password of the user -home The location of the user's home directory -hint The hint displayed to the user -shell The user's default shell -picture The user's picture for the Login window -admin This flag adds the user to the admin group. -hiddenUser Creates an account with a UID under 500 and hides it -networkUser Creates an account with a UID over 1025 -secureSSH Modifies the /etc/sshd_config file to lock out all other users In Mac OS X 10.5 and later, the group com.apple.ssh_access is modified instead of sshd_config. $

Neither /etc/sshd_config or com.apple.ssh_access provide any clues...

TIA
Don

I'm not completely certain, but don't you just need to remove the group "com.apple.ssh_access" on the box?

If you want to remove the ACL, this command should do it:

sudo dseditgroup -o delete -n . com.apple.access_ssh

That deletes the com.apple.access_ssh group, which is how Apple sets the ACL. No com.apple.access_ssh, no ACL.

@mm2270 Thanks, that did the trick

sudo dscl . delete /Groups/com.apple.access_ssh

[EDIT]Rich, I'll try your command too...pays to test them all and get familiar. :)

[EDIT#2]Rich, your command worked too, many thanks!

Don

Terms & ConditionsCookie settings