close ssh for local admin account while on public internet

Jak
New Contributor III

Hi list,

I'm sure I'll work this out, but just in case someone has already invented this particular wheel..

My casper Macs have two local admin accounts, one used by casper and one used by tech staff

While our password for the tech admin account is not simple, it could be compromised by various means.

That would be bad.

The casper account won't be so easy to compromise.

Thus, what I'd like to achieve is to allow SSH while on the corporate network for the local admin account and then block this when on the public internet.

I'm sure there are a number of ways to achieve this, just wonder what anyone here has done.

Thanks,

Jak.



jarednichols
Honored Contributor

I'd probably run some sort of launchdaemon script that checks the IP address every so often (every minute?). If it's not in the range(s) that you expect for your subnet(s) you can remove the user from the group com.apple.access_ssh with a dscl command. If the machine's IP address is within the acceptable IP ranges, check to see if the user is in that group and if not, add it back in.

10 lines of shell script should do.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
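The launchd-driven approach Jared describes, as an added example that is not code from the thread or from Jamf: a script that reads the primary IPv4 address, tests it against a list of corporate CIDR blocks, and adds or removes the tech admin from com.apple.access_ssh. The account name, the ranges, the group-editing tool (dseditgroup rather than raw dscl; both are Apple's) and the way the primary interface is found are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: gate the tech admin's SSH access on
# whether the Mac's primary IPv4 address is inside a corporate range.
# Intended to be run as root from a LaunchDaemon (StartInterval or WatchPaths).

TECH_ADMIN="techadmin"                     # assumed local admin short name
CORP_RANGES="10.0.0.0/8 192.168.50.0/24"   # assumed corporate CIDR blocks
SSH_GROUP="com.apple.access_ssh"

# Dotted quad -> 32-bit integer, POSIX arithmetic only (no bash-isms).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> status 0 when ADDR is inside the block.
in_cidr() {
    addr_int=$(ip_to_int "$1")
    net_int=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr_int & mask )) -eq $(( net_int & mask )) ]
}

# on_corporate_net ADDR -> status 0 if ADDR falls inside any corporate range.
on_corporate_net() {
    for range in $CORP_RANGES; do
        in_cidr "$1" "$range" && return 0
    done
    return 1
}

# Primary IPv4 address: interface of the default route, then its address.
primary_ip() {
    iface=$(route -n get default 2>/dev/null | awk '/interface:/ {print $2}')
    [ -n "$iface" ] && ipconfig getifaddr "$iface"
}

# set_ssh_access USER allow|deny -- idempotent group membership change.
set_ssh_access() {
    if dseditgroup -o checkmember -m "$1" "$SSH_GROUP" >/dev/null 2>&1; then
        member=yes
    else
        member=no
    fi
    case "$2:$member" in
        allow:no) dseditgroup -o edit -a "$1" -t user "$SSH_GROUP" ;;
        deny:yes) dseditgroup -o edit -d "$1" -t user "$SSH_GROUP" ;;
    esac
}

# The privileged part only runs on macOS as root; the functions above are
# pure and can be exercised anywhere.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    addr=$(primary_ip)
    if [ -n "$addr" ] && on_corporate_net "$addr"; then
        set_ssh_access "$TECH_ADMIN" allow
    else
        set_ssh_access "$TECH_ADMIN" deny   # no address at all counts as off-net
    fi
fi
```

Two caveats worth checking before relying on this: the com.apple.access_ssh group only restricts logins when Remote Login is set to "Only these users" (with "All users" the group is not consulted), and the script fails closed, so a Mac with no usable address loses admin SSH until it gets one.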

tlarkin
Honored Contributor

This will be sort of annoying if you have multiple Macs. Assuming only laptops go off campus and if you have both MacBook Airs and other Mac laptops en0 could be the Ethernet or the AirPort. I wonder if you can just watch a file path with launchd and when the network preference file gets modified you can trigger the script that detects the IP.

Though I do have to ask why? I mean if they have admin access to the machine they can undo anything you do. They could unload the launch daemon, they could give themselves ssh access again by simply going into the sharing pref pane in System Preferences. Seems to me like a lot of work for something that really can be bypassed very easily.

-Tom

Jak
New Contributor III

Hi Tom,

Point of this is to disable SSH for the local admin account while off the company network.

While our local admin password isn't simple, there is the human aspect here, thus I would, if practicable, like to disable SSH for that user account.

If it becomes too much, then we will have to make the admin ssh account password much longer.

Jak
New Contributor III

Nice idea.. Thanks, though I do have a LOT of subnets… like a LOT..

Thanks!

ahancock
New Contributor

Consider basing the test on a DNS lookup, of a hostname you control both internally & externally.

Then have the script triggered by launchd based on network change.

On Oct 11, 2011, at 8:57 AM, Jak Piper wrote:

--

Mac Consulting Group, Inc. - 225-933-5311 - Baton Rouge, Louisiana

Apple Support, Service, Sales, and Training http://macconsultinggroup.com/training

Jak
New Contributor III

Hi Allen,

Just my thoughts, won't resolve an internal dns name externally, thus BINGO!

Thanks.

ahancock
New Contributor

Careful tho, so many ISPs' DNS will give a fake result for lookups they can't resolve.

So, test for the right answer (probably an internal IP) and treat anything else as a failure (vs hoping it won't resolve)

bentoms
Release Candidate Programs Tester

Create a policy that will run offline.

That policy contains a script

The script would be something like:

If I can connect to jss then exit, else disable ssh for account <accountname>.

There's a verb for the Jamf binary called checkJSSConnection, which will report back if it can connect to the jss.

Regards,

Ben.

jarednichols
Honored Contributor

To me, if you're looking to be *most* secure, I'd set up ipfw to deny SSH access unless it's coming from a specific IP range. So for instance, if your user is in a Starbucks and someone's trying to knock on the SSH door, ipfw will tell them to go the hell away. However, if they establish VPN connectivity, SSH coming from your corporate network would be allowed through.

This seems to be the most simple option and would require the least mucking about.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
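Jared's firewall variant, as an added example rather than anything from the thread: a small generator for an ipfw rule set that lets new SSH connections in only from corporate ranges (a VPN address pool included, so the VPN case he mentions works) and denies every other inbound attempt on port 22. Ranges, rule numbers and the VPN pool are assumptions. Note that ipfw was deprecated from OS X 10.7 in favour of pf, so check which firewall your release actually supports.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules that accept inbound SSH only
# from corporate address blocks and drop the rest. Everything below is assumed.

CORP_RANGES="10.0.0.0/8 192.168.50.0/24 172.16.100.0/24"   # last block: assumed VPN pool
SSH_PORT=22

# Emit the rules, one per line, without applying them. Allows get 1000+,
# loopback is 1100, and the catch-all deny for port 22 is 1200, so ipfw's
# first-match evaluation sees the allows before the deny.
ssh_ipfw_rules() {
    n=1000
    for r in $CORP_RANGES; do
        echo "add $n allow tcp from $r to me $SSH_PORT in"
        n=$((n + 1))
    done
    echo "add 1100 allow tcp from 127.0.0.0/8 to me $SSH_PORT in via lo0"
    echo "add 1200 deny tcp from any to me $SSH_PORT in"
}

# Number of rules the set contains (sanity check before applying).
ssh_ipfw_rule_count() { ssh_ipfw_rules | wc -l | tr -d ' '; }

# Apply only on macOS, as root, and only where ipfw still exists. Our own
# rule numbers are deleted first so re-running the script is idempotent.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
    ssh_ipfw_rules | awk '{print $2}' | while read -r num; do
        ipfw -q delete "$num" 2>/dev/null
    done
    ssh_ipfw_rules | while read -r rule; do
        ipfw -q $rule
    done
fi
```

Because the deny is limited to inbound packets for port 22, return traffic for connections the Mac itself opens is unaffected and no "established" rule is needed; ipfw rules do not survive a reboot on their own, so the script still needs a LaunchDaemon to reapply them at boot.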

rockpapergoat
Contributor III

why don't you disable password logins and only use keys for ssh access?

it would save you the trouble of having to write some routine to disable when off your subnets.
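Following on from the keys-only suggestion, here is an added example (not from the thread, not Apple's or Jamf's code) that puts the whole policy inside sshd_config: passwords off globally, and, for the tech admin only, no authentication method at all when the client address is outside the corporate ranges. sshd evaluates the Match block per connection, so there is no group membership to shuffle. The account name, the CIDR blocks and the assumption that the existing file contains no Match blocks of its own are mine; PubkeyAuthentication inside a Match block needs a reasonably recent OpenSSH, which is why the script validates with sshd -t before installing anything.

```shell
#!/bin/sh
# Added example, not from the thread: express the "admin SSH only from the
# corporate network" rule as an sshd_config Match block. Assumed values below.

TECH_ADMIN="techadmin"
CORP_RANGES="10.0.0.0/8,192.168.50.0/24"   # comma-separated, as sshd Address patterns expect

# Build the negated pattern list "*,!10.0.0.0/8,!192.168.50.0/24":
# everything, except the corporate blocks.
outside_corp_pattern() {
    printf '*'
    for r in $(printf '%s' "$CORP_RANGES" | tr ',' ' '); do
        printf ',!%s' "$r"
    done
    printf '\n'
}

# Print the fragment to append to sshd_config. Match blocks must come after
# the global settings, and run until the next Match keyword.
ssh_policy_fragment() {
    cat <<EOF
# Keys only, for every account.
PasswordAuthentication no
KbdInteractiveAuthentication no

# Tech admin from anywhere that is NOT a corporate range: no way to authenticate.
Match User $TECH_ADMIN Address $(outside_corp_pattern)
    PubkeyAuthentication no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
EOF
}

# Install only on macOS as root, and only if sshd accepts the merged file.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    tmp=$(mktemp /tmp/sshd_config.XXXXXX)
    cat /etc/ssh/sshd_config > "$tmp"   # assumes no existing Match blocks
    ssh_policy_fragment >> "$tmp"
    if /usr/sbin/sshd -t -f "$tmp"; then
        cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
        cp "$tmp" /etc/ssh/sshd_config
    else
        echo "sshd rejected the merged config; leaving the live file alone" >&2
    fi
    rm -f "$tmp"
fi
```

On macOS, launchd spawns sshd per connection, so the new file takes effect on the next login without a restart. The caveat from earlier in the thread still applies: a user with admin rights can edit this file back, so it protects against a leaked password, not against a hostile admin.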

sean
Valued Contributor

If you are going to go down the route of making a launchd, then I would suggest using WatchPaths in a launchd on /Library/Preferences/SystemConfiguration/com.apple.network.identification.plist instead of running small periodicals.

This file will update every time the machine receives a new ip.

Next, in the script, run hostname (yup, I'm gonna suggest cut again!!)

hostname | cut -d "." -f 2-

or maybe

hostname | cut -d "." -f 3-

you get the idea!

This will give the domain that the machine is connected to. Now you could look at removing the user from the ssh group if the domain doesn't equal your domain, preventing you from listing however many ip ranges.

You could also add a jamf recon to your script if domain is your domain to get an immediate update. Add some extension attributes to catch anything that you are looking for and create appropriate smart groups!

Saying that, Thomas makes a good point. Any admin can do anything they want and can undo everything that you do. Dare I say.....this is one of the many reasons why users shouldn't have admin rights! I'll go and put my head in front of another firing squad now.

Sean
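Pulling together Sean's WatchPaths trigger, Allen's "test for the right DNS answer" advice and Ben's checkJSSConnection idea, here is an added example that is not code from the thread, from Apple or from Jamf. It emits the LaunchDaemon plist that fires on changes to com.apple.network.identification.plist, and decides "on the corporate network" from signals that need no list of subnets: the domain suffix hostname reports, a DNS beacon that must resolve to exactly its expected internal address (so an ISP that forges answers for unknown names lands in the failure branch), and, as a fallback, whether the jamf binary can reach the JSS. The domain, beacon name and address, script path, label, account name and the assumption that checkJSSConnection exits non-zero when the JSS is unreachable are all mine.

```shell
#!/bin/sh
# Added example, not from the thread: event-driven check of "am I on the
# corporate network?" using DNS domain, a DNS beacon and JSS reachability.

CORP_DOMAIN="corp.example.com"             # assumed internal DNS suffix
BEACON_HOST="sshgate.corp.example.com"     # assumed name only internal DNS knows
BEACON_ADDR="10.1.2.3"                     # assumed address it must resolve to
TECH_ADMIN="techadmin"                     # assumed local admin short name
SCRIPT_PATH="/usr/local/sbin/ssh-gate.sh"  # assumed install location of this script
LABEL="com.example.sshgate"

# domain_of "mac-0042.bld3.corp.example.com" -> "bld3.corp.example.com"
domain_of() { printf '%s\n' "${1#*.}"; }

# Suffix match, so sub-domains of the corporate domain count; a bare
# hostname with no dots never matches.
domain_is_corporate() {
    case "$(domain_of "$1")" in
        "$CORP_DOMAIN"|*."$CORP_DOMAIN") return 0 ;;
        *) return 1 ;;
    esac
}

# beacon_ok ANSWER -> 0 only for the exact expected address. Empty answers,
# NXDOMAIN hijacks and search-domain surprises all fail.
beacon_ok() { [ "$1" = "$BEACON_ADDR" ]; }

# Live probes; kept separate so the decision functions above stay testable.
resolve_beacon() { dig +short +time=2 +tries=1 "$BEACON_HOST" A 2>/dev/null | head -n 1; }
jss_reachable() {
    command -v jamf >/dev/null 2>&1 || return 1
    jamf checkJSSConnection >/dev/null 2>&1   # assumed non-zero exit when unreachable
}

# LaunchDaemon that re-runs this script whenever the network identity changes.
launchd_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$LABEL</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>$SCRIPT_PATH</string></array>
    <key>WatchPaths</key>
    <array><string>/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Decision and enforcement, macOS and root only.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    if domain_is_corporate "$(hostname)" && beacon_ok "$(resolve_beacon)"; then
        dseditgroup -o edit -a "$TECH_ADMIN" -t user com.apple.access_ssh
    elif jss_reachable; then
        dseditgroup -o edit -a "$TECH_ADMIN" -t user com.apple.access_ssh
    else
        dseditgroup -o edit -d "$TECH_ADMIN" -t user com.apple.access_ssh
    fi
fi
```

Write the plist to /Library/LaunchDaemons/ with `launchd_plist > /Library/LaunchDaemons/$LABEL.plist` and load it with launchctl. One thing to weigh before keeping the JSS fallback: if your JSS is reachable from the public internet, that probe says "corporate" everywhere, and only the domain-plus-beacon test should decide.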

Jak
New Contributor III

Thanks Sean and everyone, excellent suggestions.

Just to clarify, this is so local admin ssh is disabled externally on that account. Standard users don't have admin.

The Casper admin account will have a proper password and communicate over SSL (for what that's worth these days)

Thanks again folks, I'll report back once I have a working script.