close ssh for local admin account while on public internet

I'd probably run some sort of launchdaemon script that checks the IP address every so often (every minute?). If it's not in the range(s) that you expect for your subnet(s) you can remove the user from the group com.apple.access_ssh with a dscl command. If the machine's IP address is within the acceptable IP ranges, check to see if the user is in that group and if not, add it back in.

10 lines of shell script should do.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

This will be sort of annoying if you have multiple macs. Assuming only laptops go off campus and if you have both Macbook Airs and other Mac laptops en0 could be the ethernet or the Airport. I wonder if you can just watch a file path with launchd and when the network preference file gets modified you can trigger the script that detects the IP.

Though I do have to ask why? I mean if they have admin access to the machine they can undo anything you do. They could unload the launch daemon, they could give themselves ssh access again by simply going into the sharing pref pane in System Preferences. Seems to me like a lot of work for something that really can be bypassed very easily.

-Tom

Hi Tom,

Point of this is to disable SHH for the local admin account while off the company network.

While out local admin password isn't simple, there is the human aspect here, thus I would, if practicable, like to disable SSH for that user account.

If it becomes too much, then we will have to make the admin ssh account password much longer.

Nice idea.. Thanks, though I do have a LOT of subnets… like a LOT..

Thanks!

Consider basing the test on a DNS lookup, of a hostname you control both internally & externally.
On Oct 11, 2011, at 8:57 AM, Jak Piper wrote:

then have the script triggered by launchd based on network change

--

Mac Consulting Group, Inc. - 225-933-5311 - Baton Rouge, Louisiana

Apple Support, Service, Sales, and Training http://macconsultinggroup.com/training

Hi Allen,

Just my thoughts, won't resolve an internal dns name externally, thus BINGO!

Thanks.

Careful tho, so many ISP's DNS will give a fake result for lookups they can't resolve.

So, test for the right answer (probably an internal IP) and treat anything else as a failure (vs hoping it wont' resolve)

Create a policy that will run offline.

That policy contains a script

The script would be something like:

If I can connect to jss then exit, else disable ssh for account <accountname>.

There's a verb for the Jamf binary called checkJSSConnection, which will report back if it can connect to the jss.

Regards,

Ben.

To me, if you're looking to be *most* secure, I'd set up ipfw to deny SSH access unless it's coming from a specific IP range. So for instance, if your user is in a Starbucks and someone's trying to knock on the SSH door, ipfw will tell them to go the hell away. However, if they establish VPN connectivity, SSH coming from your corporate network would be allowed through.

This seems to be the most simple option and would require the least mucking about.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

why don't you disable password logins and only use keys for ssh access?

it would save you the trouble of having to write some routine to disable when off your subnets.

If you are going to go down the route of making a launchd, then I would suggest using WatchPaths in a launchd on /Library/Preferences/SystemConfiguration/com.apple.network.identification.plist instead of running small periodicals.

This file will update every time the machine receives a new ip.

Next, in the script, run hostname (yup, I'm gonna suggest cut again!!)

hostname | cut -d "." -f 2-

or maybe

hostname | cut -d "." -f 3-

you get the idea!

This will give the domain that the machine is connected to. Now you could look at removing the user from the ssh group if the domain doesn't equal your domain, preventing you from listing however many ip ranges.

You could also add a jamf recon to your script if domain is your domain to get an immediate update. Add some extension attributes to catch anything that you are looking for and create appropriate smart groups!

Saying that, Thomas makes a good point. Any admin can do anything they want and can undo everything that you do. Dare I say.....this is one of the many reasons why users shouldn't have admin rights! I'll go and put my head in front of another firing squad now.

Sean

Thanks Sean and everyone, excellent suggestions.

Just to clarify, this is so local admin ssh is disabled externally on that account. Standard users don't have admin.

The Casper admin account will have a proper password and communicate over ssl ( for what's that's worth these days )

Thanks again folks, I'll report back once I have a working script.