Posted on 05-23-2017 09:13 PM
Hi All,
Very new to this and really trying to get my head around stuff. It doesn't help that I get to work on it for 1 day a month.
Anyhow, I need to enable SSH for all users. All the computers have SSH enabled, but for some reason it changed to only these users.
Can someone explain step by step how to create a policy for it to change to all users, or to add the local admin account to the list?
Posted on 05-23-2017 11:18 PM
The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run
dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled
If you prefer to keep SSH access limited to certain users and just add your local admin account, run
/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_ssh
where $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work
#!/bin/sh
# Report the members of com.apple.access_ssh (the Remote Login allow-list).
# grep -q keeps the matched group name out of the EA output.
if dscl . list /Groups | grep -q 'com.apple.access_ssh$'; then
    groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
    echo "<result>$groupmembers</result>"
else
    echo "<result>Group does not exist</result>"
fi
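Putting the two commands above together as a Jamf policy script (added example, not code from the thread or from Jamf): it puts one named admin on the allow-list rather than opening SSH to every user, switches the allow-list back on if it had been renamed to -disabled, and reports who can log in afterwards. It assumes Jamf script parameter $4 carries the admin's short name; the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a Jamf policy script that grants Remote
# Login to one named admin account instead of to every user. Jamf passes script
# parameters as $4..$11; here $4 is the admin's short name (an assumption).
SSH_GROUP="com.apple.access_ssh"

# Classify Remote Login access from the output of `dscl . list /Groups`:
#   restricted : com.apple.access_ssh exists, so only its members may SSH in
#   all-users  : only the -disabled record exists, so the allow-list is off
#   missing    : neither record exists (Remote Login never set up this way)
access_state() {
    if printf '%s\n' "$1" | grep -qxF "$SSH_GROUP"; then
        echo restricted
    elif printf '%s\n' "$1" | grep -qxF "${SSH_GROUP}-disabled"; then
        echo all-users
    else
        echo missing
    fi
}

# Turn the GroupMembership line of `dscl . read /Groups/com.apple.access_ssh`
# (e.g. the constructed "GroupMembership: ladmin jdoe") into one name per line.
parse_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 when the named user is on the allow-list, 1 otherwise.
has_member() {
    parse_members "$1" | grep -qxF -- "$2"
}

main() {
    admin="$1"
    [ -n "$admin" ] || { echo "set script parameter 4 to the admin short name" >&2; exit 2; }
    id "$admin" >/dev/null 2>&1 || { echo "no local account named $admin" >&2; exit 2; }
    case "$(access_state "$(dscl . list /Groups)")" in
        all-users)  # the thread's rename, reversed: switch the allow-list back on
            dscl . change "/Groups/${SSH_GROUP}-disabled" RecordName \
                "${SSH_GROUP}-disabled" "$SSH_GROUP" ;;
        missing)
            echo "$SSH_GROUP not found; enable Remote Login first" >&2; exit 1 ;;
    esac
    /usr/sbin/dseditgroup -o edit -a "$admin" -t user "$SSH_GROUP"
    members="$(dscl . read "/Groups/$SSH_GROUP" GroupMembership)"  # for the policy log
    has_member "$members" "$admin" && echo "SSH allowed for: $(parse_members "$members" | tr '\n' ' ')"
}

if [ "$(uname)" = "Darwin" ]; then main "$4"; fi  # helpers above run anywhere
```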
Posted on 10-06-2022 12:33 PM
If I wanted to just add a local admin to the list of people who can SSH into a given machine, the same as adding them to the Remote Login: Allow Access for: Only these users: list, what would the command be?
Posted on 05-24-2017 02:56 PM
Thanks for the response. How can I make this into a policy? I always have issues making scripts for policies.
Posted on 05-24-2017 03:15 PM
@pacolira Can I ask why you are trying to give all users SSH access? This would mean that any user would have direct backdoor access to your machines. Definitely not an advisable security practice.
Posted on 05-24-2017 04:06 PM
At the moment we are just testing a new filtering system, so we are kind of troubleshooting. If I can make a policy that can allow all users and then change that to allow certain users, then everything will be great.