Help

Enable SSH for all users

Go to solution
pacolira
New Contributor

Posted on β€Ž05-23-2017 09:13 PM

Hi All ,

very new to this and really trying to get my head around stuff.it doesnt helping that I get to work on it for 1 day a month.

Anyhow, i need to enable ssh for all user, all the computers have ssh enabled but for some reason, it changed to only this users.

can someone explain step by step how to create a policy for it to change to all users or to add the local admin account to the list?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Chris
Valued Contributor

Posted on β€Ž05-23-2017 11:18 PM

The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run

dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled

If you prefer to keep SSH access limited to certain users and just add your local admin account, run

/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_ssh

where $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work

#!/bin/sh
if dscl . list /Groups | grep 'com.apple.access_ssh$'; then
    groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
    echo "<result>$groupmembers</result>"
else
    echo "<result>Group does not exist</result>"
fi

View solution in original post

0 Kudos
4 REPLIES 4

Go to solution
Chris
Valued Contributor

Posted on β€Ž05-23-2017 11:18 PM

The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run

dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled

If you prefer to keep SSH access limited to certain users and just add your local admin account, run

/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_ssh

where $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work

#!/bin/sh
if dscl . list /Groups | grep 'com.apple.access_ssh$'; then
    groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
    echo "<result>$groupmembers</result>"
else
    echo "<result>Group does not exist</result>"
fi

View solution in original post

0 Kudos

Go to solution
pacolira
New Contributor

Posted on β€Ž05-24-2017 02:56 PM

thanks for the response, how can I make this into a policy? I Always have issue making scripts for policies

0 Kudos

Go to solution
apizz
Valued Contributor

Posted on β€Ž05-24-2017 03:15 PM

@pacolira Can I ask why you are trying to give all users SSH access? This would mean that any user would have direct backdoor access to your machines. Definitely not an advisable security practice.

0 Kudos

Go to solution
pacolira
New Contributor

Posted on β€Ž05-24-2017 04:06 PM

at the moment we are just testing a new filtering system so we are kind of troubleshooting - if i can make a policy that can allow all user and then change that to allow certain users then everything will be great

0 Kudos
Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.