+3Hi All ,
very new to this and really trying to get my head around stuff.it doesnt helping that I get to work on it for 1 day a month.
Anyhow, i need to enable ssh for all user, all the computers have ssh enabled but for some reason, it changed to only this users.
can someone explain step by step how to create a policy for it to change to all users or to add the local admin account to the list?
Best answer by Chris
The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run
dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabledIf you prefer to keep SSH access limited to certain users and just add your local admin account, run
/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_sshwhere $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work
#!/bin/sh
if dscl . list /Groups | grep 'com.apple.access_ssh$'; then
groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
echo "<result>$groupmembers</result>"
else
echo "<result>Group does not exist</result>"
fiThe group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run
dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabledIf you prefer to keep SSH access limited to certain users and just add your local admin account, run
/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_sshwhere $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work
#!/bin/sh
if dscl . list /Groups | grep 'com.apple.access_ssh$'; then
groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
echo "<result>$groupmembers</result>"
else
echo "<result>Group does not exist</result>"
fithanks for the response, how can I make this into a policy? I Always have issue making scripts for policies
+15@pacolira Can I ask why you are trying to give all users SSH access? This would mean that any user would have direct backdoor access to your machines. Definitely not an advisable security practice.
+3at the moment we are just testing a new filtering system so we are kind of troubleshooting - if i can make a policy that can allow all user and then change that to allow certain users then everything will be great
+3The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run
dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabledIf you prefer to keep SSH access limited to certain users and just add your local admin account, run
/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_sshwhere $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work
#!/bin/sh
if dscl . list /Groups | grep 'com.apple.access_ssh$'; then
groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
echo "<result>$groupmembers</result>"
else
echo "<result>Group does not exist</result>"
fiIf I wanted to just add a local admin to the list of people who can SSH in to a given machine; the same as adding them to the Remote Login: Allow Access for: Only these users: list, what would the command be?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
