Enable SSH for all users

pacolira
New Contributor

Hi All,

Very new to this and really trying to get my head around stuff. It doesn't help that I get to work on it for 1 day a month.

Anyhow, I need to enable SSH for all users. All the computers have SSH enabled but for some reason, it changed to only these users.

Can someone explain step by step how to create a policy for it to change to all users or to add the local admin account to the list?

1 ACCEPTED SOLUTION

Chris
Valued Contributor

The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run

dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled

If you prefer to keep SSH access limited to certain users and just add your local admin account, run

/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_ssh

where $4 is your local admin account.
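You could also use an EA to improve reporting/scoping options; something like this should work:

#!/bin/sh
# Jamf extension attribute: report the members of the SSH access group.
# -q keeps the matched group name out of the script's output.
if dscl . list /Groups | grep -q '^com\.apple\.access_ssh$'; then
    # Keep only the GroupMembership line and strip the "GroupMembership: " label.
    groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
    echo "<result>$groupmembers</result>"
else
    echo "<result>Group does not exist</result>"
fi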

4 REPLIES

pacolira
New Contributor

Thanks for the response, how can I make this into a policy? I always have issues making scripts for policies.

apizz
Valued Contributor

@pacolira Can I ask why you are trying to give all users SSH access? This would mean that any user would have direct backdoor access to your machines. Definitely not an advisable security practice.

pacolira
New Contributor

At the moment we are just testing a new filtering system so we are kind of troubleshooting - if I can make a policy that can allow all users and then change that to allow certain users then everything will be great.
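
As an added example (not part of any post in this thread): a script that could be attached to a Jamf policy to put a Mac back into "only these users" mode after testing and allow the account given in parameter 4. It undoes the group rename from the accepted solution if it finds it. The `DSCL`/`DSEDITGROUP` overrides and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Jamf policy script; parameter 4 is the
# account short name to allow. DSCL/DSEDITGROUP overrides are an assumption
# of this example so the logic can be exercised off a Mac.
DSCL="${DSCL:-/usr/bin/dscl}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"
ACL=com.apple.access_ssh

# Classify SSH access from a `dscl . list /Groups` listing on stdin.
ssh_access_state() {
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -qxF "$ACL"; then
        echo restricted      # only members of the group may log in
    elif printf '%s\n' "$listing" | grep -qxF "$ACL-disabled"; then
        echo all-users       # group renamed: every user may log in
    else
        echo missing
    fi
}

# Put the machine back in "only these users" mode and allow one account.
restrict_ssh_to() {
    account=$1
    # Refuse before changing anything if the account does not exist locally.
    if ! "$DSCL" . -read "/Users/$account" RecordName >/dev/null 2>&1; then
        echo "No local account named '$account'" >&2
        return 1
    fi
    case "$("$DSCL" . list /Groups | ssh_access_state)" in
        all-users)  # undo the rename that opened SSH to everyone
            "$DSCL" . change "/Groups/$ACL-disabled" RecordName \
                "$ACL-disabled" "$ACL" || return 1 ;;
        missing)
            "$DSEDITGROUP" -o create -q "$ACL" || return 1 ;;
    esac
    "$DSEDITGROUP" -o edit -a "$account" -t user "$ACL"
}

# Jamf passes the first custom policy parameter as $4.
if [ -n "${4:-}" ]; then
    restrict_ssh_to "$4"
else
    echo "Set parameter 4 to the account short name" >&2
fi
```

Pairing this with the extension attribute from the accepted solution lets you scope the policy to machines where the group is missing and confirm afterwards that the membership is what you expect.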