Solved

Enable SSH for all users



Hi all,

Very new to this and really trying to get my head around stuff. It doesn't help that I get to work on it for 1 day a month.

Anyhow, I need to enable SSH for all users. All the computers have SSH enabled, but for some reason it changed to only these users.

Can someone explain step by step how to create a policy for it to change to all users or to add the local admin account to the list?


5 replies

Chris
  • Valued Contributor
  • 268 replies
  • Answer
  • May 24, 2017

The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run

dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled

If you prefer to keep SSH access limited to certain users and just add your local admin account, run

/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_ssh

where $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work

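#!/bin/sh
# Jamf extension attribute: list the members of the SSH access group.
# -q keeps grep's match out of stdout so only the <result> line is printed.
if dscl . list /Groups | grep -q 'com.apple.access_ssh$'; then
    groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
    echo "<result>$groupmembers</result>"
else
    echo "<result>Group does not exist</result>"
fi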
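
A stricter variant of the extension attribute in the answer above, added here as an example and not part of the original post: it reports the case where the group is absent or renamed (as by the `dscl . change` command) as unrestricted SSH, and also lists nested groups. The function name `classify_ssh_access` is hypothetical, the sample input is constructed, and the parsing assumes `dscl` prints each attribute on a single line.

```shell
#!/bin/sh
# Added example (not from the original thread): Jamf extension attribute
# that states whether SSH is limited by the com.apple.access_ssh group.
SACL="com.apple.access_ssh"

# classify_ssh_access GROUP_LIST RECORD   (hypothetical helper name)
#   GROUP_LIST: output of `dscl . list /Groups`
#   RECORD:     output of `dscl . -read /Groups/$SACL GroupMembership NestedGroups`
classify_ssh_access() {
    # -x -F: exact, literal match, so com.apple.access_ssh-disabled does not count.
    if ! printf '%s\n' "$1" | grep -qxF "$SACL"; then
        # Group absent or renamed: nothing limits SSH to specific accounts.
        echo "UNRESTRICTED: all users"
        return
    fi
    # Assumption: each attribute is printed as "Key: value value ..." on one line.
    users=$(printf '%s\n' "$2" | sed -n 's/^GroupMembership: *//p')
    nested=$(printf '%s\n' "$2" | sed -n 's/^NestedGroups: *//p')
    if [ -z "$users" ] && [ -z "$nested" ]; then
        echo "RESTRICTED: no members"
    else
        echo "RESTRICTED: users=[${users}] nested_groups=[${nested}]"
    fi
}

if command -v dscl >/dev/null 2>&1; then
    # macOS: query the local directory and emit the value Jamf expects.
    group_list=$(dscl . list /Groups)
    record=$(dscl . -read "/Groups/$SACL" GroupMembership NestedGroups 2>/dev/null)
    echo "<result>$(classify_ssh_access "$group_list" "$record")</result>"
else
    # Not macOS: run against constructed sample input (group renamed).
    classify_ssh_access "admin
com.apple.access_ssh-disabled
staff" ""
fi
```

Scoping a smart group on values that start with `UNRESTRICTED` gives a list of machines where any account can log in over SSH.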

  • Author
  • New Contributor
  • 9 replies
  • May 24, 2017

Thanks for the response. How can I make this into a policy? I always have issues making scripts for policies.


apizz
  • Honored Contributor
  • 395 replies
  • May 24, 2017

@pacolira Can I ask why you are trying to give all users SSH access? This would mean that any user would have direct backdoor access to your machines. Definitely not an advisable security practice.


  • Author
  • New Contributor
  • 9 replies
  • May 24, 2017

At the moment we are just testing a new filtering system, so we are kind of troubleshooting - if I can make a policy that can allow all users and then change that to allow certain users, then everything will be great.


  • New Contributor
  • 8 replies
  • October 6, 2022
Chris wrote:

The group "com.apple.access_ssh" is what limits SSH access to specified users/groups.
To grant SSH access to all users, run

dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled

If you prefer to keep SSH access limited to certain users and just add your local admin account, run

/usr/sbin/dseditgroup -o edit -a "$4" -t user com.apple.access_ssh

where $4 is your local admin account.
You could also use an EA to improve reporting/scoping options, something like this should work

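#!/bin/sh
# Jamf extension attribute: list the members of the SSH access group.
# -q keeps grep's match out of stdout so only the <result> line is printed.
if dscl . list /Groups | grep -q 'com.apple.access_ssh$'; then
    groupmembers=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | sed 's/.*: //')
    echo "<result>$groupmembers</result>"
else
    echo "<result>Group does not exist</result>"
fi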

If I wanted to just add a local admin to the list of people who can SSH in to a given machine, the same as adding them to the Remote Login: Allow Access for: Only these users: list, what would the command be?

