Enable SSH from Jamf for Specific User

scalar-its
New Contributor II

Hi there,

What would be the best/easiest way to enable SSH on a specific users' machine remotely, from Jamf?

thank you!


joethedsa
Contributor II

@scalar-its, I'm looking to do the same thing. Did you find out a way to do this?

russeller
Contributor III

Here are the basic commands that you could make a script out of. Please test this before deployment.

#!/bin/sh
ssh_user="username_here"

# turn ssh on
systemsetup -setremotelogin on

# append user to ssh group
dseditgroup -o edit -a "$ssh_user" -t user com.apple.access_ssh

# restart ssh
launchctl unload /System/Library/LaunchDaemons/ssh.plist
sleep 5
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

exit 0

You could add some additional error handling like checking the membership of the ssh group by using something like:

# -w matches the whole word so "bob" does not match "bobby"; [ ] instead of [[ ]] because the script runs under /bin/sh
check_ssh_group=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | grep -ow "$ssh_user")
if [ -z "$check_ssh_group" ]; then
   echo "$ssh_user was not added to group"
   exit 1
fi

Hopefully this will give you a head start in building your own script for your Macs. You might want to also reach out to the MacAdmins on Slack for more advice.

donmontalvo
Esteemed Contributor III

As @ssrussell recommended, some additional logic can help. Here's the script we use in Self Service:

#!/bin/bash
# Confirm SSH is enabled, and that an ACL exists, and that $CURRENT_USER is allowed.
# 20200106 DM

# Variables

# Console user via SystemConfiguration; relies on the system python 2 that shipped with macOS at the time
CURRENT_USER=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# Functions

ENABLE_REMOTE_LOGIN()
{
    systemsetup -setremotelogin on
}

CHECK_REMOTE_LOGIN()
{
    systemsetup -getremotelogin
}

CREATE_ACL()
{
    dseditgroup -o create -q com.apple.access_ssh && dseditgroup -o edit -a "$CURRENT_USER" -t user com.apple.access_ssh
}

BOUNCE_REMOTE_LOGIN()
{
    launchctl unload -w /System/Library/LaunchDaemons/ssh.plist && launchctl load -w /System/Library/LaunchDaemons/ssh.plist
}

CHECK_MEMBERSHIP()
{
    dseditgroup -o checkmember -m "$CURRENT_USER" com.apple.access_ssh
}

# Commands

if [[ "$(CHECK_REMOTE_LOGIN)" == "Remote Login: On" ]]
then
    echo "Remote Login is enabled, allowing $CURRENT_USER."
    CREATE_ACL
    echo "Bouncing Remote Login."
    BOUNCE_REMOTE_LOGIN
    sleep 5
    echo "Confirming Remote Login is enabled."
    CHECK_REMOTE_LOGIN
    echo "Confirming ACL membership."
    CHECK_MEMBERSHIP
else
    echo "Remote Login is disabled, enabling."
    ENABLE_REMOTE_LOGIN
    sleep 5
    if [[ "$(CHECK_REMOTE_LOGIN)" == "Remote Login: On" ]]
    then
        echo "Remote Login is enabled, allowing $CURRENT_USER."
        CREATE_ACL
        echo "Bouncing Remote Login."
        BOUNCE_REMOTE_LOGIN
        sleep 5
        echo "Confirming Remote Login is enabled."
        CHECK_REMOTE_LOGIN
        echo "Confirming $CURRENT_USER is allowed."
        CHECK_MEMBERSHIP
    else
        echo "There was a problem enabling Remote Login."
        exit 1
    fi
fi

exit 0
--
https://donmontalvo.com

joethedsa
Contributor II

Does anyone know off hand if an SSH user is added to a computer if it will wipe any users that are on there already? In my environment (HigherEd) we have Computer Science folks that may already have an SSH connection to a machine. I want to make sure it won't break that connection off.

donmontalvo
Esteemed Contributor III

The dseditgroup -o edit -a "$CURRENT_USER" -t user com.apple.access_ssh command appends to the ACL.

Would test of course.

--
https://donmontalvo.com

pete_c
Valued Contributor

@joethedsa all you're doing is allowing or preventing a user from logging in via SSH. You're not actively adding or removing user accounts.

adam_macy1
New Contributor II

com.apple.access_ssh has changed to com.apple.access_remote_ae

EDM
New Contributor II

The groups com.apple.access_ssh and com.apple.access_remote_ae serve different purposes:

  • com.apple.access_ssh: This group is used to manage access to the SSH service on a Mac. Users added to this group are allowed to log in remotely via SSH.
  • com.apple.access_remote_ae: This group is used to manage access to Remote Apple Events. Users in this group can send Apple events to the Mac from other computers, which can be useful for remote automation tasks.

If the goal is to enable SSH access, you should use com.apple.access_ssh. If you need to enable remote Apple events for automation purposes, then com.apple.access_remote_ae is the appropriate group.

isThisThing0n
Contributor

SSH ACL on 10.14 - 10.16:
dseditgroup -o edit -a "USER" -t user com.apple.access_ssh

Restart the ssh daemon:

launchctl kickstart -k system/com.openssh.sshd

com.apple.access_remote_ae is the ACL for Remote Apple Events (not needed).
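Pulling the pieces of this thread together, here is an added example of a Jamf policy script that grants SSH to exactly one user; it is not any poster's script. It assumes Jamf passes the target short name as script parameter $4, and the helper names are made up for this example.

```shell
#!/bin/bash
# Added example (not from the thread). Grants SSH to one local user through the
# com.apple.access_ssh ACL, verifies it, and restarts sshd. Jamf runs this as
# root and passes the user name in $4 (assumption).

# Accept only a plain local short name so nothing unexpected reaches dscl/dseditgroup.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Turn the text of `systemsetup -getremotelogin` into an exit status.
remote_login_is_on() {
    case "$1" in
        *"Remote Login: On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# macOS actions; every step is checked so the policy fails loudly in Jamf.
enable_ssh_for_user() {
    user="$1"
    valid_username "$user" || { echo "Refusing invalid user name: $user" >&2; return 1; }
    # The ACL only grants access; the account must already exist locally.
    dscl . -read "/Users/$user" >/dev/null 2>&1 || { echo "No such local user: $user" >&2; return 1; }

    remote_login_is_on "$(systemsetup -getremotelogin)" || systemsetup -setremotelogin on
    remote_login_is_on "$(systemsetup -getremotelogin)" || { echo "Could not enable Remote Login" >&2; return 1; }

    # A missing com.apple.access_ssh group means "all users" may log in over SSH,
    # so create it when absent to keep access limited to the members we add.
    dseditgroup -o read com.apple.access_ssh >/dev/null 2>&1 || dseditgroup -o create -q com.apple.access_ssh
    dseditgroup -o edit -a "$user" -t user com.apple.access_ssh
    dseditgroup -o checkmember -m "$user" com.apple.access_ssh >/dev/null \
        || { echo "$user is not a member of com.apple.access_ssh" >&2; return 1; }

    # Restart sshd so the ACL change is picked up (newer launchctl syntax).
    launchctl kickstart -k system/com.openssh.sshd
    echo "SSH enabled for $user"
}

# Jamf script parameters start at $4; with no parameter the script does nothing.
if [ -n "${4:-}" ]; then
    enable_ssh_for_user "$4"
fi
```

The two helper functions contain no macOS commands, so the name and status parsing can be checked on any machine before the policy is scoped to real Macs.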