Posted on 08-21-2012 06:32 PM
Hi,
Our deployments are set so that only the Management account can use SSH. I'm trying to work through how to change that to All Users because of a request for one of the labs that is for computer science students. As the machines are already imaged, I'm trying to do this via the command line.
From various posts I've read it seems like the right way to change this is to rename the com.apple.access_ssh group to com.apple.access_ssh-disabled but I don't know how to do this in the command line. Maybe with dscl or dseditgroup? I just can't seem to find an example or documentation on how this might be done.
Has anyone got any suggestions on how to go about doing this? Am I missing some setting in the JSS that would do this for me?
Regards,
David
Posted on 08-21-2012 07:31 PM
To rename a file you'll use the mv (move) command. It's pretty straight-forward:
mv com.apple.access_ssh com.apple.access_ssh-disabled
Posted on 08-22-2012 07:01 AM
Thanks Mooose ... but it's a group not a file :)
Posted on 08-22-2012 08:41 AM
Now I understand why you were asking about dscl and dseditgroup.
I did find a page that offers this command:
dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled
Sounds like what you're needing but I haven't tested.
Posted on 08-22-2012 05:59 PM
Thanks! I think I read the same page you found but missed that snippet.
It works fine. I did notice that the settings in Sharing stayed the same even though the group was renamed so I forced the sshd to reread its config using:
ps -ef | grep sshd | awk '{print $2}' | sudo xargs kill -HUP
That seems to kill any active connections so I will need to test to see if that's a problem - probably not. Otherwise a restart will do the same thing.
Hmmm - and now when I try that command to HUP sshd it doesn't seem to reread the file :( more investigation required ...
Restarting works though.
Posted on 05-15-2016 04:30 PM
Stumbled upon this old post. Since I'm resurrecting this post, it'll take −1 to all attack rolls, skill checks, saving throws, and ability checks. I'm sorry. Anyway...
I think @dlondon was looking to run something like this:
launchctl unload /System/Library/LaunchDaemons/ssh.plist
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
This should reload SSH with the new settings without requiring a reboot. At least it's been working for me on 10.9 and newer when I was trying to lock SSH down to 2 specific accounts.
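The rename and the reload from this thread combined into one idempotent script, as an added example that is not from any poster here. The function names are hypothetical, and it assumes it is run as root on macOS with only the dscl and launchctl commands quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Run as root on macOS.
ACTIVE=com.apple.access_ssh             # present: only members may use SSH
PARKED=com.apple.access_ssh-disabled    # renamed: all users may use SSH
PLIST=/System/Library/LaunchDaemons/ssh.plist

group_exists() {
    dscl . read "/Groups/$1" RecordName >/dev/null 2>&1
}

# Prints restricted, all-users, or unknown (neither group record found).
ssh_access_mode() {
    if group_exists "$ACTIVE"; then echo restricted
    elif group_exists "$PARKED"; then echo all-users
    else echo unknown
    fi
}

rename_group() {    # $1 = current record name, $2 = new record name
    dscl . change "/Groups/$1" RecordName "$1" "$2"
}

# Note: "load -w" also enables Remote Login if it was switched off.
reload_sshd() {
    launchctl unload "$PLIST"
    launchctl load -w "$PLIST"
}

# $1 = all-users | restricted. Does nothing if already in that mode.
set_ssh_access() {
    current=$(ssh_access_mode)
    [ "$current" = "$1" ] && return 0
    [ "$current" = unknown ] && { echo "no SSH access group found" >&2; return 1; }
    case "$1" in
        all-users)  rename_group "$ACTIVE" "$PARKED" ;;
        restricted) rename_group "$PARKED" "$ACTIVE" ;;
        *) echo "usage: all-users|restricted" >&2; return 2 ;;
    esac || return 1
    reload_sshd
    # Verify the directory now reports the requested mode.
    [ "$(ssh_access_mode)" = "$1" ]
}

# Only act when a mode is given on the command line.
if [ "${1:-}" = all-users ] || [ "${1:-}" = restricted ]; then
    set_ssh_access "$1"
fi
```

Switching to all-users widens who can log in over SSH, so running `ssh_access_mode` across the fleet afterwards is a quick way to audit which machines are in which state.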
Posted on 05-15-2016 06:14 PM
Thanks Steven,
Sometimes my Linux/Unix/Mac skills are found wanting. Appreciate your correction.
Regards,
David