Posted on 05-15-2013 12:09 PM
Is there a way to remove an ACL created by -secureSSH (using jamf createAccount command)?
We are working on a project where we are being asked to create a local hidden admin account with ACL to lock down SSH.
The final part of the project will be to remove the ACL imposed by the -secureSSH option.
The jamf binary help appears a bit outdated, and doesn't provide an answer:
$ jamf -help createAccount
Usage: jamf createAccount -username <username> -realname <Real Name> [-password <password>] [-passhash <passhash>] [-home </path/to/home/directory>] [-hint <hint>] [-shell <shell>] [-picture <picture>] [-admin] [-secureSSH] [-hiddenUser] [-networkUser]

-username      The user's user name
-realname      The user's real name
-password      The password of the user
-passhash      The hashed password of the user
-home          The location of the user's home directory
-hint          The hint displayed to the user
-shell         The user's default shell
-picture       The user's picture for the Login window
-admin         This flag adds the user to the admin group.
-hiddenUser    Creates an account with a UID under 500 and hides it
-networkUser   Creates an account with a UID over 1025
-secureSSH     Modifies the /etc/sshd_config file to lock out all other users
               In Mac OS X 10.5 and later, the group com.apple.ssh_access is modified instead of sshd_config.
$
Neither /etc/sshd_config nor com.apple.ssh_access provides any clues...
TIA
Don
Posted on 05-15-2013 12:18 PM
I'm not completely certain, but don't you just need to remove the group "com.apple.ssh_access" on the box?
Posted on 05-15-2013 12:23 PM
If you want to remove the ACL, this command should do it:
sudo dseditgroup -o delete -n . com.apple.access_ssh
That deletes the com.apple.access_ssh group, which is how Apple sets the ACL. No com.apple.access_ssh, no ACL.
Posted on 05-15-2013 12:28 PM
@mm2270 Thanks, that did the trick
sudo dscl . delete /Groups/com.apple.access_ssh
[EDIT]Rich, I'll try your command too...pays to test them all and get familiar. :)
[EDIT#2]Rich, your command worked too, many thanks!
Don
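Added example, not part of the thread and not JAMF's own code: a read-only check of the SSH access group, to run before and after either delete command above so you can confirm who was allowed in and that the ACL is really gone. The group name is the one used in the commands in this thread; the function names `parse_members` and `describe_acl` are made up for this sketch, and only direct members are listed (nested groups are not expanded).

```shell
#!/bin/sh
# Added example: report the state of the SSH ACL group without changing it.
# GROUP is the name used in the delete commands in this thread.
GROUP="com.apple.access_ssh"

# Read `dscl . -read /Groups/<group> GroupMembership` output on stdin and
# print one short name per line. Prints nothing when the key is absent
# (dscl then reports "No such key: GroupMembership").
parse_members() {
    awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# $1 = exit status of the dscl read, stdin = its output.
#   no-acl     group record not found: no SSH ACL in place
#   acl-empty  group exists but has no direct members
#   acl: a b   group exists; these accounts are listed as direct members
describe_acl() {
    status=$1
    if [ "$status" -ne 0 ]; then
        echo "no-acl"
        return 0
    fi
    members=$(parse_members | sort | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$members" ]; then
        echo "acl-empty"
    else
        echo "acl: $members"
    fi
}

# Only query the local directory where dscl exists (i.e. on a Mac).
if command -v dscl >/dev/null 2>&1; then
    out=$(dscl . -read "/Groups/$GROUP" GroupMembership 2>/dev/null) && rc=0 || rc=$?
    printf '%s\n' "$out" | describe_acl "$rc"
fi
```

Once the group has been deleted the script should print `no-acl`, which means SSH is no longer restricted to that group's members while Remote Login is enabled.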