Posted on 05-24-2011 08:05 AM
In the Casper 8.1 resource kit, I noticed that there was a script in Resource Kit - February 2011/All Tools/Security Scripts called "limitSSHScope.sh". This particular script is scoped to allow one user through. Has anyone modified the script so that it's allowing one group through, instead of one user?
If you have, or have another similar script that you're using, would you please share what you did?
Thanks,
Rich
---
Rich Trouton
troutonr at janelia.hhmi.org
JFRC Help Desk
phone: x4030
email: helpdesk at janelia.hhmi.org
The best way to get in touch with me is through email.
Posted on 05-24-2011 08:13 AM
You can nest a group.
That script looks like it creates the group, even if it doesn't exist.
You can use dseditgroup to add an existing group to the local com.apple.access_ssh SACL group.
Add the local admin group to it:
/usr/sbin/dseditgroup -o edit -a admin -t group -n /Local/Default com.apple.access_ssh
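The nesting approach described in this reply, written out as a script. This is an added example, not part of the original posts and not the resource kit's limitSSHScope.sh. The function names, the DSEDITGROUP override and the group-name character check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: allow one group through SSH by nesting it in the local
# com.apple.access_ssh SACL group. Intended to run as root on the Mac.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"  # override is for dry runs
SACL_GROUP="com.apple.access_ssh"
NODE="/Local/Default"

# Assumption: group names use only letters, digits, dot, underscore and dash.
# Rejecting a leading dash keeps the name from being parsed as an option.
valid_group_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Nest group $1 inside the SSH SACL group, creating the SACL group if needed.
allow_group_ssh() {
    group="$1"
    valid_group_name "$group" ||
        { echo "invalid group name: $group" >&2; return 2; }
    # The group being nested must already exist in the directory search path.
    "$DSEDITGROUP" -o read "$group" >/dev/null 2>&1 ||
        { echo "group not found: $group" >&2; return 3; }
    # Create the local SACL group only when it is missing.
    if ! "$DSEDITGROUP" -o read -n "$NODE" "$SACL_GROUP" >/dev/null 2>&1; then
        "$DSEDITGROUP" -o create -n "$NODE" "$SACL_GROUP" || return 4
    fi
    # Same edit command as in the reply, with the group name parameterised.
    "$DSEDITGROUP" -o edit -a "$group" -t group -n "$NODE" "$SACL_GROUP" ||
        return 5
}

# Run only when a group name is passed, e.g.: sh allow_group_ssh.sh admin
if [ "$#" -ge 1 ]; then
    allow_group_ssh "$1"
fi
```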
Posted on 05-24-2011 10:29 AM
Thanks, Nate. I was thinking about using dseditgroup for this, so I'll make some edits to the script to use that command like you've laid out below, instead of the dscl commands included with the script.
Rich