Locking down Ssh

nhubbard
New Contributor III

Hello, I have come across a situation on our district macbook airs where students were able to access Terminal and ssh into other machines. I blocked access for Terminal. However, this would not prevent them from using other tools to use ssh. I have found a few commands, such as (launchctl unload /System/Library/LaunchDaemons/ssh.plist), however this doesn't work as that plist is not under LaunchDaemons and I can't find it altogether. Does someone have knowledge how to lock these creative users out of launching any ssh command?

Thanks so much in advance.

2 ACCEPTED SOLUTIONS

Hugonaut
Valued Contributor II

you can set up a policy in jamf containing a script with this command to disable it & set the execution frequency to ongoing at login

sudo systemsetup -f -setremotelogin off

then if you ever need to remote in, simply have another policy for turning it back on

sudo systemsetup -f -setremotelogin on
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

View solution in original post

DBrowning
Valued Contributor II

script pushed out via jamf.....

#!/bin/sh
systemsetup -f -setremotelogin off

View solution in original post

9 REPLIES 9

Hugonaut
Valued Contributor II

you can set up a policy in jamf containing a script with this command to disable it & set the execution frequency to ongoing at login

sudo systemsetup -f -setremotelogin off

then if you ever need to remote in, simply have another policy for turning it back on

sudo systemsetup -f -setremotelogin on
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

nhubbard
New Contributor III

That's what I was curious about, as I actively use remote desktop to see if students are on task or not. If I set remote login as off, that would disable it for the remote desktop correct?

Hugonaut
Valued Contributor II

That is correct, another option would be to only enable ssh for an administrator account that you use to access the machine.
* @ddcdennisb Thank you correcting this statement, please see post below (regarding remotelogin, remotemanagement)

in /etc/ssh/ you can modify the file 'ssh_config' and allow your Admin User with the AllowUsers flag below Host*, the addition of this line will look like the following

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   AllowUsers ADMINACCOUNTHERE
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

DBrowning
Valued Contributor II

There is a difference between Remote Login and Remote Management. ARD uses the Remote Management settings. Disabling Remote Login would turn off SSH access, but you would still be able to use ARD to Remote in to Control/Observe the machines.

nhubbard
New Contributor III

@ddcdennisb that was the key to shutting it down. I am no longer able to access the testing device. Now to figure out how to remotely uncheck that option for all 330 devices.....

DBrowning
Valued Contributor II

script pushed out via jamf.....

#!/bin/sh
systemsetup -f -setremotelogin off

daworley
Contributor II

In a similar vein to @Hugonaut's comment above, there is a macOS local directory group you can modify membership over.

The guts of the command are:

dseditgroup -o edit -n /Local/Default -a "$sshUser" -t user com.apple.access_ssh

In addition to the other great ideas above, you could lock the user permission down to a white list of users/groups. Maybe one that does not exist on the computer?

I wrote a Jamf compatible script you can use to run in a policy with parameters here: https://github.com/fauxserve/Casper-Scripts/blob/master/Policy%20Scripts/sshUsersByPolicy.sh

nhubbard
New Contributor III

@Hugonaut , although the sudo systemsetup -f -setremotelogin off script worked great, completely turned off the remote option, I set up a policy for ongoing and login through jamf, I can not access the device through terminal, hyper, etc. (perfect) the minute the device is restarted that policy is no longer in effect. Which is strange because I have the policy set to login, ongoing.????

Hugonaut
Valued Contributor II

@nhubbard

instead of running the disable script itself as a policy, have you considered running the disable remote login script locally from a launchagent plist? This way if you need to enable you can always run that from a policy, then if the computer boots, upon logging in, regardless of policy, it will guarantee login is off.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month