Locking down SSH

monosodium
Contributor

Hello All,

I am wondering how you all manage SSH. Our machine setup process is supposed to be to only enable SSH for our management account. Of course, this has not been happening on some machines and I need to deploy a policy to only allow SSH for our management account. Any ideas? I've looked around and tried:

#!/bin/sh
systemsetup -setremotelogin off

with a scope set to make an exception for our management account. This doesn't work and just disables SSH entirely.

Thanks!

1 ACCEPTED SOLUTION

maxbehr
Contributor II

You can also add the AllowGroups or AllowUsers directive to the /etc/ssh/sshd_config file. I copy this file during imaging. I then check daily to see if the sha256 hash of the file is different than what it should be, and re-install the sshd_config when someone has made changes they were not supposed to make.



Sandy
Valued Contributor II

I use the built in jss framework to create my management account, enable SSH and disable SSH for any other user.
I have this set on my base images for imaging, and also in my Enrollment Settings in User Initiated enrollments>Platforms for user enrollment and prestages

SGill
Contributor III

You might try -setremotelogin on and then add this:

sudo dscl . -append /Groups/com.apple.access_ssh GroupMembership YOURADMIN

Not sure if that gives all admins and your account SSH access or just your admin account - you'd have to test it. It might be what you want.

The integrated Casper solution above is also probably better, too.

monosodium
Contributor

Thanks Max! I think I will just deploy this config file through policy and use smart groups to ensure compliance.

ttyler
New Contributor II

Just thought I would post this small script. It's a process I have used for a few years to configure the SSH access list.

I have also used it in the past to add an AD IT admin group to the com.apple.access_ssh to ensure IT Admins can access the service.

#!/bin/bash
# Tomos Tyler,  2014

ManageAccount="_cadmin"   # Set to your Casper Management User Name

#AdminName="$4"           # Disabled by default, can use a parameter in a script to send preferred account
AdminName="ladmin"        # Set to your administrator name

# Let's turn off SSH
launchctl unload /System/Library/LaunchDaemons/ssh.plist

# Remove the existing SSH access group (revert to all user access)
dseditgroup -o delete -t group com.apple.access_ssh

# Re-create the group and add the users
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a "$ManageAccount" -t user com.apple.access_ssh
dseditgroup -o edit -a "$AdminName" -t user com.apple.access_ssh

# Turn SSH back on
launchctl load /System/Library/LaunchDaemons/ssh.plist

rickwhois
Contributor

Just wanted to add to this discussion of locking down ssh. The article below describes how to utilize pf anchors to lock down your ssh after you have granted appropriate permissions. The article was written in the OS X 10.8 era but still applies in modern macOS. http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/

cbrewer
Valued Contributor II

Simplified version of @ttyler's script. This one just removes the existing users and groups and then adds your admin account. I like doing it this way versus fully deleting the com.apple.access_ssh group.

#!/bin/bash

# Turn SSH off
launchctl unload /System/Library/LaunchDaemons/ssh.plist

# Delete SSH access for existing users and groups
dscl . delete /Groups/com.apple.access_ssh NestedGroups
dscl . delete /Groups/com.apple.access_ssh GroupMembership

# Add SSH access for specific user(s)
dscl . create /Groups/com.apple.access_ssh GroupMembership cadmin

# Turn SSH on
launchctl load /System/Library/LaunchDaemons/ssh.plist

monosodium
Contributor

@cbrewer I might make use of this actually, as the config file might be an approach I use moving forward while the script will be used for those that are non-compliant. Do you know if this would be deployable via a policy? Obviously when disabling SSH for certain users I need to make sure I don't cut myself off from the client. Bonus points if you know of an extension attribute method to check for machines that would have unwanted accounts enabled for SSH (e.g. the user's account).

Thanks all!

cbrewer
Valued Contributor II

@monosodium Yes - it'll work from a policy or from Casper Remote.

The following commands should get you lists of users with SSH access. Roll those into an extension attribute.

dscl . read /Groups/com.apple.access_ssh GroupMembership
dscl . read /Groups/com.apple.access_ssh NestedGroups
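Rolling those two reads into an extension attribute, as an added example that is not from the thread or from Jamf: it assumes the management account is named cadmin and that no nested groups are expected, and reports every other member it finds.

```bash
#!/bin/bash
# Added example: Jamf extension attribute that reports members of
# com.apple.access_ssh that are not on an allowlist.
# Assumptions: the management account is "cadmin"; no nested groups are
# expected (NestedGroups holds group GUIDs, so allow those by GUID if used).

ALLOWED_USERS="cadmin"
ALLOWED_GROUPS=""

# unexpected_members LINE ALLOWLIST
# LINE is one "dscl . read" output line such as "GroupMembership: cadmin bob".
# Prints every member that is not in the space-separated ALLOWLIST, one per line.
unexpected_members() {
    local line="$1" allow="$2" rest m
    case "$line" in
        "No such key"*|"") return 0 ;;   # key absent: nobody has access via it
    esac
    rest="${line#*:}"                    # drop the "GroupMembership:" prefix
    for m in $rest; do
        case " $allow " in
            *" $m "*) ;;                 # on the allowlist, nothing to report
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# ssh_access_report: query the local directory and print offenders or "OK".
ssh_access_report() {
    local users groups bad
    users=$(dscl . read /Groups/com.apple.access_ssh GroupMembership 2>/dev/null)
    groups=$(dscl . read /Groups/com.apple.access_ssh NestedGroups 2>/dev/null)
    bad=$(unexpected_members "$users" "$ALLOWED_USERS"
          unexpected_members "$groups" "$ALLOWED_GROUPS")
    if [ -z "$bad" ]; then
        echo "OK"
    else
        echo "$bad" | tr '\n' ' '
    fi
}

# Only query the directory where dscl exists (i.e. on a Mac); the <result>
# tags are the format Jamf expects from an extension attribute script.
if command -v dscl >/dev/null 2>&1; then
    echo "<result>$(ssh_access_report)</result>"
fi
```

A smart group on this attribute not equal to "OK" then gives you the non-compliant machines to target with the cleanup script above.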