Skip to main content
Solved

Locking down Ssh

  • December 11, 2018
  • 9 replies
  • 127 views
N
Forum|alt.badge.img+5

Hello, I have come across a situation on our district macbook airs where students were able to access Terminal and ssh into other machines. I blocked access for Terminal. However, this would not prevent them from using other tools to use ssh. I have found a few commands, such as (launchctl unload /System/Library/LaunchDaemons/ssh.plist), however this doesn't work as that plist is not under LaunchDaemons and I can't find it altogether. Does someone have knowledge how to lock these creative users out of launching any ssh command?

Thanks so much in advance.

Best answer by Hugonaut

you can set up a policy in jamf containing a script with this command to disable it & set the execution frequency to ongoing at login

sudo systemsetup -f -setremotelogin off

then if you ever need to remote in, simply have another policy for turning it back on

sudo systemsetup -f -setremotelogin on

    9 replies

    Hugonaut
    Forum|alt.badge.img+15
    • Hugonaut
    • Esteemed Contributor
    • Answer
    • December 11, 2018

    you can set up a policy in jamf containing a script with this command to disable it & set the execution frequency to ongoing at login

    sudo systemsetup -f -setremotelogin off

    then if you ever need to remote in, simply have another policy for turning it back on

    sudo systemsetup -f -setremotelogin on
    Looking for a Jamf Managed Service Provider? Look no further than Rocketman Tech! Virtual MacAdmins Monthly Meetup - First Friday, Every Month
    S
    N
    R
    N
    Forum|alt.badge.img+5
    • nhubbard
    • Author
    • Contributor
    • December 11, 2018

    That's what I was curious about, as I actively use remote desktop to see if students are on task or not. If I set remote login as off, that would disable it for the remote desktop correct?

    Hugonaut
    Forum|alt.badge.img+15
    • Hugonaut
    • Esteemed Contributor
    • December 11, 2018

    That is correct, another option would be to only enable ssh for an administrator account that you use to access the machine.
    * @ddcdennisb Thank you correcting this statement, please see post below (regarding remotelogin, remotemanagement)

    in /etc/ssh/ you can modify the file 'ssh_config' and allow your Admin User with the AllowUsers flag below Host*, the addition of this line will look like the following

    # This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   AllowUsers ADMINACCOUNTHERE
    Looking for a Jamf Managed Service Provider? Look no further than Rocketman Tech! Virtual MacAdmins Monthly Meetup - First Friday, Every Month
    N
    DBrowning
    Forum|alt.badge.img+25
    • DBrowning
    • Esteemed Contributor
    • December 11, 2018

    There is a difference between Remote Login and Remote Management. ARD uses the Remote Management settings. Disabling Remote Login would turn off SSH access, but you would still be able to use ARD to Remote in to Control/Observe the machines.

    scottb
    N
    N
    Forum|alt.badge.img+5
    • nhubbard
    • Author
    • Contributor
    • December 11, 2018

    @ddcdennisb that was the key to shutting it down. I am no longer able to access the testing device. Now to figure out how to remotely uncheck that option for all 330 devices.....

    DBrowning
    Forum|alt.badge.img+25
    • DBrowning
    • Esteemed Contributor
    • December 11, 2018

    script pushed out via jamf.....

    #!/bin/sh
systemsetup -f -setremotelogin off
    D
    Forum|alt.badge.img+13
    • daworley
    • Valued Contributor
    • December 12, 2018

    In a similar vein to @Hugonaut's comment above, there is a macOS local directory group you can modify membership over.

    The guts of the command are:

    dseditgroup -o edit -n /Local/Default -a "$sshUser" -t user com.apple.access_ssh

    In addition to the other great ideas above, you could lock the user permission down to a white list of users/groups. Maybe one that does not exist on the computer?

    I wrote a Jamf compatible script you can use to run in a policy with parameters here: https://github.com/fauxserve/Casper-Scripts/blob/master/Policy%20Scripts/sshUsersByPolicy.sh

    Hugonaut
    N
    Forum|alt.badge.img+5
    • nhubbard
    • Author
    • Contributor
    • December 14, 2018

    @Hugonaut , although the sudo systemsetup -f -setremotelogin off script worked great, completely turned off the remote option, I set up a policy for ongoing and login through jamf, I can not access the device through terminal, hyper, etc. (perfect) the minute the device is restarted that policy is no longer in effect. Which is strange because I have the policy set to login, ongoing.????

    Hugonaut
    Forum|alt.badge.img+15
    • Hugonaut
    • Esteemed Contributor
    • December 17, 2018

    @nhubbard

    instead of running the disable script itself as a policy, have you considered running the disable remote login script locally from a launchagent plist? This way if you need to enable you can always run that from a policy, then if the computer boots, upon logging in, regardless of policy, it will guarantee login is off.

    Looking for a Jamf Managed Service Provider? Look no further than Rocketman Tech! Virtual MacAdmins Monthly Meetup - First Friday, Every Month
    Terms & ConditionsCookie settingsAccessibility statement