QuickAdd and SSH enabling bug?
Posted on 10-14-2011 06:51 AM
Has anyone noticed that despite the checkbox for 'Configure SSH to only allow access for this user' in a QuickAdd package, SSH gets turned on for all users if 'Enable SSH' is chosen, and not enabled for any user (even the hidden casper management user) if the 'Enable SSH' checkbox is unchecked?
This is what I seem to be seeing with my QuickAdd packages (version 8.21). First noticed it on 10.7.2, but seems to be the same on 10.7.1. Haven't checked back into older OS versions yet.
It looks like the /var/db/dslocal/node/Default/groups/com.apple.access_ssh.plist is not getting created at all, which as far as I know should be there in order to have the 'only allow certain users Remote Login' setting in Sharing preferences.
-R
Posted on 10-14-2011 07:05 AM
It isn't a bug. Most likely you have ssh enabled for all users. If you go into your sharing pref pane in system preferences you can enable remote log in. If you select it for all users you will get these results:
bash-3.2# dscl . list /Groups | grep ssh
_sshd
bash-3.2# dscl . list /Groups | grep ssh
_sshd
com.apple.access_ssh
The first result is from when I had it enabled for all users. Once I went into sharing preferences and enabled it only for the admin group, it then created the com.apple.access_ssh group in directory services.
Posted on 10-14-2011 07:31 AM
Hi Thomas,
This is happening on brand new builds, with the default setting from Apple of "Remote Login off, but allow all users when it's turned on". We have scripts to run on first boot to download and run the QuickAdd package.
It looks like the group com.apple.access_ssh is created when you set Remote Login to only allow listed users, and if you subsequently switch it back to enable all users, that group is renamed com.apple.access_ssh-disabled.plist.
What I'm not sure of is whether this is the only setting that is looked at, but it does seem like a bug here, as the QuickAdd should be creating that com.apple.access_ssh.plist group…
-Robin
Posted on 10-14-2011 07:58 AM
If you enable remote log in for every user, the com.apple.access_ssh and the disabled one do not exist, because there is no need to check to see who has access.
In the quick add you can enable ssh and have it only enable it for the Casper management account. You can use launchctl to load/unload the ssh daemon and then enable it that way with those ssh groups created. Whenever you enable ssh for all users those access groups no longer exist. Once ssh is enabled for at least one user or group they do exist and then you can add users to the group via dscl command line.
Is this happening on Lion? I am not running any 10.7 machines just yet so I cannot verify, but this is most definitely how it works on 10.6.8.
thanks, Tom
Posted on 10-14-2011 04:58 PM
Hmm. I feel like maybe we're not understanding each other here… I understand what groups are created and when. My point is that the 'create QuickAdd package' function in Recon has options to:
1. 'Configure SSH (Remote Login) to only allow access for this user'
2. 'Enable SSH'
#1 is apparently not working: it doesn't actually seem to change anything. The setting in the Sharing prefpane (a choice between 'allow everyone' and 'allow only listed users') is left as it was before QuickAdd was run. By default, on new Macs, this is set to allow 'All users', even though the SSH service itself is off. If it was working properly, it would change the setting to allow 'Only these users:', with no users listed (assuming the Casper managed account is hidden).
#2 is working, in the sense that it seems to toggle the Remote Login (SSH) service on and off, without regard to what users are allowed.
So, to sum up, my issue is that choice #1 in the QuickAdd does not appear to cause any changes on the system.
-Robin
Posted on 10-17-2011 12:40 AM
Sorry,
This email got caught up in my spam filter and I just went through it. I think you must do two things to enable ssh (remote log in):
1) load the ssh launch daemon
2) set ssh permissions
I am running Casper 8.1 and OS X 10.6.8 across the board and it works as intended for me. This must be a difference in OS version and I cannot test it further since I don't really have a 10.7 machine in my office right now.
The quickadd actually doesn't create anything at all in directory services; once ssh is enabled and permissions are set, directory services creates the groups. If you enable/disable all users from the sharing pref pane, then you see the ssh access and ssh disabled groups in directory services.
Did you contact Jamf about it yet?
Thanks, Tom
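An audit check built on the group behaviour reported across this thread, added here as an example; it is not part of any post and is not Jamf's or Apple's code. The group names are the ones the posters report, while the function names, mode labels and finding labels are hypothetical, and the Remote Login service state is assumed to be supplied by the caller as "on" or "off".

```shell
#!/bin/sh
# Added example: classify who may use Remote Login (SSH) from a local group listing.

# Reads group names on stdin, one per line (e.g. `dscl . list /Groups | ssh_access_mode`).
ssh_access_mode() {
    listing=$(cat)
    restricted=no
    disabled=no
    # -x matches the whole line and -F treats dots literally, so
    # com.apple.access_ssh-disabled is not counted as com.apple.access_ssh
    # (a plain `grep ssh` matches both, plus _sshd).
    if printf '%s\n' "$listing" | grep -qxF 'com.apple.access_ssh'; then restricted=yes; fi
    if printf '%s\n' "$listing" | grep -qxF 'com.apple.access_ssh-disabled'; then disabled=yes; fi
    case "$restricted/$disabled" in
        yes/no)  echo listed-users-only ;;
        no/yes)  echo all-users-previously-restricted ;;
        no/no)   echo all-users ;;
        yes/yes) echo inconsistent ;;
    esac
}

# Combines the access mode with the service state ("on" or "off") into a finding.
ssh_finding() {
    case "$2:$1" in
        on:listed-users-only)  echo OK ;;
        off:listed-users-only) echo OFF ;;
        on:inconsistent|off:inconsistent) echo REVIEW ;;
        on:all-users*)  echo EXPOSED ;;  # every local account can log in over SSH
        off:all-users*) echo LATENT ;;   # open to all users as soon as the service is turned on
        *) echo UNKNOWN ;;
    esac
}

# Constructed sample listings (not captured from a real machine).
SAMPLE_FRESH_BUILD='_sshd'
SAMPLE_RESTRICTED='_sshd
com.apple.access_ssh'
SAMPLE_SWITCHED_BACK='_sshd
com.apple.access_ssh-disabled'

for sample in "$SAMPLE_FRESH_BUILD" "$SAMPLE_RESTRICTED" "$SAMPLE_SWITCHED_BACK"; do
    mode=$(printf '%s\n' "$sample" | ssh_access_mode)
    printf '%s -> service on: %s, service off: %s\n' \
        "$mode" "$(ssh_finding "$mode" on)" "$(ssh_finding "$mode" off)"
done
```

A fresh build with the default the thread describes (service off, all users allowed) reports LATENT, which is the state that turns into EXPOSED when only the 'Enable SSH' option takes effect.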