Script to allow Administrators sec group to Remote Login

dsmetham
New Contributor

Just wondering if anyone knows the command to add the Administrators group for Remote Login

I've googled my pants off, I can allow the Admin but can't allow the Administrators group.

Any input would be greatly appreciated.


pblake
Contributor III

@dsmetham I believe you just need to add them to the ard access group. A simple Google search on adding a group to ard access should do it.

dmw3
Contributor III

@dsmetham You will need to create the group first, then you will be able to add users to the group.

You can create the group either from the GUI or command line.

davidacland
Honored Contributor II

Are you talking about SSH access?

If it is SSH, you used to use a group called com.apple.access_ssh. Not sure if that's still the case, but if it is you should be able to use:

dseditgroup -o create -q com.apple.access_ssh
  # Create the group

dseditgroup -o edit -a admin -t group com.apple.access_ssh
  # Add the admin group to it

apizz
Valued Contributor

Thanks for this @davidacland !

apizz
Valued Contributor

@davidacland your Terminal commands worked for me on a Yosemite test machine, but don't seem to work on my machine running 10.11.4. The first command does create the com.apple.access_ssh group, but then does not add the local Administrators group to the remote login panel like I was seeing on Yosemite.

davidacland
Honored Contributor II

I just double checked the commands and the man pages. All the options look to be the same so I'm not sure why they wouldn't be working.

When I tried them, creating the groups was fine, and adding a user to a group seemed to work intermittently.

apizz
Valued Contributor

Thanks for checking @davidacland. Looking at things more closely, it seems that the commands are working in that the com.apple.access_ssh group gets created, enables remote login (systemsetup -setremotelogin on), and sets remote login to "only these users". But no users or user groups are listed.

When I try and manually add the Administrators group it appears as added, but when I quit Sys Prefs and reopen it it no longer is shown as listed.

I've confirmed that I can ssh into the machine from different accounts with admin privileges but cannot connect with standard users.

So, it appears to be working but not properly showing the Administrators group as the user group with privileges to ssh.

apizz
Valued Contributor

I can confirm the above is happening on both 10.10.4 and 10.11.4

tony_schaps
Contributor

@aporlebeke Even though nothing shows in the "remote login" list, try running in the Terminal:

/usr/bin/dscl . -read /Groups/com.apple.access_ssh

If your user shows there, you're golden. My JAMF management user does not show in the remote login list but it shows in that command. Also showing are "nested groups," one of which should be "ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050", the admin group.

apizz
Valued Contributor

Something I realized, I was misentering the command posted further up the thread, the "T" needs to be capitalized, not lowercase:

dseditgroup -o create -q com.apple.access_ssh
  # Create the group

dseditgroup -o edit -a admin -T group com.apple.access_ssh
  # Add the admin group to it

However, when I do these commands together now, it adds just the local admin user to the Remote Login specified users rather than the Administrators group ... Any other thoughts?

tony_schaps
Contributor

Did you run /usr/bin/dscl . -read /Groups/com.apple.access_ssh ?
Anything under "NestedGroups"?

apizz
Valued Contributor

@tony.schaps Nothing about nested groups after running the command. As I mentioned in my post above, the command changed from a lowercase "t" to an uppercase in the second command, but that change just adds our local admin user to the remote login user list, not the Administrators group.

apizz
Valued Contributor

OK - so I started from scratch again. Running the original commands (with lowercase t) and then doing the dscl . -read /Groups/com.apple.access_ssh reveals that there is in fact a nested group - the admin group with the UID you specified previously in the com.apple.access_ssh group.

Although the Administrators group is still not showing up in the listed remote login account list.
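The check discussed in the posts above (reading the group record with dscl and looking for the admin group under NestedGroups) can be scripted so it does not depend on what the Remote Login pane displays. This is an added example, not code from any poster in the thread; the function names, the sample records and the `localadmin` user are constructed for illustration, and the record layout is assumed to follow the usual `Key: value` dscl output.

```shell
#!/bin/sh
# Added example: audit who com.apple.access_ssh actually grants SSH to.
ADMIN_GUID="ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050"  # admin group GUID quoted in the thread

# Print the values of one attribute from `dscl . -read` output on stdin.
# Values follow "Key:" on the same line or on continuation lines starting with a space.
dscl_attr() {
    awk -v key="$1" '
        /^[^ ]+:/ { cur = $1; sub(/:$/, "", cur); sub(/^[^ ]+:[ ]*/, "")
                    if (cur == key && length($0)) print; next }
        /^ /      { if (cur == key) { sub(/^ +/, ""); print } }'
}

# Exit 0 if the admin group is nested in the record read from stdin.
nests_admin_group() {
    dscl_attr NestedGroups | tr ' ' '\n' | grep -qix "$ADMIN_GUID"
}

# One-line summary: is admin nested, and which users are direct members?
audit_ssh_group() {
    rec=$(cat)
    if printf '%s\n' "$rec" | nests_admin_group; then state=nested; else state=absent; fi
    users=$(printf '%s\n' "$rec" | dscl_attr GroupMembership | tr ' ' ',' | tr '\n' ',' | sed 's/,$//')
    printf 'admin_group=%s users=%s\n' "$state" "${users:-none}"
}

# Constructed sample: admin group nested, management user as direct member.
sample_nested() { cat <<'EOF'
GroupMembership: jamfadmin
NestedGroups:
 ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
RecordName: com.apple.access_ssh
EOF
}

# Constructed sample: only a single user was added, no nested group.
sample_user_only() { cat <<'EOF'
GroupMembership: localadmin
RecordName: com.apple.access_ssh
EOF
}

sample_nested | audit_ssh_group
sample_user_only | audit_ssh_group

# On a Mac, audit the live record as well.
if command -v dscl >/dev/null 2>&1; then
    dscl . -read /Groups/com.apple.access_ssh 2>/dev/null | audit_ssh_group
fi
```

A result of `admin_group=absent` with a single user listed means only that account, not every local administrator, is permitted to log in over SSH.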

jamaya77
New Contributor II

Just in case anyone is browsing for other solutions. This is my script for granting the local "Administrators" group ssh access. Jamf removes the "Administrators" group from the Remote Login list when a machine is enrolled and replaces it with the jamfadmin account. The script below grants the local "Administrators" group ssh access and it will show in the list again after you log off and log back in:

#!/bin/sh

#Add Administrators group to Remote Login access list
dseditgroup -o edit -n /Local/Default -a admin -t group com.apple.access_ssh

exit 0

clint_arndt
New Contributor II

@jamaya77 is this a one time fix or does it need to be run from time to time?

apizz
Valued Contributor

@clint.arndt We've always enabled remote login as part of a series of post-enrollment policies and never had to rerun / reactivate.