Posted on 07-11-2013 03:40 PM
For those of you in environments where your Macs are bound to a central directory service (AD/LDAP/etc.) and you've locked down SSH, can you clarify whether it is possible to lock it down via a directory group vs just a single user account (as offered in the initial JAMF QuickAdd package)?
The following script helps automate the secure SSH by user part, but just curious if it's also possible to define by a specific AD management group as well?
https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=460
Posted on 07-11-2013 04:05 PM
Silly rabbit, always check the Stack (yes and easier than I thought):
http://apple.stackexchange.com/questions/86746/enable-ssh-access-for-ad-admin-accounts
Posted on 07-24-2013 09:16 AM
Don't use "dscl" to add/delete members to a group; this is a common mistake: one day you will end up with a messed-up/corrupted OSX database, or inconsistencies between the GUI and command-line tools, so always use "dseditgroup" (this is the only officially supported way, and I think it is mentioned in the 10.7 OSX Server Admin book).
The dseditgroup command takes care of adding the UUID of the group, the name of the group... and updates the "dslocal" cache (according to Apple Tech Support).
For example, to add a member to the "com.apple.access_ssh" group, we use:
# sudo dseditgroup -o edit -a billgatesADaccount -t group com.apple.access_ssh
billgatesADaccount can be probably replaced by an AD group, although I never tested it myself.
Sidenote: the jamf binary also uses "dscl . -append xxxxxxxxx" when it has to add a user to the local admin group (at least in 8.6): this should not be done this way, as this is not the proper way to do it.
Posted on 08-01-2013 09:21 AM
Thanks for clarifying Olivier. I don't have that book, but I'm working through the usual man page for dseditgroup to make sense of it. The command you have above generates a record not found error, so I must still be doing something wrong.
UPDATE: confirmed that adding the restricted ssh group, adding our AD admin group, then checking access for a user within that group all work with the following 3 commands:
Works great! And much easier than manually specifying the UUID via dscl.
Posted on 08-01-2013 11:06 AM
Stupid question but how do I do this AND keep/re-add our casper management account with this method. Do I execute the command again and it appends the correct user to it?
Posted on 08-01-2013 12:25 PM
Nothing stupid franton. Basically just 2 commands, yes. Updated an existing script I found for exactly this purpose. Am sure others have ideas on how to improve, but here's what I pieced together this AM. Basically we're just using Casper's standard variable $4 and $5 to set both primary Casper admin user and domain-based admin group. If anything's unclear just let me know.
#!/bin/bash
# script to enable a particular user of SSH of OS X systems
# Marc Kerr http://marckerr.com 5/31/13
# http://marckerr.com/?tag=shell-scripts
# Updated by C. Hirtle on 8/1/13 for Casper
# bash (not sh) because the script uses [[ ]] and $EUID below
# Casper passes script parameters from $4 onward: $4 = management account, $5 = AD admin group
USERNAME="$4"
ADMINGROUP="$5"
# check that root is running the script otherwise nothing works
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# both parameters are required; stop rather than build an empty or partial access group
if [[ -z "$USERNAME" || -z "$ADMINGROUP" ]]; then
    echo "Usage: set Casper parameter 4 (management account) and 5 (AD admin group)" 1>&2
    exit 1
fi
# disable SSH to start with regardless of if it's on (off to prevent nixing remote execution)
# systemsetup -setremotelogin off
# remove the existing SSH access group (revert to all user access)
dseditgroup -o delete -t group com.apple.access_ssh
# create the access group and add the user(s)
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a "$USERNAME" -t user com.apple.access_ssh
# add our standard AD computer admins group as subgroup (quoted: AD group names may contain spaces)
dseditgroup -o edit -a "$ADMINGROUP" -t group com.apple.access_ssh
# finally confirm who's in the group before we quit
dseditgroup -o read -t group com.apple.access_ssh
# ensure SSH is back on
systemsetup -setremotelogin on
exit 0
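Building on the script above and on Olivier's point that group membership should go through dseditgroup rather than dscl, here is an added example of my own (not code from this thread, from JAMF, or from the original script's authors). It accepts one management account plus any number of directory groups (the later reply needed more than one AD group), and adds the part the script only eyeballs with `dseditgroup -o read`: an audit that parses that output so a policy can flag drift, plus a per-user check with `dseditgroup -o checkmember`, which follows nested groups. Assumptions: "casperadmin", "Mac Admins" and the GUIDs are placeholders; SAMPLE_ACL_READ is a constructed approximation of dseditgroup's "attribute -" / indented-value layout, embedded so the audit functions run offline.

```shell
#!/bin/bash
# Added example (not from this thread or from JAMF): build the SSH access ACL
# from one management account plus any number of directory groups, then audit it.
# Names such as "casperadmin" and "Mac Admins" are placeholders.

SSH_ACL="com.apple.access_ssh"

# (Re)build the ACL idempotently. $1 = local management account,
# $2.. = directory group names (nested as groups, resolved by the directory plugin).
set_ssh_acl() {
    [ $# -ge 1 ] && [ -n "$1" ] || { echo "usage: set_ssh_acl <user> [group ...]" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "set_ssh_acl: must run as root" >&2; return 1; }
    mgmt_user="$1"; shift
    # Delete only when the group exists, so a fresh Mac does not log a spurious error.
    if dseditgroup -o read "$SSH_ACL" >/dev/null 2>&1; then
        dseditgroup -o delete "$SSH_ACL" || return 1
    fi
    dseditgroup -o create -q "$SSH_ACL" || return 1
    dseditgroup -o edit -a "$mgmt_user" -t user "$SSH_ACL" || return 1
    for grp in "$@"; do
        # -t group nests the directory group: its members get SSH without being listed here
        dseditgroup -o edit -a "$grp" -t group "$SSH_ACL" || return 1
    done
    systemsetup -setremotelogin on
}

# Is this short name allowed in? checkmember follows nested groups, so it is the
# right test for "is AD user X covered by the AD group we nested".
user_can_ssh() {
    dseditgroup -o checkmember -m "$1" "$SSH_ACL" >/dev/null 2>&1
}

# Print the values of one attribute from `dseditgroup -o read` output on stdin.
# Assumed layout: "dsAttrTypeStandard:<Name> -" followed by indented value lines.
acl_attr_values() {
    awk -v want="dsAttrTypeStandard:$1 -" '
        /^dsAttrTypeStandard:/ { inattr = ($0 == want); next }
        inattr && NF           { sub(/^[ \t]+/, ""); print }
    '
}

# Return 0 when the ACL's directly listed users are exactly the expected set.
# Catches both drift (someone hand-added a user) and a missing management account.
acl_users_match() {   # usage: acl_users_match "<read output>" user...
    actual=$(printf '%s\n' "$1" | acl_attr_values GroupMembership | sort)
    shift
    expected=$(printf '%s\n' "$@" | sort)
    [ "$actual" = "$expected" ]
}

# Number of nested (directory) groups; dseditgroup stores them as GUIDs, not names.
acl_nested_count() {
    printf '%s\n' "$1" | acl_attr_values NestedGroups | wc -l | tr -d ' '
}

# Constructed sample of `dseditgroup -o read com.apple.access_ssh` output
# (approximate layout; GUIDs are made up) so the audit functions run offline.
SAMPLE_ACL_READ='dsAttrTypeStandard:GeneratedUID -
		0F1A2B3C-0000-4000-8000-000000000001
dsAttrTypeStandard:GroupMembership -
		casperadmin
dsAttrTypeStandard:NestedGroups -
		1A2B3C4D-0000-4000-8000-000000000002
		1A2B3C4D-0000-4000-8000-000000000003
dsAttrTypeStandard:RecordName -
		com.apple.access_ssh'

# Stand-alone use on a Mac as root: Casper passes script parameters from $4 onward
# ($1..$3 are the mount point, computer name and user), e.g. 4 = casperadmin, 5.. = AD groups.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ] && [ -n "$4" ]; then
    shift 3
    set_ssh_acl "$@"
    current=$(dseditgroup -o read "$SSH_ACL")
    acl_users_match "$current" "$1" && echo "SSH ACL OK" || echo "SSH ACL drift:" "$current"
fi
```

The audit deliberately compares only the directly listed users (GroupMembership): nested AD groups show up in the read output as GUIDs, so whether a given AD user is covered through one of them is answered by `user_can_ssh`, which only works while the Mac can reach the domain. Running the audit as a separate, read-only policy on a schedule is what turns "we set it once" into something you can actually verify.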
Posted on 08-01-2013 01:22 PM
Brilliant! I shall modify for my own needs and test.
Posted on 08-01-2013 01:29 PM
Ick. Another stupid question. The AD group name ... how exactly should it be specified? domain\groupname or just groupname?
Posted on 08-01-2013 01:34 PM
May depend on your infrastructure, but in our case it is just group name. No domain necessary.
Posted on 08-01-2013 01:37 PM
Thanks! I'm going to give that a try tomorrow.
Posted on 08-01-2013 01:58 PM
I have a couple of posts showing how to use dseditgroup to set access controls with SSH. The second post listed references how to reference AD group names by domain:
http://derflounder.wordpress.com/2011/02/03/setting-access-controls-on-ssh/
http://derflounder.wordpress.com/2011/05/02/setting-access-controls-for-ssh-part-2/
Posted on 08-02-2013 02:11 AM
That has worked beautifully! I've made some changes as we have more than one AD group to allow. Thanks!