Secure SSH - by Directory Group?

clifhirtle
Contributor II

For those of you in environments where your Macs are bound to a central directory service (AD/LDAP/etc) and you've locked down SSH, can you clarify if it is possible to lock it down via directory group vs just a single user account (as offered in the initial JAMF QuickAdd package)?

The following script helps automate the secure SSH by user part, but just curious if it's also possible to define by a specific AD management group as well?

https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=460


11 REPLIES

clifhirtle
Contributor II

Silly rabbit, always check the Stack (yes and easier than I thought):

http://apple.stackexchange.com/questions/86746/enable-ssh-access-for-ad-admin-accounts

Olivier
New Contributor II

Don't use "dscl" to add/delete members to a group; this is a common mistake: one day, you will end up with a messed-up/corrupted OS X database, or inconsistencies between the GUI and command-line tools, so always use "dseditgroup" (this is the only officially supported way, and I think it is mentioned in the 10.7 OS X Server Admin book).

The dseditgroup command takes care of adding the UUID of the group, the name of the group... and updates the "dslocal" cache (according to Apple Tech Support).

For example, to add a member to the "com.apple.access_ssh" group, we use:
# sudo dseditgroup -o edit -a billgatesADaccount -t group com.apple.access_ssh

billgatesADaccount can probably be replaced by an AD group, although I never tested it myself.

Sidenote: the jamf binary also uses "dscl . -append xxxxxxxxx" when it has to add a user to the local admin group (at least in 8.6): this should not be done this way, as it is not the proper way to do it.

clifhirtle
Contributor II

Thanks for clarifying, Olivier. I don't have that book, but I'm working through the usual man file for dseditgroup to make sense of it. The command you have above generates a record-not-found error, so I must still be doing something wrong.

UPDATE: confirmed that adding the restricted SSH group, adding our AD admin group, then checking access for a user within that group all work with the following 3 commands:

  • dseditgroup -o create -q com.apple.access_ssh
  • dseditgroup -o edit -a YourADAdminGroup -t group com.apple.access_ssh
  • dseditgroup -o checkmember -m YourAdminUser com.apple.access_ssh

Works great! And much easier than manually specifying the UUID via dscl.

franton
Valued Contributor III

Stupid question, but how do I do this AND keep/re-add our Casper management account with this method? Do I execute the command again and it appends the correct user to it?

clifhirtle
Contributor II
(Accepted solution)

Nothing stupid, franton. Basically just 2 commands, yes. I updated an existing script I found for exactly this purpose. I'm sure others have ideas on how to improve it, but here's what I pieced together this AM. Basically we're just using Casper's standard variables $4 and $5 to set both the primary Casper admin user and the domain-based admin group. If anything's unclear just let me know.

#!/bin/sh

# script to enable a particular user of SSH of OS X systems
# Marc Kerr http://marckerr.com 5/31/13
# http://marckerr.com/?tag=shell-scripts
# Updated by C. Hirtle on 8/1/13 for Casper

# Casper passes script parameters from $4 onward: $4 = admin user, $5 = AD admin group
USERNAME="$4"
ADMINGROUP="$5"

# check that root is running the script otherwise nothing works
if [ "$(id -u)" -ne 0 ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# both parameters must be supplied or the dseditgroup calls below do nothing useful
if [ -z "$USERNAME" ] || [ -z "$ADMINGROUP" ]; then
   echo "Parameters 4 (admin user) and 5 (AD admin group) are required" 1>&2
   exit 1
fi

# disable SSH to start with regardless of if it's on (off to prevent nixing remote execution)
# systemsetup -setremotelogin off

# remove the existing SSH access group (revert to all user access)
dseditgroup -o delete -t group com.apple.access_ssh

# create the access group and add the user(s)
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a "$USERNAME" -t user com.apple.access_ssh

# add our standard AD computer admins group as subgroup
dseditgroup -o edit -a "$ADMINGROUP" -t group com.apple.access_ssh

# finally confirm who's in the group before we quit
dseditgroup -o read -t group com.apple.access_ssh

# ensure SSH is back on
systemsetup -setremotelogin on

exit 0

franton
Valued Contributor III

Brilliant! I shall modify for my own needs and test.

franton
Valued Contributor III

Ick. Another stupid question. The AD group name ... how exactly should it be specified? domaingroupname or just groupname?

clifhirtle
Contributor II

May depend on your infrastructure, but in our case it is just group name. No domain necessary.

franton
Valued Contributor III

Thanks! I'm going to give that a try tomorrow.

rtrouton
Release Candidate Programs Tester

I have a couple of posts showing how to use dseditgroup to set access controls with SSH. The second post listed references how to reference AD group names by domain:

http://derflounder.wordpress.com/2011/02/03/setting-access-controls-on-ssh/

http://derflounder.wordpress.com/2011/05/02/setting-access-controls-for-ssh-part-2/

franton
Valued Contributor III

That has worked beautifully! I've made some changes as we have more than one AD group to allow. Thanks!