SSH connection timeout

_aDiedericks
Contributor

Hi there,

We seem to be having issues trying to SSH into devices with SSH enabled on a backdoor local admin account. This issue is only apparent when trying to connect over the internet to a host with SSH enabled. When that device is on the same local network I'm able to SSH fine without issue.

I've tested multiple machines in the environment and the issue is exactly the same on all machines.

This is the script used to enable SSH on the target device:

 

#!/bin/sh
ssh_user="THE_USERNAME_OF_THE_ADMIN_USER_ACCOUNT"

# turn ssh on
systemsetup -setremotelogin on

# append user to ssh group
dseditgroup -o edit -a "$ssh_user" -t user com.apple.access_ssh

# restart ssh
launchctl unload /System/Library/LaunchDaemons/ssh.plist
sleep 5
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

exit 0

 


And connect in Terminal using 'ssh THE_NAME_OF_THE_ADMIN_USER_ACCOUNT@targetIp' 

1 ACCEPTED SOLUTION

mschlosser
Contributor

SSH over the internet would more than likely be blocked by the WAN firewall of the remote internet connection; as it should be


3 REPLIES

sdagley
Esteemed Contributor II

It's not so much that it would be blocked by a firewall, but that there's no automatic process in macOS or the Jamf Pro agent to configure the local router to do port forwarding of SSH traffic to a Mac (and that's a good thing). Macs on VPN connections have similar issues. Direct SSH access really isn't going to work for Macs not on the same network, and you may want to investigate tools that offer remote access options that will. I don't know if Jamf Connect offers that, but tools I've seen with that capability include CrowdStrike and Tanium.

AJPinto
Honored Contributor II

Generally speaking, unless you use a VPN this is not possible as device A cannot address device B to route traffic.
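
Added example, not part of the original thread or any poster's code: a small Python check, run from the admin workstation, that separates the failure modes discussed in the replies (timeout from a dropped or unforwarded connection, refusal from a reachable host with Remote Login off, and a target address that is not internet-routable at all). The function names and the message wording are assumptions made for this example, and the target must be given as an IP address.

```python
import ipaddress
import socket
import sys

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def address_scope(ip):
    """Classify an IP literal: can a host on another network even address it?"""
    addr = ipaddress.ip_address(ip)
    if addr.is_global:
        return "public"
    if addr in CGNAT:
        return "cgnat"
    return "private"  # RFC 1918, loopback, link-local: valid only on its own network

def probe_ssh(host, port=22, timeout=5.0):
    """Make one TCP connection attempt; return (state, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(255).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # connected, but the peer sent no identification string
            return "open", banner
    except socket.timeout:
        return "timeout", ""      # packets silently dropped: firewall or no NAT mapping
    except ConnectionRefusedError:
        return "refused", ""      # host answered, nothing is listening on the port
    except OSError:
        return "unreachable", ""  # no route, or the connection was reset

def diagnose(ip, port=22, timeout=5.0):
    """Combine both checks into a one-line explanation."""
    scope = address_scope(ip)
    state, banner = probe_ssh(ip, port, timeout)
    if state == "open":
        return f"open: SSH service answered ({banner or 'no banner'})"
    if state == "refused":
        return "refused: host reachable, but Remote Login is off or sshd is not listening"
    if scope != "public":
        return f"{state}: {ip} is a {scope} address; use a VPN or run this from its own network"
    return f"{state}: traffic to {ip}:{port} is dropped upstream (WAN firewall, no port forward)"

if __name__ == "__main__":
    print(diagnose(sys.argv[1]))
```

A timeout against a private or carrier-grade NAT address matches the situation in this thread: the Mac's LAN address means nothing outside its own network, so enabling Remote Login on the Mac does not change the result.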