Posted on 10-16-2023 06:36 AM
Hi there,
We seem to be having issues trying to SSH into devices with SSH enabled on a backdoor local admin account. This issue is only apparent when trying to connect over the internet to a host with SSH enabled. When that device is on the same local network I'm able to SSH fine without issue.
I've tested multiple machines in the environment and the issue is exactly the same on all of them.
This is the script used to enable SSH on the target device:
#!/bin/sh
# Local admin account that should be allowed to log in over SSH
ssh_user="THE_USERNAME_OF_THE_ADMIN_USER_ACCOUNT"
# turn ssh on (enables the Remote Login service)
systemsetup -setremotelogin on
# append user to the com.apple.access_ssh group, which restricts SSH login to its members
dseditgroup -o edit -a "$ssh_user" -t user com.apple.access_ssh
# restart ssh so the new settings take effect
launchctl unload /System/Library/LaunchDaemons/ssh.plist
sleep 5
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
exit 0
And connect in Terminal using 'ssh THE_NAME_OF_THE_ADMIN_USER_ACCOUNT@targetIp'
Posted on 10-16-2023 06:46 AM
SSH over the internet would more than likely be blocked by the WAN firewall of the remote internet connection, as it should be.
Posted on 10-16-2023 07:55 AM - edited 10-16-2023 07:56 AM
It's not so much that it would be blocked by a firewall, but that there's no automatic process in macOS or the Jamf Pro agent to configure the local router to do port forwarding of SSH traffic to a Mac (and that's a good thing). Macs on VPN connections have similar issues. Direct SSH access really isn't going to work for Macs not on the same network, and you may want to investigate tools that offer remote access options that will. I don't know if Jamf Connect offers that, but tools I've seen with that capability include CrowdStrike and Tanium.
Posted on 10-16-2023 10:18 AM
Generally speaking, unless you use a VPN this is not possible as device A cannot address device B to route traffic.
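As an added example (not posted by anyone in this thread, and not part of Jamf or macOS), here is a small Python diagnostic that applies the reasoning in the replies above: it classifies the address typed in `ssh user@targetIp`, so a private, link-local or carrier-grade NAT address is flagged as unroutable from the internet before any connection is attempted, and an optional TCP probe separates "refused" from "filtered". The host names and addresses in it are constructed samples.

```python
import ipaddress
import socket

# Carrier-grade NAT range (RFC 6598): the ISP, not the customer router, holds
# the public address, so port forwarding on the local router cannot help.
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")

REASONS = {
    "loopback": "loopback address; only the local machine itself",
    "link-local": "link-local address; only valid on the directly attached segment",
    "private": "RFC 1918 / ULA address; reachable only on the same LAN or over a VPN, "
               "the internet cannot route to it without port forwarding on the router",
    "cgnat": "carrier-grade NAT address; not reachable from the internet at all",
    "global": "globally routable address; reachability now depends on the remote "
              "firewall and on a port-forward to the Mac",
    "hostname": "not an IP literal; resolve it first, then classify the result",
}


def classify_target(host: str) -> str:
    """Return the address class of a target as used in 'ssh user@host'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and ip in CGNAT_V4:
        return "cgnat"
    if ip.is_private:
        return "private"
    return "global"


def explain_target(host: str) -> str:
    """Human-readable reason why a direct SSH to this host may or may not work."""
    return f"{host}: {REASONS[classify_target(host)]}"


def probe_ssh(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """TCP connect only (no SSH handshake). 'refused' means something answered
    but nothing listens or forwards on that port; 'filtered' means the packets
    were dropped (firewall or no route), which is the common case over the WAN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"
```

Run `explain_target("192.168.1.20")` on the LAN address from the ticket to see why it works locally but not over the internet; `probe_ssh` is only useful once the target classifies as "global".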