
Hi there,



What would be the best/easiest way to enable SSH on a specific user's machine remotely, from Jamf?



thank you!

@scalar-its, I'm looking to do the same thing. Did you find out a way to do this?


Here are the basic commands that you could make a script out of. Please test this before deployment.



#!/bin/sh
ssh_user="username_here"

# turn ssh on
systemsetup -setremotelogin on

# make sure the ssh access group exists before editing it (a fresh machine may not have it)
dseditgroup -o read com.apple.access_ssh > /dev/null 2>&1 || dseditgroup -o create -q com.apple.access_ssh

# append user to ssh group (quoted so the script copes with odd usernames)
dseditgroup -o edit -a "$ssh_user" -t user com.apple.access_ssh

# restart ssh
launchctl unload /System/Library/LaunchDaemons/ssh.plist
sleep 5
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

exit 0


You could add some additional error handling like checking the membership of the ssh group by using something like:



# -w matches the whole username only, so "bob" does not match "bobby"; [ ] keeps it valid under #!/bin/sh
check_ssh_group=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | grep -ow "$ssh_user")
if [ -z "$check_ssh_group" ]; then
    echo "$ssh_user was not added to group"
    exit 1
fi


Hopefully this will give you a head start in building your own script for your Macs. You might want to also reach out to the MacAdmins on Slack for more advice.
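An added audit example, not code from anyone in this thread: a Jamf Extension Attribute style script that separates parsing from the macOS commands, so the membership check (exact match, avoiding the partial-match pitfall of `grep -o $ssh_user`) and the Remote Login state check can be verified on any machine. The dscl record in SAMPLE_RECORD is constructed; ea_report only calls the macOS commands when it is actually running on Darwin.

```shell
#!/bin/bash
# Constructed sample of `dscl . -read /Groups/com.apple.access_ssh` output (not a real machine).
SAMPLE_RECORD="AppleMetaNodeLocation: /Local/Default
GroupMembership: alice bob
PrimaryGroupID: 399
RecordName: com.apple.access_ssh"

# Exact-match check: is user $2 listed on the GroupMembership line of record $1?
# Returns 0 if allowed, 1 otherwise (also 1 when the record is empty, i.e. no group).
ssh_acl_allows_user() {
    printf '%s\n' "$1" | awk -v u="$2" '
        /^GroupMembership:/ { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Normalise `systemsetup -getremotelogin` output ($1) to on / off / unknown.
remote_login_state() {
    case "$1" in
        *"Remote Login: On"*)  echo on ;;
        *"Remote Login: Off"*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# Extract the member list from a dscl group record ($1); prints "none" if empty.
ssh_acl_members() {
    members=$(printf '%s\n' "$1" | awk '/^GroupMembership:/ { $1 = ""; print substr($0, 2) }')
    echo "${members:-none}"
}

# Jamf EA style report. The ACL group being absent is worth flagging: without a
# com.apple.access_ssh group, Remote Login is not restricted to a member list.
ea_report() {
    [ "$(uname)" = Darwin ] || { echo "<result>not macOS</result>"; return 0; }
    state=$(remote_login_state "$(systemsetup -getremotelogin 2>/dev/null)")
    acl=$(dscl . -read /Groups/com.apple.access_ssh 2>/dev/null) || acl=""
    [ -n "$acl" ] && group=present || group=absent
    echo "<result>remote_login=$state acl_group=$group members=$(ssh_acl_members "$acl")</result>"
}

# Stand-alone demo on the constructed record.
ssh_acl_allows_user "$SAMPLE_RECORD" bob && echo "bob allowed"
ssh_acl_allows_user "$SAMPLE_RECORD" bobby || echo "bobby not allowed"
ea_report
```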


As @ssrussell recommended, some additional logic can help. Here's the script we use in Self Service:



#!/bin/bash
# Confirm SSH is enabled, and that an ACL exists, and that $CURRENT_USER is allowed.
# 20200106 DM

# Variables

# Console user via SystemConfiguration; empty at the login window. The "\n" has to stay
# escaped inside the Python string. Note this relies on the system python 2, which Apple
# removed in macOS 12.3, so newer releases need another way to find the console user.
CURRENT_USER=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

if [[ -z "$CURRENT_USER" ]]; then
    echo "No console user found; nothing to allow."
    exit 1
fi

# Functions

ENABLE_REMOTE_LOGIN()
{
    systemsetup -setremotelogin on
}

CHECK_REMOTE_LOGIN()
{
    systemsetup -getremotelogin
}

CREATE_ACL()
{
    # Create the group only if it is missing; `create` on an existing group fails,
    # and chaining the edit with && would then silently skip adding the user.
    dseditgroup -o read com.apple.access_ssh > /dev/null 2>&1 || dseditgroup -o create -q com.apple.access_ssh
    dseditgroup -o edit -a "$CURRENT_USER" -t user com.apple.access_ssh
}

BOUNCE_REMOTE_LOGIN()
{
    launchctl unload -w /System/Library/LaunchDaemons/ssh.plist && launchctl load -w /System/Library/LaunchDaemons/ssh.plist
}

CHECK_MEMBERSHIP()
{
    dseditgroup -o checkmember -m "$CURRENT_USER" com.apple.access_ssh
}

# Commands

# The function has to be called with $( ) here; comparing the literal name never matches.
if [[ "$(CHECK_REMOTE_LOGIN)" == "Remote Login: On" ]]
then
    echo "Remote Login is enabled, allowing $CURRENT_USER."
    CREATE_ACL
    echo "Bouncing Remote Login."
    BOUNCE_REMOTE_LOGIN
    sleep 5
    echo "Confirming Remote Login is enabled."
    CHECK_REMOTE_LOGIN
    echo "Confirming ACL membership."
    CHECK_MEMBERSHIP
else
    echo "Remote Login is disabled, enabling."
    ENABLE_REMOTE_LOGIN
    sleep 5
    if [[ "$(CHECK_REMOTE_LOGIN)" == "Remote Login: On" ]]
    then
        echo "Remote Login is enabled, allowing $CURRENT_USER."
        CREATE_ACL
        echo "Bouncing Remote Login."
        BOUNCE_REMOTE_LOGIN
        sleep 5
        echo "Confirming Remote Login is enabled."
        CHECK_REMOTE_LOGIN
        echo "Confirming $CURRENT_USER is allowed."
        CHECK_MEMBERSHIP
    else
        echo "There was a problem enabling Remote Login."
        exit 1
    fi
fi

exit 0

Does anyone know off hand if an SSH user is added to a computer if it will wipe any users that are on there already? In my environment (HigherEd) we have Computer Science folks that may already have an SSH connection to a machine. I want to make sure it won't break that connection off.


The dseditgroup -o edit -a "$CURRENT_USER" -t user com.apple.access_ssh command appends to the ACL.



Would test of course.


@joethedsa all you're doing is allowing or preventing a user from logging in via SSH. You're not actively adding or removing user accounts.


com.apple.access_ssh has changed to com.apple.access_remote_ae


SSH ACL on 10.14 - 10.16:
dseditgroup -o edit -a "USER" -t user com.apple.access_ssh



Restart the ssh daemon:



launchctl kickstart -k system/com.openssh.sshd


com.apple.access_remote_ae is the ACL for Remote Apple Events (not needed).


com.apple.access_ssh has changed to com.apple.access_remote_ae



The groups com.apple.access_ssh and com.apple.access_remote_ae serve different purposes:



  • com.apple.access_ssh: This group is used to manage access to the SSH service on a Mac. Users added to this group are allowed to log in remotely via SSH.

  • com.apple.access_remote_ae: This group is used to manage access to Remote Apple Events. Users in this group can send Apple events to the Mac from other computers, which can be useful for remote automation tasks.

    If the goal is to enable SSH access, you should use com.apple.access_ssh. If you need to enable remote Apple events for automation purposes, then com.apple.access_remote_ae is the appropriate group.

