I’m always looking for ways to get to zero-touch deployment with less effort. In that vein, I threw together this script which can be deployed as an “at reboot” script in a Casper configuration. Using this prevents you from having to go into your base image and manually configure ssh. The script can also be run locally on an existing machine that doesn’t have ssh enabled or limited to the admin group. It may work with other imaging tools, but remember to test thoroughly. This script has only been tested with Mac OS X version 10.5.6.
#!/bin/bash ##### HEADER BEGINS ##### # scr_sys_turnOnSshLimitToAdmin.bash # # Created 20090320 by Miles A. Leacy IV # email@example.com # Modified 20090320 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely # as long as this header remains intact. # # This script is provided "as is". The author offers no warranty # or guarantee of any kind. # Use of this script is at your own risk. The author takes no # responsibility for loss of use, loss of data, loss of job, # loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, # test twice more. # # This script turns on remote login (ssh) and activates a SACL to # limit access to members of the admin group. It is intended to be used # on a fresh image where ssh has not been enabled or limited previously. # # Run as an "at reboot" script when imaging with Casper. # ##### HEADER ENDS ##### # Turn on remote login systemsetup -setremotelogin on # Create the com.apple.access_ssh group dseditgroup -o create -q com.apple.access_ssh # Add the admin group to com.apple.access_ssh dseditgroup -o edit -a admin -t group com.apple.access_ssh
Expect more scripts and tips on building a zero-touch deployment in the future.
12 thoughts on “Script: Enable SSH & Limit to Admin Group”
This script is very helpful in helping us keep from touching machines in our school district. So you work for Jamf, I’m attending a CCA training in Dallas this April, hopefully we’ll see you there. Thanks
I really like this script. Good work! You should only fix the broken link here: https://discussions.apple.com/thread/1947950?start=0&tstart=0
@Anonymous I appreciate the comment. Unfortunately that’s an archived discussion and I can’t modify it.
Maybe Mr Anonymous is suggesting a redirect from the original link to this page. You might not be able to edits Apple’s site, but maybe you can edit your own site.
Just saying, like.
You’re absolutely correct, however web design isn’t my thing. If anyone can send me a link that explains how I could setup some sort of automated redirect from the old url: https://themacadmin.com/2009/03/20/script-enable-ssh-limit-to-admin-group/ to the new one: https://themacadmin.com/?p=49 I’d be greatly appreciative.
If you are able to create a directory at the root of your site, named “2009”, and place within it a directory named “03”, then within that, a directory named “20”, and finally create a directory within *that* named “script-enable-ssh-limit-to-admin-group”, you could park an index.html file in there with a meta-refresh tag in its element.
Example code here: http://www.w3.org/TR/WCAG20-TECHS/H76
Thanks! I’ve finally got it sorted.
Oh, and thanks for the script. 🙂 Looks like JSS isn’t doing the “Enable SSH for this user” thing in a 10.8.x configuration I’m testing.
I want to do similar thing, but instead of group, I just want to enable ssh for a particular user.
Any idea on how can I do that from command line. I am looking for a solution for 10.6 and above.
Replace the last command in the script with…
# Add user with the shortname “fred” to com.apple.access_ssh
dseditgroup -o edit -a fred -t user com.apple.access_ssh
…of course substitute your desired user for “fred”.
If this script executes correctly, are the changes visible in System Preferences -> Sharing, i.e is Remote Login checked and set to the “admin” group? I can run the script without errors but I can’t tell if it took or not.
It should, but will not do so spontaneously. System Preference panes generally read the system state when you launch them. If System Preferences was running when you executed the script, the change may not be reflected in the GUI until you quit and relaunch System Preferences.