Lets try this blog thing again…

Shell Script to enable certain users of SSH on OS X

without comments

I recently found the need to be able to turn on SSH access for only a certain user. The idea is to have an unprivileged user enabled for SSH so that Apple Remote Desktop can have its traffic wrapped in an SSH tunnel. For details see the Apple Remote Desktop 3.2 – Administrator’s Guide page 83. Using the unprivileged user is only one small part of trying to make the system reasonably secure while still allowing you to admin the systems remotely. You still need to set firewall rules and a few other things.

At least sense 10.6.8 Apple has been using two access groups in the local LDAP to control access to the SSH service. When you first setup a system and haven’t touched the Remote Login settings there are no access control groups for SSH in /Local/Default/Groups. If you turn on SSH you will get If you limit who can login to SSH those users are added to the access group by the system. To enable SSH with a single user you would thing you can create the access group and add users using dseditgroup. That would work for a fresh system but if you have ever enabled then disabled SSH you will have a group. Changing SSH access in the GUI is easy and the system removes and adds these groups for you and you can watch all of it happen using dscl then list the contents of /Local/Default/Groups as you make changes.

The following is my shell script remove the groups, add the right group, add a user to the to that group and turn on ssh. Maybe this will help someone.


# script to enable a particular user of SSH of OS X systems
# Marc Kerr 5/31/13
# Use this as you like. No guarantees


# Check that root is running the script otherwise nothing works
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1

# Disable SSH to start with regardless of if it's on.
systemsetup -setremotelogin off

# Delete all associated SSH groups to start fresh. 
# Whether the groups exist or not they will be removed.
for group in
	dseditgroup -o delete -q $group

# now we can create the access group and add the user(s)
dseditgroup -o create -q
deseditgroup -o create -q $USERNAME -t user

# Turn SSH back on
systemsetup -setremotelogin on

exit 0

Written by Marc Kerr

May 31st, 2013 at 2:59 pm

Posted in Apple,Shell Scripts,Work

Tagged with ,