Shell Script to enable certain users of SSH on OS X
I recently found the need to turn on SSH access for only a single user. The idea is to have an unprivileged user enabled for SSH so that Apple Remote Desktop traffic can be wrapped in an SSH tunnel; for details see the Apple Remote Desktop 3.2 – Administrator’s Guide, page 83. Using an unprivileged user for the tunnel is only one small part of making the system reasonably secure while still allowing you to administer it remotely. You still need to set firewall rules and a few other things.
At least since 10.6.8, Apple has used two access groups in the local directory node (/Local/Default, the node dscl shows as ".") to control access to the SSH service. On a fresh system where the Remote Login settings have never been touched there are no SSH access-control groups in /Local/Default/Groups. When you turn on SSH you get com.apple.access_ssh; when you limit which users can log in over SSH, the system adds those users to that group. To enable SSH for a single user you would think you could simply create the access group and add the user with dseditgroup. That works on a fresh system, but if you have ever enabled and then disabled SSH you will instead have a com.apple.access_ssh-disabled group, which is what the system renames the access group to when Remote Login is turned off, and sshd will honour whichever group is present. Changing SSH access in the GUI is easy because the system removes and adds these groups for you; you can watch it happen with dscl by listing the contents of /Local/Default/Groups as you make changes.
The following is my shell script to remove both groups, recreate the right one, add a user to it and turn SSH on. Note that deleting the groups throws away any existing member list, so on a system where several users were already allowed this script leaves only the one user in $USERNAME with SSH access. Maybe this will help someone.
#!/bin/bash
# script to enable a particular user of SSH on OS X systems
# Marc Kerr https://marckerr.com 5/31/13
# Use this as you like. No guarantees

USERNAME="somebody"

# Check that root is running the script otherwise nothing works
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Make sure the user actually exists before we give it SSH access
if ! dscl . -read "/Users/$USERNAME" >/dev/null 2>&1; then
    echo "No such local user: $USERNAME" 1>&2
    exit 1
fi

# Disable SSH to start with regardless of whether it's on.
# -f skips the interactive "Do you really want to turn remote login off?" prompt.
systemsetup -f -setremotelogin off

# Delete all associated SSH groups to start fresh.
# Whether the groups exist or not they will be removed (a missing group is
# reported as an error by dseditgroup but is harmless here).
for group in com.apple.access_ssh-disabled com.apple.access_ssh
do
    dseditgroup -o delete -q "$group" 2>/dev/null
done

# Now we can create the access group and add the user(s).
# -o edit -a adds a member; -t user says the member is a user, not a group.
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -q -a "$USERNAME" -t user com.apple.access_ssh

# Turn SSH back on
systemsetup -setremotelogin on

exit 0
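After running the script it is worth confirming that the directory node is in the state you expect before relying on it: that com.apple.access_ssh exists rather than the -disabled variant, and that the intended user is actually a member. The following is an added verification example, not part of the original post. It wraps the real dscl(1) commands for use on an OS X box, but the parsing is kept in separate functions so it can be checked against captured dscl output on any system. The sample group listing and the "GroupMembership: alice bob" line used in the comments are constructed to match the single-line attribute format dscl prints for short attribute values; the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): check the SSH access-control
# groups in /Local/Default and whether a given user may log in over SSH.

# Classify a group listing, one name per line as printed by
#   dscl . -list /Local/Default/Groups
# into: enabled (SSH on, restricted to members of com.apple.access_ssh),
# disabled (restricted access exists but Remote Login is off), or
# unconfigured (neither group present, Remote Login never restricted).
ssh_group_state() {
    local listing="$1"
    if printf '%s\n' "$listing" | grep -qx 'com.apple.access_ssh'; then
        echo enabled
    elif printf '%s\n' "$listing" | grep -qx 'com.apple.access_ssh-disabled'; then
        echo disabled
    else
        echo unconfigured
    fi
}

# Extract member names from the output of
#   dscl . -read /Local/Default/Groups/<group> GroupMembership
# which for short values looks like "GroupMembership: alice bob" (assumed
# format). Prints one member per line; prints nothing if the key is absent.
group_members() {
    local dscl_output="$1"
    printf '%s\n' "$dscl_output" | sed -n 's/^GroupMembership: *//p' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 if $1 appears in the membership list parsed from $2, else 1.
user_in_group() {
    local user="$1" dscl_output="$2"
    group_members "$dscl_output" | grep -qx -- "$user"
}

# Live check against the local directory node. Only works on OS X, where
# dscl exists; returns 0 only if SSH is enabled AND the user is a member.
check_ssh_access() {
    local user="$1" listing state membership
    listing=$(dscl . -list /Local/Default/Groups)
    state=$(ssh_group_state "$listing")
    echo "SSH access groups: $state"
    [ "$state" = enabled ] || return 1
    membership=$(dscl . -read /Local/Default/Groups/com.apple.access_ssh GroupMembership 2>/dev/null)
    if user_in_group "$user" "$membership"; then
        echo "$user is a member of com.apple.access_ssh and may log in over SSH"
        return 0
    fi
    echo "$user is NOT a member of com.apple.access_ssh" 1>&2
    return 1
}

# Usage on an OS X system:  ./check_ssh_access.sh somebody
if [ -n "${1:-}" ] && command -v dscl >/dev/null 2>&1; then
    check_ssh_access "$1"
fi
```

The state check matters because a leftover com.apple.access_ssh-disabled group means the GUI, not your script, last touched Remote Login; in that case running the script again (which deletes both groups) is the safe way back to a known configuration.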