
Secure Shell (SSH) or Remote Login

scriptingosx edited this page Aug 26, 2015 · 2 revisions

SSH (secure shell) access is important for administrators because it provides secure, encrypted remote access to a client. There are SSH clients for every platform, including iOS, so this is a flexible way to remotely control a Mac.

However, since there is potential to abuse ssh, we should restrict ssh access to a subset of users. The OS X UI allows you to restrict ssh access to a list of users or groups. In our example we will enable Remote Login and give access to any user with administrative privileges, i.e. the admin group.

Check and change status of SSH

The first thing we want to test for is whether Remote Login/ssh is enabled. The CLI tool systemsetup has a command for that:

systemsetup -getremotelogin

This returns Remote Login: On or Remote Login: Off depending on the status. Testing for this in a script is easy enough:

# Is SSH enabled
if [[ $(systemsetup -getremotelogin) = 'Remote Login: Off' ]]; then
    echo "SSH is off!"
else
    echo "SSH is on!"
fi

To change the status, you also use systemsetup:

systemsetup -setremotelogin On

or a bit more elaborate:

# enable ssh
if [[ $(systemsetup -getremotelogin) = 'Remote Login: Off' ]]; then
	echo "turning on Remote Login/SSH"
	systemsetup -setremotelogin On
fi

Controlling user access to SSH

In the UI you can go to System Preferences > Sharing > Remote Login to control access.

Access to SSH is controlled by a local group called com.apple.access_ssh. Users that are a member of this group or nested in a group which is a member of this group get access to SSH. To manipulate groups you should use the dseditgroup command:

Note: if you use the Preference Pane to allow access to all users, the group com.apple.access_ssh is renamed to com.apple.access_ssh-disabled, so your script should look for that name as well. On a freshly installed system where SSH has never been enabled, neither group may exist.

# the group that controls SSH access
ssh_group="com.apple.access_ssh"

# Was the group renamed to "com.apple.access_ssh-disabled" (access for all users)?
# grep -x matches the whole line, so the plain name does not match the -disabled name
if [[ $(dscl /Local/Default list /Groups | grep -x "${ssh_group}-disabled" | wc -l) -eq 1 ]]; then
	# rename this group back so it restricts access again
	echo "renaming group '${ssh_group}-disabled'"
	dscl localhost change /Local/Default/Groups/${ssh_group}-disabled RecordName ${ssh_group}-disabled $ssh_group
elif [[ $(dscl /Local/Default list /Groups | grep -x "$ssh_group" | wc -l) -eq 0 ]]; then
	# neither group exists yet: create it
	echo "creating group $ssh_group"
	dseditgroup -o create -n "/Local/Default" -r "Remote Login Group" -T group $ssh_group
fi

# does the group contain the admin group?
admin_uuid=$(dsmemberutil getuuid -G admin)
if [[ $(dscl /Local/Default read Groups/$ssh_group NestedGroups | grep "$admin_uuid" | wc -l) -eq 0 ]]; then
	echo "adding admin group to $ssh_group"
	dseditgroup -o edit -n "/Local/Default" -a admin -t group $ssh_group
fi
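The script above both reads and changes the system. For auditing many Macs it helps to separate the decision logic from the commands, so it can be checked without touching a machine. The example below is added here and is not part of the original page: it classifies the SSH access state from the text that systemsetup and dscl print (the three group states described in the note above), and the sample outputs and the UUID in it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original page: decide the SSH access state
# from command output, so the logic can be tested without a Mac.

ssh_group="com.apple.access_ssh"

# Arg 1: output of `systemsetup -getremotelogin`
# Arg 2: output of `dscl /Local/Default list /Groups` (one group name per line)
# Prints one of: off, all-users, restricted, never-enabled
ssh_access_state() {
    remotelogin="$1"
    groups="$2"
    if [ "$remotelogin" = "Remote Login: Off" ]; then
        echo "off"
        return 0
    fi
    # -x matches whole lines, so the plain name never matches the -disabled name
    if printf '%s\n' "$groups" | grep -qx "${ssh_group}-disabled"; then
        echo "all-users"      # Preference Pane set to "All users": weakest state
    elif printf '%s\n' "$groups" | grep -qx "$ssh_group"; then
        echo "restricted"     # only members and nested groups get SSH access
    else
        echo "never-enabled"  # neither group exists yet
    fi
}

# Arg 1: output of `dscl /Local/Default read Groups/$ssh_group NestedGroups`
# Arg 2: a group UUID as printed by `dsmemberutil getuuid -G <group>`
# Returns 0 if the UUID is nested in the group, 1 otherwise
group_nests_uuid() {
    printf '%s\n' "$1" | grep -qiF "$2"
}

# Constructed sample outputs (not captured from a real system)
sample_groups='admin
com.apple.access_ssh-disabled
staff
wheel'
sample_uuid='ABCDEFAB-CDEF-ABCD-ABCD-000000000050'   # constructed placeholder UUID
sample_nested="NestedGroups: $sample_uuid"

# Live report, only where the macOS tools exist (needs root for systemsetup)
if command -v systemsetup >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    echo "SSH access state: $(ssh_access_state "$(systemsetup -getremotelogin)" "$(dscl /Local/Default list /Groups)")"
fi
```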