Programmatically specifying SSH access

#379211
    Allister Banks
    Participant

    This is how I’m turning ssh on, as part of a first-boot launchd that srm’s:
    [code]launchctl load -w /System/Library/LaunchDaemons/ssh.plist[/code]
    My question comes in when I look at the new restrictions available since Leopard for specifying access to users/groups. The only restriction I need at this point is that only admins are allowed access, and as far as I can tell, that’s setting dslocal’s /Group/com.apple.access_ssh plist with the appropriate GUID of /Group/admin as a nested group. The dscl command may look something like this (whole-heartedly cribbed from createUser):
    [code]dscl -f "$3/var/db/dslocal/nodes/Default" localonly -create Local/Target/Groups/com.apple.access_ssh[/code]
    And if successful, creating the other keys and appropriate or freshly-generated values (like RealName “Remote Login Group”, etc.), with the important last step to search for the admin group’s GenUID and assign it to a NestedGroup key as mentioned above, which I imagine would be a dscl -search piped to another -create.

    Taking a step back, I’m not sure if loading the ssh.plist into launchd is the only way to get it started, since I think I can turn the service on with defaults:
    [code]defaults write "$3/System/Library/LaunchDaemons/ssh.plist" Disabled -bool False[/code]
    Would that for whatever reason not be safe, besides the fact I’m still (at this point) leaving the default port setting intact?

    If anyone is doing it like this or via some other method, and/or you’re changing the default ssh port via plistBuddy on /System/LaunchDaemons/ssh.plist (as described here: [url]http://serverfault.com/questions/18761/how-to-change-sshd-port-on-mac-os-x[/url]), please let me know if it looks like I’m going in the right direction.
    Thanks for any and all feedback,

    Allister

    #379215
    foilpan
    Participant

    i’d probably use dseditgroup to add the local admin group to com.apple.access.ssh.

    check here for some pointers: http://blog.macadmincorner.com/securing-ssh/

    as far as enabling ssh goes, i’d load the launchd plist like you are but manage the sshd_config file to set options.

    here’s an example of a puppet manifest that works for me:

    [code]
    class ssh {
      # keep the launchd job file owned by root:wheel and not group/world writable
      file { "/System/Library/LaunchDaemons/ssh.plist":
        owner => root,
        group => wheel,
        mode  => "0644",
      }

      # launchd label of the sshd job; loading it enables Remote Login
      service { "com.openssh.sshd":
        enable  => true,
        ensure  => running,
        require => File["/System/Library/LaunchDaemons/ssh.plist"],
      }
    }
    [/code]

    #379225
    Allister Banks
    Participant

    Hey (edit) the other nate,

    Thanks for reminding me of that, I do appreciate it, especially as a bonus dropping the slick configuration/state management tools into the mix! So dseditgroup works against an unbooted target? The slickest is when it springs forth from the build train fully-formed, although I’m kicking around the idea of asking larkost to bundle launchd templates into the project. People would then (with the possible addition of clearReg as well) have a map of how to do the basics with the supported, apple-recommended, built-in methods.
    And how sweet is that there’s no exec’s in your puppet manifest? Slick.

    Allister

    #379227
    foilpan
    Participant

    i’m not mr. gallagher, but thanks. 😀

    dseditgroup might only work on a booted system, as i believe it depends on directoryservice to be running. if you need to do this all pre-boot, you’re going to have to mess with editing plists with whatever method is most convenient.
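The two approaches in this thread (the dscl/dseditgroup route in the first post, and foilpan's point above that pre-boot you end up editing the dslocal plists directly) both come down to the same record: a com.apple.access_ssh group whose NestedGroups attribute carries the admin group's GeneratedUID. The script below is an added example, not code from the thread or from InstaDMG's createUser. It writes that group plist straight into the target volume's local node (the `$3` root in the thread) and flips `Disabled` in the target's ssh.plist, so it works on an unbooted volume where DirectoryService is not running. Assumptions, labelled in the code: the node lives at var/db/dslocal/nodes/Default with one plist per group under groups/, every attribute value is a list of strings (the dslocal layout), the gid search starts at 400, and the demo tree built by build_demo_root is constructed sample data.

```python
"""Offline setup of the Remote Login ACL group on an unbooted OS X volume.

Added example (not from the thread or InstaDMG). Edits the dslocal plists
directly instead of calling dscl/dseditgroup, so it works against a mounted
but unbooted target. Assumed layout: <root>/var/db/dslocal/nodes/Default,
one plist per group under groups/, attribute values stored as string lists.
"""
import os
import plistlib
import tempfile
import uuid

NODE_REL = "var/db/dslocal/nodes/Default"          # assumed node location
ACL_GROUP = "com.apple.access_ssh"                 # group sshd's ACL consults
ACL_REALNAME = "Remote Login Group"                # RealName quoted in the thread
LAUNCHD_REL = "System/Library/LaunchDaemons/ssh.plist"


def _groups_dir(root):
    return os.path.join(root, NODE_REL, "groups")


def _load_group(root, name):
    with open(os.path.join(_groups_dir(root), name + ".plist"), "rb") as fh:
        return plistlib.load(fh)


def used_gids(root):
    """Numeric gids already present in the local node, to avoid a clash."""
    gids = set()
    for entry in os.listdir(_groups_dir(root)):
        if entry.endswith(".plist"):
            rec = _load_group(root, entry[:-len(".plist")])
            gids.update(int(g) for g in rec.get("gid", []))
    return gids


def pick_gid(root, start=400):
    """First free gid at or above `start` (400 is an assumption, not a rule)."""
    taken, gid = used_gids(root), start
    while gid in taken:
        gid += 1
    return gid


def create_ssh_acl_group(root, nested="admin", gid=None):
    """Create com.apple.access_ssh with `nested` as its only NestedGroups entry.

    Refuses to overwrite an existing ACL group so a hand-edited one is never
    silently replaced. Returns the record that was written.
    """
    target = os.path.join(_groups_dir(root), ACL_GROUP + ".plist")
    if os.path.exists(target):
        raise FileExistsError("%s already exists" % target)
    nested_guid = _load_group(root, nested).get("generateduid", [None])[0]
    if not nested_guid:
        raise ValueError("group %r has no generateduid" % nested)
    if gid is None:
        gid = pick_gid(root)
    record = {
        "name": [ACL_GROUP],
        "realname": [ACL_REALNAME],
        "gid": [str(gid)],
        "generateduid": [str(uuid.uuid4()).upper()],
        "passwd": ["*"],
        "nestedgroups": [nested_guid],    # membership by GUID, as in the thread
        "users": [],
        "groupmembers": [],
    }
    with open(target, "wb") as fh:
        plistlib.dump(record, fh)
    return record


def enable_sshd(root):
    """The `defaults write ... Disabled -bool False` step, done with plistlib."""
    path = os.path.join(root, LAUNCHD_REL)
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    job["Disabled"] = False
    with open(path, "wb") as fh:
        plistlib.dump(job, fh)
    return job


def acl_allows(root, group_name):
    """Post-hoc check: is `group_name` nested in the Remote Login ACL group?"""
    acl = _load_group(root, ACL_GROUP)
    guid = _load_group(root, group_name)["generateduid"][0]
    return guid in acl.get("nestedgroups", [])


def build_demo_root():
    """Constructed sample target volume (not a real dslocal dump) for a dry run."""
    root = tempfile.mkdtemp(prefix="target-")
    gdir = os.path.join(root, NODE_REL, "groups")
    os.makedirs(gdir)
    sample = {  # constructed records; GUIDs and gids are made up
        "admin": {"name": ["admin"], "gid": ["80"],
                  "generateduid": ["ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050"]},
        "staff": {"name": ["staff"], "gid": ["20"],
                  "generateduid": ["ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014"]},
        "busy":  {"name": ["busy"], "gid": ["400"],
                  "generateduid": ["ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000190"]},
    }
    for name, rec in sample.items():
        with open(os.path.join(gdir, name + ".plist"), "wb") as fh:
            plistlib.dump(rec, fh)
    ldir = os.path.join(root, os.path.dirname(LAUNCHD_REL))
    os.makedirs(ldir)
    with open(os.path.join(root, LAUNCHD_REL), "wb") as fh:
        plistlib.dump({"Label": "com.openssh.sshd", "Disabled": True}, fh)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print(create_ssh_acl_group(demo))
    print("admin allowed:", acl_allows(demo, "admin"))
    print("ssh.plist Disabled:", enable_sshd(demo)["Disabled"])
```

On a real build run the root would be the mounted target volume rather than the demo tree, and the gid clash check matters because sshd's ACL lookup goes by the group record, not by name alone; after the target boots, `dseditgroup -o checkmember -m someadmin com.apple.access_ssh` (a command that needs DirectoryService running, which is exactly why the plist route is used pre-boot) is the easiest way to confirm the nesting took effect.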
