AFP548

Programmatically specifying SSH access

This is how I'm turning ssh on, as part of a first-boot launchd that srm's:

[code]launchctl load -w /System/Library/LaunchDaemons/ssh.plist[/code]

My question comes in when I look at the new restrictions available since Leopard for specifying access to users/groups. The only restriction I need at this point is that only admins are allowed access, and as far as I can tell, that's setting dslocal's /Group/com.apple.access_ssh plist with the appropriate GUID of /Group/admin as a nested group. The dscl command may look something like this (whole-heartedly cribbed from createUser):

[code]dscl -f "$3/var/db/dslocal/nodes/Default" localonly -create Local/Target/Groups/com.apple.access_ssh[/code]

And if successful, creating the other keys and appropriate or freshly-generated values (like RealName "Remote Login Group", etc.), with the important last step to search for the admin group's GenUID and assign it to a NestedGroup key as mentioned above, which I imagine would be a dscl -search piped to another -create.

Taking a step back, I'm not sure if loading the ssh.plist into launchd is the only way to get it started, since I think I can turn the service on with defaults:

[code]defaults write "$3/System/Library/LaunchDaemons/ssh.plist" Disabled -bool False[/code]

Would that for whatever reason not be safe, besides the fact I'm still (at this point) leaving the default port setting intact?

If anyone is doing it like this or via some other method, and/or you're changing the default ssh port via PlistBuddy on /System/LaunchDaemons/ssh.plist (as described here: [url]http://serverfault.com/questions/18761/how-to-change-sshd-port-on-mac-os-x[/url]), please let me know if it looks like I'm going in the right direction.

Thanks for any and all feedback,
Allister
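A way to verify the result of the restriction described in the post above, as an added example that is not part of the original post: it reads the group records under a target volume's dslocal `groups` directory and reports anything other than "admin nested in com.apple.access_ssh". The function names are hypothetical, the record key names (`generateduid`, `nestedgroups`, `users`) are assumed to follow the lowercase dslocal plist layout, and the sample records are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

SACL_GROUP = "com.apple.access_ssh"  # group name taken from the post

def load_group(groups_dir, name):
    """Read one dslocal group record (a plist whose values are lists of strings)."""
    with open(Path(groups_dir) / f"{name}.plist", "rb") as fh:
        return plistlib.load(fh)

def audit_ssh_sacl(groups_dir):
    """Return a list of findings; an empty list means only admin is nested."""
    groups_dir = Path(groups_dir)
    if not (groups_dir / f"{SACL_GROUP}.plist").exists():
        return [f"{SACL_GROUP} record missing: no group restriction on Remote Login"]
    admin_uuid = load_group(groups_dir, "admin")["generateduid"][0].upper()
    sacl = load_group(groups_dir, SACL_GROUP)
    nested = [u.upper() for u in sacl.get("nestedgroups", [])]
    findings = []
    if admin_uuid not in nested:
        findings.append("admin group is not nested in the access group")
    # Anything besides admin widens who may log in over ssh.
    findings += [f"unexpected nested group {u}" for u in nested if u != admin_uuid]
    findings += [f"direct user member {u}" for u in sacl.get("users", [])]
    return findings

def write_sample(groups_dir, nested, users=()):
    """Write constructed sample records (assumed key layout) for a dry run."""
    admin = {"name": ["admin"], "gid": ["80"],
             "generateduid": ["ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050"]}
    sacl = {"name": [SACL_GROUP], "realname": ["Remote Login Group"],
            "nestedgroups": list(nested), "users": list(users)}
    for rec in (admin, sacl):
        with open(Path(groups_dir) / f"{rec['name'][0]}.plist", "wb") as fh:
            plistlib.dump(rec, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample(d, ["ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050"])
        print(audit_ssh_sacl(d))
```

Against a real image, pass the `groups` directory under the `$3/var/db/dslocal/nodes/Default` path used in the post; reading it requires root.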