
How To: Bash Script to add AD User & Group to SSH in Mac

This morning I got a request from the Green IT folks to enable SSH on all the Macs that we have in Enterprise. Currently SSH is not enabled on clients and not even the Admins are allowed to do so. As it was against the InfoSec policy of the client, they needed a solution that ensures SSH is not enabled for anyone except a couple of Service Accounts that do background jobs.

So what I proposed was simple: create a Security Group in AD, add all Service Accounts to that group, and grant SSH access to that group. Now no one else will be able to access via SSH except the members of this group.
So here is what I wrote for them. In this script Joulix is the AD account and HM Admin Mac SSH is the AD group that needs SSH access:

 

#!/bin/bash
 
# To add the User / Group to be able to do ssh.
# Created by Laeeq Humam | 10.10.2014 | for HCL
# Wrote for Green IT via Cisco Joulix.

UN="Joulix"
MACSSHGROUP="Admin Mac SSH"

# Will use this group and user probably once or twice. Variable might not be required at this moment.
# Keeping it the Variable way for future complex scripting.
 
# Good habit to make Terminal speak loud on Admin's fault :)
if [[ $EUID -ne 0 ]]; then
   echo "Did you forget to become a root user? Lets try again! :) " 1>&2
   exit 1
fi

 
# Keep it simple: turn Remote Login OFF, do your thing and turn it back ON.
systemsetup -setremotelogin OFF

# This is giving Joulix user account ssh access on system
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a "$UN" -t user com.apple.access_ssh
 # I have added this line for someone who wants to add just one user to grant SSH access and not a group.

# The following line will give access to "Admin Mac SSH" AD group to do SSH in enterprise.
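# Quoted because the group name contains spaces; unquoted it would be split into three arguments.
dseditgroup -o edit -a "$MACSSHGROUP" -t group com.apple.access_ssh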

# If you are looking inside this script, try this line to see its done as you wanted it to be :)
dseditgroup -o read -t group com.apple.access_ssh

# Turn SSH ON again
systemsetup -setremotelogin ON
 
exit 0

Obviously, you need to change the group name to your AD group name / path.
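
To confirm later that the access group still holds only the intended accounts, here is an added example (not part of the original script) that parses the output of dscl . -read /Groups/com.apple.access_ssh GroupMembership and reports any direct user member missing from an allowlist. ALLOWED_USERS and the function name are assumptions; the AD group added with -t group is stored as a nested group and is not covered by this check.

```shell
#!/bin/sh
# Added example (not from the original post): flag drift in the SSH access group.
# ALLOWED_USERS is an assumed allowlist; replace it with your service accounts.
ALLOWED_USERS="Joulix"

# unexpected_ssh_members "<dscl output>" "<space-separated allowlist>"
# Prints each direct member that is not allowlisted, one per line.
# Exit status: 0 = clean, 1 = unexpected members, 2 = membership unreadable.
unexpected_ssh_members() (
    output=$1 allowed=$2 drift=0 readable=0
    set -f                                   # no glob expansion when splitting names
    while IFS= read -r line; do
        case $line in
            "GroupMembership:"*)
                readable=1
                for member in ${line#GroupMembership:}; do
                    case " $allowed " in
                        *" $member "*) ;;            # expected account
                        *) printf '%s\n' "$member"; drift=1 ;;
                    esac
                done ;;
            "No such key: GroupMembership")
                readable=1 ;;                # group exists, no direct user members
        esac
    done <<EOF
$output
EOF
    [ "$readable" -eq 1 ] || exit 2
    exit "$drift"
)

# On a Mac, audit the live group; skipped where dscl is not installed.
if command -v dscl >/dev/null 2>&1; then
    current=$(dscl . -read /Groups/com.apple.access_ssh GroupMembership 2>&1)
    if extra=$(unexpected_ssh_members "$current" "$ALLOWED_USERS"); then
        echo "com.apple.access_ssh: no unexpected direct members"
    else
        case $? in
            1) echo "Unexpected SSH members: $extra" >&2 ;;
            *) echo "Could not read com.apple.access_ssh: $current" >&2 ;;
        esac
    fi
fi
```

Exit status 2 means the group record itself could not be read, in which case the restriction the script sets up should be rechecked on that machine.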
