Skip to main content

How To: Bash Script to add AD User & Group to SSH in Mac

Today morning I got a request from Green IT folks to enabled SSH on all the Macs that we have in Enterprise. Currently SSH is not enabled on clients and not even the Admins are allowed to do so. As it was against InfoSec policy of the client, they needed a solution that ensures SSH is not enabled for anyone except couple of Service Accounts that does background job.

So what I proposed was simple, to create a Security Group in AD and add all Service Accounts to that Group and grant SSH access to that group. Now, no one else will be able to access via SSH except the members of this group.
So here is what I wrote for them. In this script Joulix is the AD account and HM Admin Mac SSH is the AD group that needs SSH access.:

 

#!/bin/bash
 
# To add the User / Group to be able to do ssh.
# Created by Laeeq Humam | 10.10.2014 | for HCL
# Wrote for Green IT via Cisco Joulix.

UN="Joulix"
MACSSHGROUP="Admin Mac SSH"

# Will use this group and user probably once or twice. Variable might not be required at this moment.
# Keeping it the Variable way for future complex scripting.
 
# Good habit to make Terminal speak loud on Admin's fault :)
if [[ $EUID -ne 0 ]]; then
   echo "Did you forget to become a root user? Lets try again! :) " 1>&2
   exit 1
fi
 
# Keep it simple, Turn Remotelogin OFF, do your thing and rutn it back ON.
systemsetup -setremotelogin OFF

# This is giving Joulix user account ssh access on system
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a $UN -t user com.apple.access_ssh # I have added this line for someone who wants to add just one user to grant SSH access and not a group.

# The following line will give access to "Admin Mac SSH" AD group to do SSH in enterprise.
dseditgroup -o edit -a $MACSSHGROUP -t group com.apple.access_ssh

# If you are looking inside this script, try this line to see its done as you wanted it to be :)
dseditgroup -o read -t group com.apple.access_ssh

# Turn SSH ON again
systemsetup -setremotelogin ON
 
exit 0

Obviously, you need to change the group name to your AD group name / path.

Labels:

Comments

Post a Comment

Popular posts from this blog

MAKING A FILE/FOLDER INVISIBLE

How to hide a file/folder using Terminal This is one of the greatest technique that I ever came across, I had to share my Mac in office and was curious about hiding confidential data. This was when I started exploring and finally came up with this solution. These commands are to be typed in Terminal. To make a file or folder invisible in Mac OS X Finder setfile -a V testfile.txt Here is goes, the file or folder is no longer visible via the Finder GUI, though it will be by Terminal. Your files are still there and you can find them via the command line and will show with an ls command. If you want your files and folders to be visible again, use this command: To make a file or folder visible again in Mac OS X Finder setfile -a v testfile.txt Now the file/folder will be visible again to the Finder, cool isn't it? Please Note: setfile is a command line utility included in Apple’s Developer Tools, which is a highly recommended optional install included on any Mac OS X install...
4 comments
Read more

ENTOURAGE TROUBLESHOOTING: CRASHES WHILE LAUNCHING - II

Entourage Crashing due to Fonts There are two fonts that are known to be one of the most popular reasons of Entourage crashing. The first one is Helvetica Fractions which is majorly responsible to cause problems, the second is Times Phonetic. In order to fix this issue, don't just disable these fonts in Font Book, but physically remove them from your system and try to launch Entourage again. Other discussed reasons are database , schedules and duplicate daemons .
Post a Comment
Read more

An introduction to Mac OS X Server

Mac OS X server is combination of Power and Style. It derives power from its strong UNIX base and the style comes from well known Apple GUI. This combination makes Mac OS X Server one of the robust server available in present time. Mac OS X Server is built on a fully compliant UNIX foundation. This battle-tested core provides the stability, performance, and security that organizations require. And full UNIX conformance ensures compatibility with existing server and application software. Mac OS X Server is the ideal platform for deploying groundbreaking enterprise applications and services. The kernel in Mac OS X Server provides superior thread management and affinity algorithms for efficient handling of multithreaded applications on the latest generation of Intel multicore processors. It also provides precise control of real-time processing requirements, allowing a user-level thread — even an unprivileged one — to precisely specify its requirements for time-sensitive operations...
3 comments
Read more