
Setting access controls for SSH Part 2

As a follow-up to my earlier blog entry on setting SSH access controls, here’s how you can add groups to your SSH SACL:

Command to create the SACL (if it doesn’t already exist):

dseditgroup -o create -q com.apple.access_ssh

Add your group as a nested group inside the SACL group:

dseditgroup -o edit -a "group name" -t group com.apple.access_ssh

If you’re adding an AD group, you may need to add the AD domain’s name:

dseditgroup -o edit -a "DOMAIN\group name" -t group com.apple.access_ssh
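
One way to script the steps above so they can be re-run safely and the result checked per account. This is an added example, not code from the original post; the function names and the "no-sacl" marker are assumptions of this example, and it relies on dseditgroup's read and checkmember operations in addition to the commands shown above.

```shell
#!/bin/sh
# Added example: idempotent SSH SACL setup and audit around dseditgroup.
# Function names and the "no-sacl" marker are assumptions of this example.
SACL="com.apple.access_ssh"

# True when the SACL group already exists in the directory.
sacl_exists() {
    dseditgroup -o read "$SACL" >/dev/null 2>&1
}

# Nest a group inside the SACL, creating the SACL first only if missing.
# Pass AD groups as 'DOMAIN\group name' (single-quoted to keep the backslash).
add_group_to_sacl() {
    [ -n "$1" ] || { echo "usage: add_group_to_sacl <group>" >&2; return 2; }
    sacl_exists || dseditgroup -o create -q "$SACL" || return 1
    dseditgroup -o edit -a "$1" -t group "$SACL"
}

# checkmember answers "yes ..." or "no ..." for the given account.
user_allowed() {
    out=$(dseditgroup -o checkmember -m "$1" "$SACL" 2>/dev/null) || true
    case "$out" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print "<user> allow|deny" per account. With no SACL group there is nothing
# to test membership against, so that state is reported as "no-sacl".
audit_users() {
    if ! sacl_exists; then
        echo "no-sacl"
        return 0
    fi
    for u in "$@"; do
        if user_allowed "$u"; then echo "$u allow"; else echo "$u deny"; fi
    done
}

# Usage after sourcing this file (group edits need admin rights):
#   add_group_to_sacl 'DOMAIN\group name'
#   audit_users alice bob
```

Running the audit after every change catches the case where a group was added under the wrong name and the intended users still fail the membership check.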

  1. June 11, 2012 at 8:45 pm

    Thanks for all the information. Your site is always informative, inspiring and insightful.

    Any advice for adding a NIS group with dseditgroup for use with ssh?

  2. March 5, 2015 at 8:58 pm

    So let’s say you’d like only a particular user (say, a local-admin) to have SSH access, but no one else. One of the things you’d have to do is disable anyone in the “Administrators” group from connecting via SSH. You can do this with the command:

    dseditgroup -o edit -n /Local/Default -d admin -t group com.apple.access_ssh

    This works properly with 10.9.5.

    Note that the name of the group is ‘admin’, and *not* ‘administrators’ nor ‘Administrators’.
