In the never-ending search to work smarter, not harder, few things can be simpler than entering commands on one Mac and having them pushed out across the entire LAN to multiple nodes.
One of these perks comes natively to OS X by way of SSH—the remote access network protocol that encrypts communication from end-to-end between server and client machine.
Unfortunately (for Mac sysadmins), Remote Login—as Apple refers to it—comes turned off, by default (fortunate for security admins). Turning the service on involves very little manual intervention, but when you multiply that by the number of Macs to administer, the task becomes incredulously time-intensive.
On the plus side, there is a command that can be executed to turn on the SSH service, and another couple of commands can optionally configure the service and secure it so that only those requiring secure access will be authorized to do so. Let's take a closer look.
To enable SSH, enter the command below into Terminal.app, and press Enter to execute it. Once completed, the SSH service will be enabled for all users on that authenticate on that Mac.
systemsetup -setremotelogin on
Creating an SSH access group
With SSH enabled, secure access is provided to the Mac. However, if anyone can access your computer remotely, how secure is it? Not very, I'm afraid. Fortunately, this too can be changed by creating an SSH access group, where members will be provided exclusive authorization to remotely access your Mac.
dseditgroup -o create -q com.apple.access_ssh
Add users (or groups) to the SSH access group
By running this command, users and/or groups that are to be granted SSH access to machines will be allowed to do so, while all other users will be expressly denied access to connect or login remotely. In the example below, the admin group has been granted SSH access.
dseditgroup -o edit -a admin -t group com.apple.access_ssh
Since this is a command to be executed remotely, it requires some way to be executed or kicked off in order for it to process on multiple computers. While each organization may have different management suites in place, Apple Remote Desktop, DeployStudio tasks, OS X Server custom configurations, or traditional scripts will all equally get the job done and secure access to SSH.
- Pro tip: Five commands Mac admins should know
- Remotely administer Macs using Terminal
- Pro tip: Three ways to gain (or prevent) admin access to OS X
- ZDNet: Serious security flaw in OS X Yosemite 'Rootpipe'
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.