Centrify DirectControl for all versions of Mac OS X

Question:
In OS X, SSH access can be managed via the "Allow access for:" settings in:
- System Preferences > Sharing
Is it possible to manage these access restrictions via Centrify?

Answer:
There are two options for remotely managing SSH access in OS X:
- Option A: Via group policies
- Option B: Manually editing the /etc/sshd_config file

Option A: Group Policy
- SSH access can be managed via the group policies at:
- Computer Configuration / Centrify Settings / SSH Settings / ...
- (In order for this GP folder to be visible, the centrify_unix_settings.xml template needs to have been added into the GPO)
- These SSH settings are a separate set of rules from the options set in the "Allow access for:" GUI in OS X.
- A user connecting via SSH will need to be allowed through both the GP rules and the OS X rules to be let in.
- To manage SSH access via the group policies only, add the following command into the GP at:
- Computer Configuration / Centrify Settings / Common UNIX Settings / "Specify commands to run"
- Run Command: sudo dseditgroup -o delete -T group com.apple.access_ssh
- This will ensure that "Allow access for: All users" is set in the GUI, and thus only the SSH Settings GP rules will be followed.

Option B: Manually edit the /etc/sshd_config file:
- SSH policy options can be directly saved in /etc/sshd_config and updated as needed.
- Replace 'username' and 'groupname' with the actual AD user or group name:
- DenyUsers username
- AllowUsers username
- DenyGroups groupname
- AllowGroups groupname
- It is also possible to push this file out via the GP at:
- Computer Configuration / Centrify Settings / Common UNIX Settings / "Copy files"
- For both the above options, make sure to use the UNIX name of the AD groups being added:
- In Zone Mode, this is the name of the group as added into the Zone
- In Auto Zone mode, a user's list of group memberships can be found in UNIX format by running the Terminal command:
- adquery user -G ad_username
- (Replace "ad_username" with the actual username of an AD user)
- Group names are entered on a single line, space-delimited. If a UNIX group name itself contains a space, it needs to be enclosed in double quotes, e.g.:
- "domain admins" admin "it department" execs
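The following Python script is an added illustration, not part of the Centrify KB article and not Centrify's own code. It models the two layers described above (the "Allow access for:" GUI list, which is wide open once the com.apple.access_ssh group has been deleted, and the sshd_config Allow/Deny directives), parses a constructed sshd_config fragment with a quoted multi-word group name, and reports whether a given AD user with a given set of UNIX group names would be let in. Directive evaluation follows the order documented in the sshd_config man page (DenyUsers, AllowUsers, DenyGroups, AllowGroups) with shell-style wildcard matching; the user@host pattern form is deliberately not modelled, and the function names, the sample config and the user/group names are all assumptions made for the example.

```python
import shlex
from fnmatch import fnmatchcase

# Constructed sample sshd_config fragment (not from the article). The UNIX names of
# the AD groups are space-delimited; names containing a space are double-quoted.
SAMPLE_SSHD_CONFIG = """\
# constructed example
AllowGroups "domain admins" admin "it department" execs
DenyUsers contractor
"""

ACCESS_DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_access_directives(config_text):
    """Return {directive: [patterns]} for the four sshd access-control directives.

    Values are split with shell-style quoting, so "it department" stays one pattern.
    Lines starting with '#' and blank lines are ignored; keywords are case-insensitive.
    """
    rules = {name: [] for name in ACCESS_DIRECTIVES}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        for name in ACCESS_DIRECTIVES:
            if keyword.lower() == name.lower():
                rules[name].extend(shlex.split(value))
    return rules


def _matches(name, patterns):
    return any(fnmatchcase(name, p) for p in patterns)


def allowed_by_sshd(user, groups, rules):
    """Apply the directives in the order sshd documents: deny lists win, and a
    non-empty allow list must contain a match."""
    if _matches(user, rules["DenyUsers"]):
        return False
    if rules["AllowUsers"] and not _matches(user, rules["AllowUsers"]):
        return False
    if any(_matches(g, rules["DenyGroups"]) for g in groups):
        return False
    if rules["AllowGroups"] and not any(_matches(g, rules["AllowGroups"]) for g in groups):
        return False
    return True


def allowed_by_sharing_acl(user, groups, acl_members):
    """Model of the 'Allow access for:' GUI setting.

    acl_members is None when the com.apple.access_ssh group does not exist, which
    corresponds to 'All users'; otherwise it is the set of user and group names that
    were added to 'Only these users'.
    """
    if acl_members is None:
        return True
    return user in acl_members or any(g in acl_members for g in groups)


def ssh_login_permitted(user, groups, config_text, acl_members):
    """A user must pass BOTH the OS X sharing ACL and the sshd_config rules."""
    rules = parse_access_directives(config_text)
    return allowed_by_sharing_acl(user, groups, acl_members) and allowed_by_sshd(user, groups, rules)


if __name__ == "__main__":
    # Constructed users/groups: "alice" is in "domain admins", "bob" only in "staff".
    for user, groups, acl in [
        ("alice", ["domain admins"], None),
        ("bob", ["staff"], None),
        ("contractor", ["admin"], None),
        ("alice", ["domain admins"], {"execs"}),
    ]:
        verdict = ssh_login_permitted(user, groups, SAMPLE_SSHD_CONFIG, acl)
        print(f"{user:10} groups={groups} gui_acl={acl} -> {'allowed' if verdict else 'denied'}")
```

The last case shows why the article deletes the com.apple.access_ssh group when access is to be driven purely by the SSH Settings GP: with the GUI list still populated, a user who matches AllowGroups in sshd_config is nonetheless refused by the sharing ACL.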