Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2834: How to restrict SSH access for OS X

Mac & PC Management Service ,  

12 April,16 at 11:40 AM

Applies to: Centrify DirectControl for all versions of Mac OS X


In OS X, SSH access can be managed via the "Allow access for:" settings in:
  • System Preferences > Sharing

Is it possible to manage these access restrictions via Centrify?

There are two options for remotely managing SSH access in OS X:
  • Option A: Via group policies
  • Option B: Manually editing the /etc/sshd_config file
Option A: Group Policy
  • SSH access can be managed via the group policies at:
    • Computer Configuration / Centrify Settings / SSH Settings / ...
  • (In order for this GP folder to be visible, the centrify_unix_settings.xml template needs to have been added into the GPO)
    • Note:
    • These SSH settings are a separate set of rules to the options set in the "Allow access for:" GUI in OS X.
    • A user connecting via SSH will need to be allowed through both the GP rules and the OS X rules to be allowed in.
    • To manage SSH access via the group policies only, add the following command into the GP at:
      • Computer Configuration / Centrify Settings / Common UNIX Settings / "Specify commands to run"
      • Run Command: sudo dseditgroup -o delete -T group
    • This will ensure that "Allow access for: All users" is set in the GUI, and thus only the SSH Settings GP rules will be followed. 

Option B: Manually edit the /etc/sshd_config file:
  • SSH policy options can be directly saved in /etc/sshd_config and updated as needed.
  • Replace 'username' and 'groupname' with the actual AD user or group name 
    • DenyUsers username
    • AllowUsers username
    • DenyGroups groupname
    • Alowgroups groupname
  • It is also possible to push this file out via the GP at:
    • Computer Configuration / Centrify Settings / Common UNIX Settings / "Copy files"

  • For both the above options, make sure to use the UNIX name of the AD groups being added:
    • In Zone Mode, this is the name of the group as added into the Zone
    • In Auto Zone mode, a user's list of group memberships can be found in UNIX format by running the Terminal command:
      • adquery user -G ad_username
    • (Replace "ad_username" with the actual username of an AD user) 
  • Group names are entered on a single row and space delimited. If the UNIX group name itself contains a space, then it will need to be enclosed in quotes, e.g.:
    • "domain admins" admin "it department" execs

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.