How to enable remote access for another account on Mac remotely via SSH?

24

7

I have admin rights at a remote Mac computer. I can access it via SSH. The Mac has another user account, which doesn't have remote access. How can I remotely (via SSH) enable remote access for the other account?

Andrei

Posted 2010-07-21T17:18:26.347

Reputation: 1 164

Answers

20

SSH access by users is controlled by the local copy of Directory Services. (Controlled using dscl)

First off, run dscl . list /Groups | grep 'access_ssh'. If the returned value says com.apple.access_ssh-disabled then all users have SSH access. If not, then we need to give the user access.

To add the user you need to run:

sudo dscl . append /Groups/com.apple.access_ssh user USERNAME

(replace USERNAME with the short username of the user) as well as:

sudo dscl . append /Groups/com.apple.access_ssh groupmembers `dscl . read /Users/USERNAME GeneratedUID | cut -d " " -f 2`

(replace USERNAME with short username as well)

(The last bit is thanks to Reed Stoner on lists.apple.com)

To add/enable Remote Management for only specific users (Add VNC flags from ghoppe's answer if you want VNC):

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users short,usernames,separated,by,commas -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers

Find out more by running sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -h

Chealion

Posted 2010-07-21T17:18:26.347

Reputation: 22 932

2

I'm on 10.11.5 and the commands don't complain, but the user still can't ssh. EDIT: tried this and it worked: https://support.apple.com/kb/PH18726

– Jayen – 2016-06-27T07:00:59.960

Thanks, Chealion! Could you provide also a command to enable Remote Management for a specific user only (e.g. for the current one)? The solution of ghoppe seems to alter all users with Remote Access enabled, which may be unwanted. – Andrei – 2010-07-21T19:25:46.437

1

@Andrei: Add the -users flag after -configure with the list of users. I've added it to my answer. – Chealion – 2010-07-21T19:48:18.203

@Jayen Yes, but what is the command line equivalent of specifying which users can log in? I'm trying to set this up remotely. – Michael – 2017-08-28T23:30:04.910

Sorry I'm not a Mac person and the lack of keyboard-able things (and their documentation) is the main reason. – Jayen – 2017-08-29T03:54:58.050

1

While this answer may still work, @teppic's answer provides a more correct method using the specific tool for editing groups dseditgroup. – Endareth – 2018-01-03T04:53:45.137

4

It seems that the structure of access_ssh has changed over time. The key 'user' in the first dscl command should now be GroupMembership. The second dscl command appending the UID to groupmembers is still valid. – Erik – 2012-04-10T16:05:11.193

2

Erik is correct - @Chealion, could you update your answer with changing the command to dscl . append /Groups/com.apple.access_ssh GroupMembership <username> – rfay – 2012-11-21T00:56:08.220

@Chealion Does this work for OSX 10.8.x ? – David Andreoletti – 2013-07-03T01:33:55.977

I tried on 10.8.3 and all dscl commands returned errors: DS Error -14009 :( – David Andreoletti – 2013-07-04T08:24:17.153

12

Based on Chealion's answer, I came up with this to allow ALL users to ssh in:

dscl . change /Groups/com.apple.access_ssh RecordName com.apple.access_ssh com.apple.access_ssh-disabled

Marmaduke

Posted 2010-07-21T17:18:26.347

Reputation: 121

5

Enable Remote Desktop via command line:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw mypasswd -restart -agent -privs -all

Turn off screen sharing:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off

EDIT

OK, I may have misunderstood your question. By "Remote Access" I presumed you meant remote desktop, but now I see you just want to enable ssh access for the other account, right?

My answer gets you halfway there. After enabling Remote Desktop as shown, then connect with the remote Mac to change the user's ssh access via System Prefs.

To connect to the remote Mac, go to the Finder and select Connect to Server… under the Go menu. Type in the Server Address for your computer:

vnc://x.x.x.x

Where x.x.x.x is the remote computer's IP address or URI. Since you connected with ssh, I presume you already know this.

Now you can use the Remote Desktop to navigate to System Prefs > Accounts and click the box to allow the other account to log in to the computer…

ghoppe

Posted 2010-07-21T17:18:26.347

Reputation: 6 124

Do I need to have Apple Remote Desktop installed on the remote Mac? What should I do after the first command? – Andrei – 2010-07-21T18:10:24.800

1

Remote Desktop is already installed in the System. I will edit my answer for Remote Desktop instructions. Oops. I may have misunderstood your question… – ghoppe – 2010-07-21T18:12:50.317

Anyway, what do I need to do after the first command, assuming that I am using another Mac to access the remote one? – Andrei – 2010-07-21T18:19:53.733

2

Edited my answer. There may be a way to enable ssh access via command line so you don't have to do it through Remote Desktop, but this method should work too. – ghoppe – 2010-07-21T18:23:41.713

The first command does something suspicious - it changes other accounts, not only mine. Can it be modified in such a way that other accounts are not affected? – Andrei – 2010-07-21T18:34:19.323

5

ssh access is granted to members of the com.apple.access_ssh group. This is the group that you're editing when you make access modifications to the Remote Login service through the Sharing pref pane.

While dscl can be used to edit group memberships (as described in other answers), dseditgroup is a cleaner way to modify the com.apple.access_ssh group memberships from the command line.

To add a user:

sudo dseditgroup -o edit -t user -a USERNAME com.apple.access_ssh

To remove a user:

sudo dseditgroup -o edit -t user -d USERNAME com.apple.access_ssh

teppic

Posted 2010-07-21T17:18:26.347

Reputation: 346
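
The check-then-add procedure from the answers above (inspect the group listing, then add only the one account with dseditgroup), as an added example that is not part of any answer on this page. The function names, the allowed username characters and the sample group listings are assumptions made for illustration; the command is printed rather than executed so the decision logic can be read and run without a Mac.

```shell
#!/bin/sh
# Added example, not from any answer. Function names, sample listings and
# the allowed username character set are assumptions for illustration.
GROUP=com.apple.access_ssh

# Constructed sample output of `dscl . list /Groups` (not from a real Mac).
SAMPLE_RESTRICTED='admin
com.apple.access_ssh
staff'
SAMPLE_OPEN='admin
com.apple.access_ssh-disabled
staff'

# Classify Remote Login scope from a group listing:
#   all-users  : the record is named com.apple.access_ssh-disabled
#   restricted : com.apple.access_ssh exists, only its members may log in
#   absent     : neither record is present in the listing
ssh_access_mode() {
    listing=$1
    if printf '%s\n' "$listing" | grep -qxF "${GROUP}-disabled"; then
        echo all-users
    elif printf '%s\n' "$listing" | grep -qxF "$GROUP"; then
        echo restricted
    else
        echo absent
    fi
}

# Print the command that grants USER access, or nothing when every account
# can already log in. Names that could be read as an option or as shell
# syntax are rejected before they reach a command line.
grant_command() {
    user=$1
    listing=$2
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo "invalid username" >&2; return 2 ;;
    esac
    case $(ssh_access_mode "$listing") in
        all-users)  return 0 ;;
        restricted) echo "sudo dseditgroup -o edit -t user -a $user $GROUP" ;;
        *)          echo "group $GROUP not found" >&2; return 1 ;;
    esac
}

# Demo on the constructed listing. On the Mac itself the listing would come
# from: grant_command USERNAME "$(dscl . list /Groups)"
grant_command alice "$SAMPLE_RESTRICTED"
```

An all-users result means the group has been renamed to the -disabled form, so every local account can log in over SSH; adding one account to the group keeps access limited to the accounts that need it.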