[Casper] Hidden SSH account

John Wetter john_wetter at hopkins.k12.mn.us
Tue Aug 26 21:44:51 PDT 2008


That's why when in doubt, I just use a quickadd package.  Have an auto-login user on your JSS that just takes Recon, and hand out the QuickAdd package.  Have it set to create the hidden user and recon and manage using that hidden user.

If you run recon on a machine in the JSS, the user/pswd field should auto-populate if it is a managed computer.  Recon does not add an account, hence why I just use a quickadd package.

I think it's quite important to have Casper manage the computers with a hidden user.  This way, if someone changes the visible admin username, you can still manage the computer.  This also becomes handy if your admin password gets compromised as the netadmin user is still there to manage and change the password for your visible admin account.

-John
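John's point above is that a hidden management account stays out of sight of ordinary users but remains fully visible to `dscl`. The following is an added example, not code from the thread or from JAMF: a small audit helper that reads the `dscl . list /Users UniqueID` output format (one "name uid" pair per line) and reports accounts that would be hidden from the login window on the macOS of that era (UID below 500), so an admin can confirm the management account is present and that no unexpected hidden accounts have appeared. The account names in the sample are constructed; on a Mac the real `dscl` command is piped in instead.

```shell
#!/bin/sh
# Added example (not from the thread): list login-window-hidden accounts from
# dscl-style output. Pre-10.10 macOS hides accounts with UID < 500 from the
# login window; a management user created with the jamf binary's -hiddenUser
# switch is one such account and is visible only via dscl, as the thread notes.

find_hidden_users() {
    # Read "name uid" lines on stdin. Print the ones with UID < 500 that are
    # not well-known Apple system accounts (root, daemon, nobody and the
    # underscore-prefixed service accounts), one "name uid" per line.
    awk '
        $2 ~ /^-?[0-9]+$/ && $2 + 0 < 500 \
        && $1 !~ /^_/ && $1 != "root" && $1 != "daemon" && $1 != "nobody" {
            print $1, $2
        }'
}

# Constructed sample in the format of `dscl . list /Users UniqueID`.
# "netadmin" is a hypothetical hidden management account; the rest are
# ordinary local users and system accounts.
SAMPLE_DSCL_OUTPUT='_spotlight 89
_www 70
daemon 1
nobody -2
root 0
netadmin 499
jsmith 501
admin 502'

# Run the audit over the constructed sample; returns the flagged lines.
audit_sample() {
    printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | find_hidden_users
}

# On a Mac, audit the live directory instead:
#   dscl . list /Users UniqueID | find_hidden_users

audit_sample
```

Running it against the sample prints only `netadmin 499`. Compare the result against the management account you expect to see; any other entry is worth a closer look. Later macOS releases can also hide an account through the `IsHidden` attribute regardless of UID, so on current systems the UID test alone is not sufficient.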


* Now this I could very well be wrong on, and again if JAMF wants to clarify, cool. I’d rather know what’s right than not. I don’t think Recon adds an account to your OS; all Recon really needs for an account is a user in the JSS to allow it to submit data when it runs. The manual (page 367 in the current 6 version) is somewhat vague to me about this setting in the management framework. What confuses me is that it says you need to select an account for machines not added to the JSS. Then what is it using to run Recon and submit data to the JSS if I don’t have a specified account and it’s a machine in the JSS? Is this what you see for a user with your dscl command, some secret account it adds? I just see the account I created with the binary in my base, but I do have an account specified in the framework as well and may not add an account if that’s set? That setting has probably been used way before I took over here...

* Yup, everything should log to jamf.log.

I probably haven’t answered it right either. I just want to make sure we’re telling people the right things. My official CCA training may be out of date being version 4.x.

Craig E

On 8/26/08 6:46 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:

According to my Casper bible it says this:

"If you would like computers that are imaged with this configuration to be managed by Casper and the JSS, enter the user name and password that allows access to this configuration via SSH in the fields labeled SSH username and SSH password"

Wudi from JAMF totally went over that too at the CCA training, and I am not quite sure if it actually creates the account or not.  I mean all you need is SSH to run, right? The account doesn't necessarily need a home directory since all the JAMF logs are piped out into like /var/jamf/jamf.log anyway right?

Because your framework is going to force SSH on, and recon will add the account, but when it adds the account I don't ever see an account show up in the Finder. I do see it, though, if I do a dscl . list /Users

I don't think I quite answered that question right either.

>>> "Ernst, Craig S." <ERNSTCS at uwec.edu> 08/26/08 6:23 PM >>>
As always on a managed machine you can see the jamf binary commands and their options by going into Terminal on a managed machine and typing:

/usr/sbin/jamf help

Or just

jamf help

Tom, I just want to make sure I'm understanding the comment below. Are you talking about the option for "Ensure that Computers Imaged with this Configuration are managed"? If that's configured it will create the hidden account? Or what are you referring to? I wasn't under the impression it did that, actually created the account, unless that was something new in 6.0. That option merely stored that account information in the JSS for that machine so it knew how to connect with the remote tools.

I know that if a machine has existing autorun data, imaging using prestaging, or when you are using Casper Imaging to image the computer you can enter that information into the Accounts tab. However, I don't think those options hide the account like the -hiddenUser switch does using the binary.

I've always kept a current copy of the binary around on a network share to run that command, but if there was an easier way that'd be cool...sort of.

Thanks,

Craig E


On 8/26/08 5:41 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:

Or

Better yet also add the ssh account into your configuration from Casper Admin as well.

