[Casper] Hidden SSH account
James Partridge
james.partridge at oucs.ox.ac.uk
Wed Aug 27 00:06:56 PDT 2008
On 27 Aug 2008, at 04:15, Danny Lee wrote:
>> sudo /usr/sbin/jamf createAccount -username netadmin -realname "Casper Administrator" \
>>   -password p@55w0rd -home /var/cadmin -shell "/bin/bash" -hiddenUser -admin
>
> This looks similar to what I have used to set up the hidden account,
> but Casper has been unable to use this account to manage our
> machines. I end up using an admin account that is not hidden to
> manage the machine and that seems to work. I think SSH is enabled for
> the hidden account but I am not totally sure. It just seems kinda
> pointless for the hidden account if it doesn't work.
Something wrong here, then. We add a hidden admin account to all our
managed machines (with a QuickAdd package generally) and it's
essential to the way things work, particularly because almost all end
users here are admins so can and will meddle. I agree with John Wetter
about the importance of using a hidden account. In fact I'd go further
and say that it's *essential* that the management account is hidden.
If it's visible then people mess with it. There are a couple of checks
you can do if this account isn't working for you:
First, try logging in as the hidden user ('netadmin', 'cadmin', or
whatever else you call it) on the client machine just to check it
works locally. I do this in Terminal with 'su netadmin' but you can
also do it from the login window, of course. If that works and your
JSS still can't connect to the machine then maybe the hidden user
password is garbled in the JSS. Pull up the machine in the JSS
inventory, click on 'Edit', and in the 'Computer Info' tab retype the
password in the 'Management Password' fields. I mention this even
though it seems obvious because we've had occasional problems in the
past with this field getting corrupted when using a QuickAdd package.
If you can log in as your 'netadmin' user locally, and you're sure the
credentials are correct in the JSS, then everything should work,
assuming that Remote Login is enabled on the client machines, of
course. Those are really the only criteria you need to satisfy.
Another big advantage of the hidden admin account is that you can use
the kickstart command to enable ARD for that user and set all the
necessary access privileges without this being visible to the end user
in System Preferences. We always do this with the user's permission
(extolling the virtues of remote access with ARD) so it's not a big
secret, but it's critical that they can't see and tamper with the
settings. They soon forget about it!
The specific command we use is: "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users netadmin -privs -all -restart -agent" but see <http://support.apple.com/kb/HT2370> for more info.
HTH, and apologies if all this is stating the obvious.
James
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
James Partridge
Systems Development & Support (Apple)
NSMS
Oxford University Computing Service
13 Banbury Road
Oxford OX2 6NN
Tel.: (01865) 273207
iChat: james.partridge at mac.com
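The checks James walks through above (the account exists and works locally, it is an admin, it is actually hidden, and Remote Login is on) as an added audit script, not code from James or from Casper. It assumes the macOS tools dscl, dsmemberutil and systemsetup; the "netadmin" name, the admin check via dsmemberutil, and the hidden criteria (IsHidden attribute or UID below 500) are assumptions.

```shell
#!/bin/sh
# Added audit script, not James's code: verifies the criteria he lists for
# a working hidden management account on a client. Assumes macOS tools
# dscl, dsmemberutil and systemsetup; the account name "netadmin" is only
# a default. Usage: sudo sh audit.sh --run netadmin

# Thin wrappers around the macOS tools, kept separate so the checks
# can be exercised with stubbed output when not on a Mac.
ds_read() { dscl . -read "/Users/$1" "$2" 2>/dev/null; }
is_admin_member() { dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null; }
remote_login_state() { systemsetup -getremotelogin 2>/dev/null; }

# dscl exits non-zero when the user record does not exist.
account_exists() { ds_read "$1" RecordName >/dev/null; }

# dsmemberutil prints "user is a member of the group" on success.
account_is_admin() {
  case "$(is_admin_member "$1")" in *"is a member"*) return 0 ;; *) return 1 ;; esac
}

# Hidden if the IsHidden attribute is set, or the UID is below 500,
# which the login window does not list (assumed criteria).
account_is_hidden() {
  hidden=$(ds_read "$1" IsHidden | awk '{print $2}')
  uid=$(ds_read "$1" UniqueID | awk '{print $2}')
  [ "$hidden" = "1" ] && return 0
  [ -n "$uid" ] && [ "$uid" -lt 500 ]
}

# systemsetup prints "Remote Login: On" when sshd is enabled.
remote_login_on() {
  case "$(remote_login_state)" in *": On"*) return 0 ;; *) return 1 ;; esac
}

# Runs every check, prints one line per result and returns the number of
# failures, so a non-zero exit can drive a policy or monitoring job.
audit_management_account() {
  failures=0
  for check in account_exists account_is_admin account_is_hidden; do
    if "$check" "$1"; then echo "ok   $check"; else echo "FAIL $check"; failures=$((failures + 1)); fi
  done
  if remote_login_on; then echo "ok   remote_login_on"; else echo "FAIL remote_login_on"; failures=$((failures + 1)); fi
  return "$failures"
}

# Only run when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_management_account "${2:-netadmin}"; fi
```

A password that is wrong in the JSS is not visible from the client side; if every check here passes, the Management Password fields in the JSS are the next thing to retype.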