-
Notifications
You must be signed in to change notification settings - Fork 2
/
SSHManagement.pkginfo
137 lines (121 loc) · 4.24 KB
/
SSHManagement.pkginfo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>_metadata</key>
<dict>
<key>created_by</key>
<string>kevinmcox</string>
<key>creation_date</key>
<date>2022-04-08T11:12:44Z</date>
<key>munki_version</key>
<string>5.6.4.4406</string>
<key>os_version</key>
<string>12.3.1</string>
</dict>
<key>autoremove</key>
<false/>
<key>catalogs</key>
<array>
<string>live</string>
</array>
<key>category</key>
<string>NoPkg</string>
<key>description</key>
<string>Manages the Remote Login / SSH process on macOS.</string>
<key>developer</key>
<string>Armin Briegel</string>
<key>display_name</key>
<string>SSH Management</string>
<key>icon_name</key>
<string>Terminal.png</string>
<key>installcheck_script</key>
<string>#!/bin/bash
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/munki export PATH
# Original Script by Armin Briegel
# http://scriptingosx.com/2014/12/control-ssh-access-with-munki-nopkg-scripts/
# This will run as a munki install_check script.
# Exit status of 0 means install needs to run.
# Exit status of 1 means no installation necessary.
ssh_group="com.apple.access_ssh"
# Is SSH enabled?
if [[ $(systemsetup -getremotelogin) = 'Remote Login: Off' ]]; then
echo 'Remote login is off, install needed.'
exit 0
fi
# Does a group named "com.apple.access_ssh" exist?
if [[ $(dscl /Local/Default list /Groups | grep "${ssh_group}-disabled" | wc -l) -eq 1 ]]; then
echo "Access set to 'All Users' install needed."
exit 0
elif [[ $(dscl /Local/Default list /Groups | grep "$ssh_group" | wc -l) -eq 0 ]]; then
echo "No group '$ssh_group' install needed."
exit 0
fi
# Does the group contain the admin group?
admin_uuid=$(dsmemberutil getuuid -G admin)
if [[ $(dscl /Local/Default read Groups/com.apple.access_ssh NestedGroups | grep "$admin_uuid" | wc -l) -eq 0 ]]; then
echo 'Admin group not nested in $ssh_group, install needed.'
exit 0
fi
echo "Everything seems as it should be, no install needed."
exit 1</string>
<key>installer_type</key>
<string>nopkg</string>
<key>minimum_os_version</key>
<string>11.0</string>
<key>name</key>
<string>SSHManagement</string>
<key>postinstall_script</key>
<string>#!/bin/bash
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/munki export PATH
# Original Script by Armin Briegel
# http://scriptingosx.com/2014/12/control-ssh-access-with-munki-nopkg-scripts/
# Executed if needed to enable SSH after the install check script is run.
ssh_group="com.apple.access_ssh"
# enable ssh
if [[ $(systemsetup -getremotelogin) = 'Remote Login: Off' ]]; then
echo "Turning on Remote Login/SSH."
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
fi
# Does a group named "com.apple.access_ssh" exist?
if [[ $(dscl /Local/Default list /Groups | grep "${ssh_group}-disabled" | wc -l) -eq 1 ]]; then
#rename this group
echo "Renaming group '${ssh_group}-disabled'"
dscl localhost change /Local/Default/Groups/${ssh_group}-disabled RecordName ${ssh_group}-disabled $ssh_group
elif [[ $(dscl /Local/Default list /Groups | grep "$ssh_group" | wc -l) -eq 0 ]]; then
# create group
echo "Creating group $ssh_group"
dseditgroup -o create -n "/Local/Default" -r "Remote Login Group" -T group $ssh_group
fi
# does the group contain the admin group?
admin_uuid=$(dsmemberutil getuuid -G admin)
if [[ $(dscl /Local/Default read Groups/$ssh_group NestedGroups | grep "$admin_uuid" | wc -l) -eq 0 ]]; then
echo "Adding admin group to $ssh_group"
dseditgroup -o edit -n "/Local/Default" -a admin -t group $ssh_group
fi
exit 0</string>
<key>unattended_install</key>
<true/>
<key>unattended_uninstall</key>
<true/>
<key>uninstall_method</key>
<string>uninstall_script</string>
<key>uninstall_script</key>
<string>#!/bin/sh
echo "Disabling Remote Login/SSH..."
launchctl unload -w /System/Library/LaunchDaemons/ssh.plist</string>
<key>uninstallable</key>
<true/>
<key>uninstallcheck_script</key>
<string>#!/bin/bash
if [[ $(systemsetup -getremotelogin) = 'Remote Login: On' ]]; then
echo "Remote Login/SSH needs to be disabled."
exit 0
else
echo "Remote Login/SSH is already disabled, no action needed."
exit 1
fi</string>
<key>version</key>
<string>2.0</string>
</dict>
</plist>