I have two groups,
As the name suggestes i want only ssh login permitted to the first group of users and only gui login permitted to the next group of users.
Is it possible?
MacBook Pro, OS X Mountain Lion (10.8.3)
You can manage which users have access to Remove Login (SSH) by selecting this service in the Sharing system preferences, and then clicking the "Only these users" radio button and populating the list with the usernames (or groups) that you would like to allow SSH access.
Unfortunately there is no way to prevent a user from logging in. Apple includes "Sharing Only" account options that are meant for this purpose, but I believe SSH sessions require an account that has a home folder environment (I'm not sure about this, but I believe it is the case).
You can try creating a sharing only account and then adding it to your sshonly group, and then only enable this group in the Remote Login service to see if you can grant it SSH access this way, but if not then I believe there is only a partial answer to your request, which only allowing some users SSH access, though all users will have local login access.
You can manage which users have access to Remove Login (SSH) by selecting this service in the Sharing system preferences, and then clicking the "Only these users" radio button and populating the list with the usernames (or groups) that you would like to allow SSH access.
Unfortunately there is no way to prevent a user from logging in. Apple includes "Sharing Only" account options that are meant for this purpose, but I believe SSH sessions require an account that has a home folder environment (I'm not sure about this, but I believe it is the case).
You can try creating a sharing only account and then adding it to your sshonly group, and then only enable this group in the Remote Login service to see if you can grant it SSH access this way, but if not then I believe there is only a partial answer to your request, which only allowing some users SSH access, though all users will have local login access.
I found there is an option to allow restricted users for remote access, so that solves the guionly problem, because they cannot ssh.
But is there a way to enforce the the ssh only option (I mean disabling the GUI login)?
Trying...
Ok Solved it. This is what i did.
Create a user with "standard" previlage not "sharing only"
Because "sharing only" user has no shell or no home directory. You need both of that for ssh login.
Select the user/group in remote access option system preferences -> sharing
Dont select the user đ
Default enabled, so dont have to do anything again
$ sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE$ sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array $USERNAME$ sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSEAh I see, it doesn't necessarily prevent the user from logging on, but simply doesn't list them at the login window.
Another approach is to play with /etc/sshd_config 'AllowGroups' option. You create a group for ssh users, then make sure that users allowed to use ssh are a member of that group.
See "man sshd_config", and some Google searching for examples.
Good point, though isnt this a bit redundant with the system's ssh user management in the Sharing system preferences? I guess the difference is Apple's approach is to restrict access by having a group called "access_ssh" in the OS X directory services to which SSH-enabled accounts can be added, wherease the classic approach you mentioned is to adjust the ssh daemon configuration itself.
Yes, it doesnt stop the gui access. I wonder if this is even possible in traditional linux machines.
But a good and easy solution though.
I agree with Tophler Kessler, it is better to change the sharing preference rather than tunning or changing the ssh daemon configuration.
Disable GUI/SSH Login for specific users
