This has been driving me nuts for the past several months but I hadn’t made the time to figure out the problem. Basically, the only account that could be used to ssh into our OS X server was the admin account. The admin account lives in the traditional Unix /etc/passwd database. Any account that was created via Workgroup Manager, like mine, (that is one that lives in Open Directory, OS X’s LDAP authentication database) wouldn’t work. As I said, this has been driving me nuts and I finally spent some time digging through the man pages, configuration files and log files to figure out what was going on.
It seems that a previous sysadmin had added the AllowUsers keywords to the sshd configuration file in /etc/sshd_config. On the AllowUsers line were listed the users who were able to connect via ssh. And wouldn’t you know, my account wasn’t listed.
I got to this point by reading through the /var/log/secure.log file to see what OS X was recording as the problem with connecting. There was one line in particular that stood out:
Jan 18 15:13:09 xyzzy sshd: User peter from 192.168.1.154 not allowed because not listed in AllowUsers
AllowUsers? That’s strange. I don’t remember anywhere in OS X that would use a convention like this to control the environment. But a quick search on Google shows that this was a keyword used in the sshd configuration file. Adding my account name to the list and I was able to ssh in without any problem. Oh yeah, life is good!
One cool side note, sshd didn’t have to be restarted. It’s smart enough to know the configuration file has changed. Makes it very easy to test configuration changes.
But modifying the /etc/sshd_config file every time I need to allow ssh access to someone isn’t an easy way to manage account priveleges on OS X. Looking a bit more at the sshd_config man page shows that there’s also a AllowGroup option. So I removed the AllowUsers line and replaced it with:
Then using the standard Workgroup Manager, I added a new group called ssh and put the various accounts that need ssh access into the group. Now any accounts that needs ssh access can easily be added (or removed) from the ssh group and sshd will automatically give them access.