Related to my last post, I needed to figure out a way to create local homes for SSH-only users automatically on their first login. If the Mac is bound to a directory server it can use the user’s network home if one has been specified, but sometimes that’s not what you want. There are two ways of achieving this functionality, and I’ll let you know what they are after the jump.
The quickest way to get this functionality is to first add a home check test in the /etc/sshrc file. This file is automatically executed for every SSH user after they log in. If the home check test fails, I simply have it create one. It would look something like this:
/bin/test -d "/Users/$USER"
if [ $? -ne 0 ]; then
    # No home directory yet: create it, then fix its owner and group
    /bin/mkdir "/Users/$USER"
    /usr/sbin/chown `id -u`:`id -g` "/Users/$USER"
fi
I found it necessary to chown the directory afterwards as the group of the home folder was always wrong, and it doesn’t hurt.
Normally non-administrator users cannot add a subdirectory inside /Users, so unless only administrators are SSH’ing in, you need to add an ACL to the /Users folder.
chmod +a "everyone allow add_subdirectory" /Users
The only downside to all of this is that the code inside /etc/sshrc does not run as part of the login process. This means that the first time an SSH user logs in, the login process will think that they have no home directory, and it will plop them at the root of the filesystem with an error message. You won’t be able to suppress the error message, but you can prevent them from ending up at the root by adding this line to the beginning of /etc/profile:
Do not fully specify the path for cd (i.e. /usr/bin/cd) as it won’t change directories. I’m not entirely sure why this is, but it’s something I noted.
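Because the ACL above lets every account create subdirectories in /Users, the /etc/sshrc check can also refuse a home path it did not create itself. The following is an added example, not the code from this post: the function name ensure_home and its base-directory argument are assumptions made so the check can be exercised outside /Users.

```shell
#!/bin/sh
# Added example: stricter first-login home creation for /etc/sshrc.
# ensure_home BASE USER creates BASE/USER with mode 0700 if it is missing.
# Return codes (chosen for this example): 0 ok, 2 bad name, 3 symlink,
# 4 existing directory owned by someone else, 5 mkdir failed.
ensure_home() {
    base=$1
    user=$2
    home="$base/$user"

    # Reject empty names and anything that could step outside BASE.
    case "$user" in
        ""|.|..|*/*) echo "refusing user name '$user'" >&2; return 2 ;;
    esac

    # test -d follows symlinks, so check for a link first.
    if [ -L "$home" ]; then
        echo "$home is a symlink, not creating a home" >&2
        return 3
    fi

    if [ -d "$home" ]; then
        # With "everyone allow add_subdirectory" the directory may have been
        # created by another account; only accept it if we own it.
        [ -O "$home" ] || { echo "$home is not owned by $user" >&2; return 4; }
        return 0
    fi

    # Plain mkdir (no -p) fails if the path appeared since the check above;
    # the subshell keeps the restrictive umask from leaking into the session.
    ( umask 077; mkdir "$home" ) || return 5

    # Same fix-up as in the post: the group of the new folder is often wrong.
    chown "$(id -u):$(id -g)" "$home"
}

# In /etc/sshrc this would be called as:
#   ensure_home /Users "$USER"
```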
The above isn’t the prettiest solution but it certainly is the easiest. The better way would be to create an authorization plug-in, and add it to /etc/authorization. I didn’t do that for two reasons: I don’t know how to write in C, and I didn’t have the time necessary to learn. If you would like to try doing it this way, the following Apple Developer page should be of help: