How can I create a user that can login through SSH but not on the local desktop in MacOS X El Capitan?

I would like to have a user account in my MacOS X El Capitan system which is limited to login through SSH. I do not want that user to be able to use the system through any other means, especially not on the local desktop. I would like that user not to be listed as a possible option when logging into the desktop.

Obviously the user needs to be allowed to access via SSH on the Sharing preferences menu. Setting the user's shell to /usr/bin/false, a usual way to disable login for users on MacOS X without deleting them, seems to disable SSH access as well as desktop access. Currently the only way I could come up with is setting a password for the user that the user doesn't know, but I suppose users could then change the password by themselves.

On Debian GNU/Linux for example I would be able to disable the password and/or login altogether. Is there something similar on MacOS?


Set up your new User as a Sharing Only account; this gives them no actual account on the computer itself that they can log into…

System Prefs > Users & Groups

  1. Click the lock
  2. Click the + sign to add a new User
  3. Set the new account to sharing only from the drop menu [stepped out on the pic for clarity]


Ref : Apple KB - OS X Yosemite: Create a sharing-only user account

After Comments...
Apparently, this works, but only in combination with some other tweaks.

You need to set up a new group, 'remote users'.
Add your sharing only user to that, then add that group to Remote Login.

It seems that Sharing Only users by default have the shell /usr/bin/false and the home directory /dev/null.
Both of these values seem to be magic values for some PAM modules to block the user from connecting.
You have to change both and have the user added to the remote users group to make it work.
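
The steps described in the answer above, written out as commands (an added example, not part of the original answer). It assumes the Sharing Only account already exists and that Remote Login is set to "Only these users"; the account name `sshonly`, the group name `remoteusers`, the shell `/bin/bash` and the home `/var/empty` are assumed values. By default it only prints the commands; set `APPLY=1` and run as root to execute them.

```shell
#!/bin/sh
# Added example: command-line form of the steps in the answer above.
# Assumed values (not from the page): user "sshonly", group "remoteusers",
# shell /bin/bash, home /var/empty.
# com.apple.access_ssh is the group macOS consults when Remote Login is
# restricted to "Only these users".

# run CMD...: print the command; execute it only when APPLY=1 (needs root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# ssh_only_plan USER GROUP SHELL HOME
ssh_only_plan() {
    user=$1 group=$2 shell=$3 home=$4
    # Refuse the two default values the answer says block the connection.
    [ "$shell" != "/usr/bin/false" ] || { echo "shell is still /usr/bin/false" >&2; return 1; }
    [ "$home" != "/dev/null" ] || { echo "home is still /dev/null" >&2; return 1; }
    # Replace the Sharing Only defaults for shell and home directory.
    run dscl . -create "/Users/$user" UserShell "$shell"
    run dscl . -create "/Users/$user" NFSHomeDirectory "$home"
    # Create the group, add the user to it, then nest it in the SSH access group.
    run dseditgroup -o create "$group"
    run dseditgroup -o edit -a "$user" -t user "$group"
    run dseditgroup -o edit -a "$group" -t group com.apple.access_ssh
}

ssh_only_plan sshonly remoteusers /bin/bash /var/empty
```

Afterwards, `dscl . -read /Users/sshonly UserShell NFSHomeDirectory` shows whether both values were actually changed.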


You can create a low-numbered user via dscl, as per this Apple support page, and it will be hidden from most views.

Also, I believe that if you set the user home directory to something like /var/empty then ssh will log in but the GUI will not.