Skip to main content
Answer

How to hash a password

  • May 23, 2012
  • 10 replies
  • 39 views
donmontalvo
Forum|alt.badge.img+36

Is there a command or tool we can use to create a password hash so it can be used in a script for JSS?

In the "old days" (pre 8.4) when Recon used to spit out QuickAdd installers with postflight scripts that included hashed passwords, we were a couple'a clicks away from hashing passwords.

But now that QuickAdd "enrolls" computers, we lost that nugget.

So what's the best way to turn a password into a hash? Is there a command line trick? Or is there a GUI doohicky that can do the trick? I guess I'm not a hash guru (never touched the stuff myself although my buddies did when I was stationed in Turkey...but I digress...), figured I'd check in with the group.

Thanks,
Don

Best answer by mm2270

I'm not exactly sure what you're looking to do, but one of the following will create a hash of whatever is echoed through it-

echo "Password" | md5

echo "Password" | base64

Hopefully that is something you can use.

Edit: I would go with the md5 hash as that is surely more secure (although either one may be just fine depending on how you plan to use it)
Someone may also have better ideas.

Edit 2: Ok, another thought on this. If you just need to pass a password to a script being run from the JSS in a policy, another approach you can take is to assign the password to parameter 4 or whichever number you happen to like. That way its not hardcoded in the script itself, but managed by the JSS.
For example, in your script, include a section that defines a variable called 'Pass' to $4, like so:

Pass=""

if [ "$4" != "" ] && [ "$Pass" == "" ]; then
    Pass=$4
fi

Also a good idea to have a check in place in the script to be sure it has a password it can use, like this:

if [ "$Pass" == "" ]; then
    echo "Error:  The parameter 'Pass' is blank.  Please specify a value."
    exit 1
fi

When you upload your script in Casper Admin (after thorough testing) make sure to assign the label for parameter 4 as "Password" or something like that. When you later assign it to a policy, the "Password" label will show up. Make sure you enter the actual password in that section. When the script runs, the JSS will send that password down to the script, since the script knows it should be looking at $4 for the actual password.

Make sense?

--https://donmontalvo.com

    10 replies

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • Answer
    • May 23, 2012

    I'm not exactly sure what you're looking to do, but one of the following will create a hash of whatever is echoed through it-

    echo "Password" | md5

echo "Password" | base64

    Hopefully that is something you can use.

    Edit: I would go with the md5 hash as that is surely more secure (although either one may be just fine depending on how you plan to use it)
    Someone may also have better ideas.

    Edit 2: Ok, another thought on this. If you just need to pass a password to a script being run from the JSS in a policy, another approach you can take is to assign the password to parameter 4 or whichever number you happen to like. That way its not hardcoded in the script itself, but managed by the JSS.
    For example, in your script, include a section that defines a variable called 'Pass' to $4, like so:

    Pass=""

if [ "$4" != "" ] && [ "$Pass" == "" ]; then
    Pass=$4
fi

    Also a good idea to have a check in place in the script to be sure it has a password it can use, like this:

    if [ "$Pass" == "" ]; then
    echo "Error:  The parameter 'Pass' is blank.  Please specify a value."
    exit 1
fi

    When you upload your script in Casper Admin (after thorough testing) make sure to assign the label for parameter 4 as "Password" or something like that. When you later assign it to a policy, the "Password" label will show up. Make sure you enter the actual password in that section. When the script runs, the JSS will send that password down to the script, since the script knows it should be looking at $4 for the actual password.

    Make sense?

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • May 23, 2012

    @Don
    Yeah some background would help on this.

    @mm2270
    Generally, MD5's got serious weaknesses. Pick something from the SHA-2 family. Obviously that'll depend if what Don needs can use something in SHA-2...

    R
    Forum|alt.badge.img+13

    i think what don's talking about is the same type of simple hashing present in quick add packages.

    so, something that you can pass to the jamf binary when creating an account, like "-passhash '%c4%cf%de%cb%cc%c7%cf%c4'."

    it looks to me like url encoded hex values, but i never got confirmation of that from jamf. being able to programmatically replicate what the jamf binary expects would be convenient.

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • May 23, 2012
    being able to programmatically replicate what the jamf binary expects would be convenient.

    Indeed

    donmontalvo
    Forum|alt.badge.img+36
    • donmontalvo
    • Author
    • Hall of Fame
    • May 23, 2012

    @mm2270 Thanks, I'll test both solutions and will post results.

    I'm not exactly sure what you're looking to do, but one of the following will create a hash of whatever is echoed through it-K 
    echo "Password" | md5

echo "Password" | base64
    Hopefully that is something you can use.

    @jarednichols We are working on a script that will need to use a password that we need to keep secured. Unfortunately I can't post the specifics on an open forum. :)

    @rockpapergoat You hit the nail on the head. The old QuickAdd (pre-8.43, we jumped from 7.31) gave you hashes...now with enrollment, no more hashes. I guess I just need to see if the hash is MD5 or SHA-2 (as recommended by Jared), will post result.

    --https://donmontalvo.com
    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • May 23, 2012

    @Don, have you accounted for how you will decrypt the password later? If something that your script is passing the hashed password on to is expecting the actual password, how will that work? I'm not very well versed on these things, so just kind of talking out loud here.
    I see that openssl has functions to encrypt and later decrypt a passphrase with the use of a known key. That may be something to look at as well. Again, not sure how secure this really needs to be for you.

    @Jared- thanks for the info on md5. As I said above, I'm not the most well versed on these things. Any suggested reading you can recommend that will give me some primers on this stuff? (I do want to learn more) Preferably something that won't make my head explode? :)

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • May 23, 2012
    Preferably something that won't make my head explode? :)

    That's the hard bit, you see :) You're going to end up down a Wikipedia wormhole (where you start at one article and end up at another article hours later) but the cryptography article is a good one to start with: http://en.wikipedia.org/wiki/Cryptography

    Once you have a handle on that (in particular symmetric encryption vs PKI) move on to understanding the different algorithms that are out there.

    donmontalvo
    Forum|alt.badge.img+36
    • donmontalvo
    • Author
    • Hall of Fame
    • May 23, 2012

    I vote we donate Jared's brain to science...LOL

    --https://donmontalvo.com
    E
    Forum|alt.badge.img+21
    • ernstcs
    • Contributor
    • May 23, 2012

    If you're looking to deal with passwords for things JAMF related, you can still get that out of Casper Imaging and the FirstRun script it generates. You create the account on the accounts tab with the information you want with a custom install, and when you use Casper Imaging just make sure you don't boot to Macintosh HD after imaging, dig down to the location of the FirstRun script (system/library/startupitems/Firstrun) and crack that open. You should see the line the binary will use to create the account.

    donmontalvo
    Forum|alt.badge.img+36
    • donmontalvo
    • Author
    • Hall of Fame
    • May 23, 2012

    @ernstcs Thanks for the tip, was hoping to avoid all those steps. If the command line works, we'll ask the requestor to run and provide us with hash to put into the script. :)

    --https://donmontalvo.com
    Terms & ConditionsCookie settingsAccessibility statement