Create hidden account with Jamf binary - password security ?

May
Contributor III

Hi all

I need to create a hidden account with its home folder in /var/.
If I place the account password in a script, or add the full command including the password into Policy > Files and Processes, isn't this a huge security flaw?

/usr/local/bin/jamf createAccount -username <netadmin> -realname <"Network Administrator"> -password <p@55w0rd> -home </var/netadmin> -hiddenUser -admin

Can anyone suggest a way to deal with this?

Or if I use CreateUserPkg, is the password any more secure in a pkg on our JDS?

and...

Does adding -secureSSH to the end of the command make it so no other users can SSH on?

May
Contributor III

Looks like CreateUserPkg may be the way to go, thanks @rtrouton for the link.

The problem I have with this approach is that even if I specify a Home Directory path in /var/ it doesn't get created.
Does it not create home folders for UIDs under 500?

mm2270
Legendary Contributor III

CreateUserPkg isn't being maintained anymore and it now has known issues with the latest versions of OS X. One of those issues is that it's not creating accounts as hidden even if you specify it to do so.
However, you could use it as a start to get the base account in place, then run shell commands to move the account home dir and update the record in dscl (the NFSHomeDirectory path) into /var/ and make sure it's hidden. It's extra work, but at least you won't need to have the password in clear text in a script. Even if it's passed as a parameter it's not entirely safe.

May
Contributor III

Thanks,

I was thinking I could maybe use the /usr/local/bin/jamf createAccount command in a Policy > Files and Processes to create the account and home folder, then immediately update the account password with a Policy > Local Accounts > Reset Account Password.
Do you know if this would be a more secure way of creating the account from the JSS?

That said, I'm assuming there's no difference in how the password is sent between Files and Processes and Reset Account Password?

mm2270
Legendary Contributor III

That could work too. I would say, yes, there is a difference between Files and Processes and the Reset Account Password. With the former, the command shows up in the policy logs, including any password passed to it as a string, and may show up in the system.log of the target Mac, at least until the log is rolled.

The latter, to my knowledge, does not show any command in the jamf.log or policy log nor anything in the system.log, so I'm thinking using the Reset Account Password is much more secure.

May
Contributor III

Thanks for the help!

I just checked and Reset Account Password doesn't seem to show the password in any of the logs, whereas Files and Processes does, as you stated.
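A scripted version of the log check May describes, added here as an example (not code from the thread or from Jamf). It assumes the log line format and the sample paths are constructed for the demo; on a real Mac the functions would be pointed at /var/log/jamf.log and /var/log/system.log.

```shell
#!/bin/sh
# Added example, not from the thread: audit local Jamf and system logs for a
# "jamf createAccount" invocation that carries its -password value in clear
# text, the exposure mm2270 describes for Files and Processes. The log lines
# and paths below are constructed for the demo; on a real Mac point the
# functions at /var/log/jamf.log and /var/log/system.log instead.

# Print every matching line (file:lineno:...) with the password value masked,
# so the report itself does not re-leak the secret.
# Returns 0 if at least one clear-text password was found, 1 otherwise.
find_cleartext_password_lines() {
    hits=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        n=$(grep -c 'jamf createAccount.*-password ' "$f" || true)
        [ "$n" -gt 0 ] || continue
        hits=$((hits + n))
        grep -n 'jamf createAccount.*-password ' "$f" \
            | sed -e 's/\(-password \)[^ ]*/\1<REDACTED>/' -e "s|^|$f:|"
    done
    [ "$hits" -gt 0 ]
}

# Returns 0 if the literal secret appears anywhere in the given files
# (a direct check that a known password did not land on disk in a log).
secret_in_logs() {
    secret=$1; shift
    grep -Fq -- "$secret" "$@" 2>/dev/null
}

# Constructed sample logs: jamf.log records a Files and Processes command
# verbatim, password included; system.log holds only an unrelated entry.
make_sample_logs() {
    cat > "$1/jamf.log" <<'EOF'
Tue Mar 10 09:41:02 mac-001 jamf[812]: Executing Policy Create hidden netadmin
Tue Mar 10 09:41:02 mac-001 jamf[812]: Running command /usr/local/bin/jamf createAccount -username netadmin -realname "Network Administrator" -password p@55w0rd -home /var/netadmin -hiddenUser -admin...
EOF
    cat > "$1/system.log" <<'EOF'
Mar 10 09:41:05 mac-001 kernel[0]: constructed unrelated entry
EOF
}

demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
find_cleartext_password_lines "$demo_dir/jamf.log" "$demo_dir/system.log" \
    || echo "no clear-text createAccount password in logs"
```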