create hidden admin account ( without casper )

eftech
New Contributor

Hi folks,

It's early days where I am on the Casper front, so as much as I'd like to, I can't use it to help me here.

I need to create a hidden local admin. I'm fully aware of the script required for this and have that all in place; my one issue is that I really don't want to embed the password as clear text in the shell script.

My thoughts are to obfuscate with Platypus; it's not 100% secure, but it's better.

Before I attempt to re-invent the wheel, I thought I'd ask, just in case I've missed a trick.

Thanks,

j.

1 ACCEPTED SOLUTION

rickgmac
Contributor

There is a pkg already out there from the instaDMG project which allows you to create users. The Lion version will shadow hash your password and can allow you to hide the user and change defaults like home folder location.

http://instadmg.googlecode.com/svn/trunk/AddOns/createUser/

8 REPLIES 8

eftech
New Contributor

Thanks, looks great... other than the pkgs show as directories, rather than downloadable .pkg..

?

rtrouton
Release Candidate Programs Tester

Run the following command in Terminal to download the InstaDMG files:

svn checkout http://instadmg.googlecode.com/svn/trunk/ instadmg-read-only

A new folder named instadmg-read-only should download and appear in your home folder. Open instadmg-read-only and go to AddOns/createUser. The createUser packages will be there, along with the README file.

eftech
New Contributor

nice... :) thanks all folks.. right, back to coal face...

donmontalvo
Esteemed Contributor III

@eftech The old QuickAdd installers (pre-8.4?) used a hash for the hidden admin account. This thread has me wondering, was it a security concern then? :)

I started a similar thread:

https://jamfnation.jamfsoftware.com/discussion.html?id=4537

@rtrouton The instadmg script looks like art...but is it easier than using a hash and leveraging the jamf binary command createUser? Just curious since we have several projects spun up that involve embedding hashed passwords into scripts.

Don

--
https://donmontalvo.com

rockpapergoat
Contributor III

I don't think using the createuser method is easier, just a different way to achieve the same results. If anything, it's more flexible, since it doesn't rely on the jamf tools to be in place. You can use that approach in a number of different deployment scenarios, not just triggered via Casper policy, etc.

I've never seen documentation on how jamf hashes its passwords used in the QuickAdd scripts, but my guess is it's weak, at best. I'd rather use a baked-in, already hashed password as the OS expects it. The createuser script just drops it into the account's plist as the OS would.

donmontalvo
Esteemed Contributor III

I just tested and for some reason the UID of the hidden user is over 500:

/usr/sbin/jamf createAccount -username jdoe -realname jdoe -passhash xxxxxxxxxxxx -home /private/var/jdoe -admin -hiddenuser

The account is created, the home directory is created, we can log on fine...but the account is visible and has UID over 500. :(

Am I missing something?

[EDIT] Ok, in the rush to get out for the long weekend I found the issue...typo, should have been "-hiddenUser"...works fine...happy Memorial Day to all the vets![/EDIT]

Don

--
https://donmontalvo.com
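The post above hinges on two things that make an account invisible on these OS versions: a UID below 500 and a home folder outside /Users. The audit helper below, an added example that is not from this thread or from Jamf, reads the same dscl listings an admin would check by hand and flags admin-group accounts that match either criterion, so you can confirm what a deployment actually created. Function names and the sample data are constructed for the example.

```shell
# Audit helper: flag local admin accounts hidden the way this thread does it
# (UID below 500, home folder outside /Users). Added example, not from the
# thread or from Jamf. Inputs are the text dscl prints for:
#   dscl . -list /Users UniqueID                -> "name uid" per line
#   dscl . -list /Users NFSHomeDirectory        -> "name home" per line
#   dscl . -read /Groups/admin GroupMembership  -> admin names (after the colon)
flag_hidden_admins() {
    printf '%s\n' "$1" | awk -v homes="$2" -v admins=" $3 " '
    BEGIN {
        n = split(homes, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, " "); home[f[1]] = f[2] }
    }
    # skip blank lines, Apple service accounts (_name) and well-known system users
    $1 == "" || $1 ~ /^_/ || $1 == "root" || $1 == "daemon" || $1 == "nobody" { next }
    {
        name = $1; uid = $2 + 0
        if (index(admins, " " name " ") == 0) next      # not in the admin group
        reason = ""
        if (uid < 500) reason = "uid<500"
        if (home[name] !~ /^\/Users\//)
            reason = reason (reason != "" ? "," : "") "home=" home[name]
        if (reason != "") print name, uid, reason
    }'
}

# Live run on a Mac (dscl is macOS-only); returns non-zero elsewhere.
audit_local_admins() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found: not macOS?" >&2; return 1; }
    flag_hidden_admins "$(dscl . -list /Users UniqueID)" \
                       "$(dscl . -list /Users NFSHomeDirectory)" \
                       "$(dscl . -read /Groups/admin GroupMembership | cut -d: -f2-)"
}

# Constructed sample in the shape dscl prints; jdoe mirrors the account
# created in this thread (UID under 500, home under /private/var).
SAMPLE_UIDS='root 0
_mbsetupuser 248
daemon 1
jdoe 499
alice 501
bob 502'
SAMPLE_HOMES='root /var/root
_mbsetupuser /var/setup
daemon /var/root
jdoe /private/var/jdoe
alice /Users/alice
bob /Users/bob'
SAMPLE_ADMINS='root jdoe alice'

flag_hidden_admins "$SAMPLE_UIDS" "$SAMPLE_HOMES" "$SAMPLE_ADMINS"
```

On the sample this prints only jdoe (UID 499, home under /private/var); alice is an admin but visible, and bob is not an admin. Newer OS X releases can also hide a user with the IsHidden attribute, which this check does not cover.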

hunter99
New Contributor

I've used the jamf createAccount that donmontalvo referenced above to create a local admin, except I used sudo since I am running 9.4. The question I have is this: is there a way to add to this so it will use an existing home folder instead of erroring out that the user exists?

I have a home folder with all of the settings I need packaged as well as 2 other folders that are dropped in. These are all set to deploy for imaging but I really want to use the create user to avoid building a local admin into the image. I'll be honest I am not the best at scripting (learning) and am still getting the hang of terminal (getting much better). I just got stuck on this.

I have also tried scripting to create the account, which worked, but it fails when I try to use an existing folder.