Hello All,

Just doing a little digging on JAMFNation in setting up our Self Service Portal, came across a script from Andrina Kelly (below) and her 2013 JNUC Presentation. Essentially, I'm looking to add perhaps an authentication hook to ensure that end-users are "indeed" entering their updated password instead of avoiding a mistaked keystroke. Perhaps a test map to a server or something.

Any advice or resources are warmly welcome! Thank you.

!/bin/bash

############################################################

Created By: Andrina Kelly, andrina.kelly@bellmedia.ca, Ext 4995

Creation Date: July 2013

Last modified: July 25th, 2013

Brief Description: Deletes the users login.keychain, and creates a new keychain

############################################################

Set CocoaDialog Location

CD="/Path/to/CocoaDialog.app/Contents/MacOS/CocoaDialog"

Find out who's logged in

USER=who | grep console | awk '{print $1}'

Get the name of the users keychain - some messy sed and awk to set up the correct name for security to like

KEYCHAIN=su $USER -c "security list-keychains" | grep login | sed -e 's/"//g' | sed -e 's/// /g' | awk '{print $NF}'

Go delete the keychain in question...

su $USER -c "security delete-keychain $KEYCHAIN"

Ask the user for their login password to create a new keychain

rv=($($CD secure-standard-inputbox --title "Set New Keychain Password" --no-newline --informative-text "Enter your current login password"))
PASSWORD=${rv[1]}

Create the new login keychain

expect <<- DONE
set timeout -1
spawn su $USER -c "security create-keychain login.keychain"

# Look for prompt
expect "?chain:"
# send user entered password from CocoaDialog
send "$PASSWORD
"
expect "?chain:"
send "$PASSWORD
"
expect EOF
DONE

Set the newly created login.keychain as the users default keychain

su $USER -c "security default-keychain -s login.keychain"

Page 1 / 1

@ruschg Are these Macs joined to an Active Directory domain, in range of a DC when this is run, and the user account its being run from is AD based?
If the answer to all of those is yes, I would look at using ldapsearch using the user's Distinguished Name to see if it can do a lookup against its own account, or an account you know is always there, like a service account in AD, for example. If this is successful using the user's entered password, then its the right password since ldapsearch would fail if the password entered is wrong.

@ruschg Have you looked at also deleting Local Items &/or ADPassMon?

@mm2270 and @bentoms - many thanks for your responses. With these ideas in mind, I believe I'm all set.

@bentoms - this made my day: "But if I had a £ for every Keychain call…"

@ruschg Haha glad you like it & that we could help :)

!/bin/bash

############################################################

Created By: Andrina Kelly, andrina.kelly@bellmedia.ca, Ext 4995

Creation Date: July 2013

Last modified: July 25th, 2013

Brief Description: Deletes the users login.keychain, and creates a new keychain

############################################################

Set CocoaDialog Location

Find out who's logged in

Get the name of the users keychain - some messy sed and awk to set up the correct name for security to like

Go delete the keychain in question...

Ask the user for their login password to create a new keychain

Create the new login keychain

Set the newly created login.keychain as the users default keychain

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded