Posted on 10-30-2015 07:49 AM
Hello All,
Just doing a little digging on JAMFNation in setting up our Self Service Portal, came across a script from Andrina Kelly (below) and her 2013 JNUC Presentation. Essentially, I'm looking to add perhaps an authentication hook to ensure that end-users are "indeed" entering their updated password instead of avoiding a mistaken keystroke. Perhaps a test map to a server or something.
Any advice or resources are warmly welcome! Thank you.
#!/bin/bash
CD="/Path/to/CocoaDialog.app/Contents/MacOS/CocoaDialog"
# Currently logged-in console user
USER=$(who | grep console | awk '{print $1}')
# Path of that user's login keychain, reduced to its file name (login.keychain)
KEYCHAIN=$(su "$USER" -c "security list-keychains" | grep login | sed -e 's/"//g' | sed -e 's/\// /g' | awk '{print $NF}')
su "$USER" -c "security delete-keychain $KEYCHAIN"
# Prompt for the current login password; CocoaDialog returns (button, text)
rv=($($CD secure-standard-inputbox --title "Set New Keychain Password" --no-newline --informative-text "Enter your current login password"))
PASSWORD=${rv[1]}
# Drive the interactive keychain creation with expect, answering both password prompts
expect <<- DONE
set timeout -1
spawn su $USER -c "security create-keychain login.keychain"
# Look for prompt
expect "?chain:"
# send user entered password from CocoaDialog
send "$PASSWORD\r"
expect "?chain:"
send "$PASSWORD\r"
expect EOF
DONE
su "$USER" -c "security default-keychain -s login.keychain"
Posted on 10-30-2015 08:25 AM
@ruschg Are these Macs joined to an Active Directory domain, in range of a DC when this is run, and the user account it's being run from is AD based?
If the answer to all of those is yes, I would look at using ldapsearch using the user's Distinguished Name to see if it can do a lookup against its own account, or an account you know is always there, like a service account in AD, for example. If this is successful using the user's entered password, then it's the right password since ldapsearch would fail if the password entered is wrong.
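The ldapsearch check suggested above, written out as an added example (this is not code from the thread or from Andrina Kelly's script): a simple bind as the user against AD, run before the keychain is deleted. The user's DN, the ldaps:// URI and the LDAPSEARCH_BIN override are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): confirm the password the user typed by
# performing an LDAP simple bind against Active Directory as that user, so the
# login keychain is only deleted and recreated once the password is known to
# be correct. Assumed inputs: the user's Distinguished Name and an ldaps:// URI.
# LDAPSEARCH_BIN lets a test point at a stub instead of the real ldapsearch.

# verify_ad_password BIND_DN PASSWORD LDAP_URI
# Returns 0 when the bind succeeds, 1 on invalid credentials (LDAP result 49),
# and 2 for anything else (bad DN, missing tool, DC unreachable) so an outage
# is never reported to the user as "wrong password".
verify_ad_password() {
  local bind_dn="$1" password="$2" ldap_uri="$3" pwfile rc
  if [ -z "$bind_dn" ] || [ -z "$password" ] || [ -z "$ldap_uri" ]; then
    return 2
  fi
  # Pass the password via a 0600 temp file (-y) rather than -w, which would
  # expose it in the process list while ldapsearch runs. printf '%s' avoids a
  # trailing newline, which -y would otherwise treat as part of the password.
  pwfile=$(mktemp) || return 2
  chmod 600 "$pwfile"
  printf '%s' "$password" > "$pwfile"
  # Read back the user's own entry; AD lets an authenticated user read itself.
  "${LDAPSEARCH_BIN:-ldapsearch}" -x -H "$ldap_uri" -D "$bind_dn" -y "$pwfile" \
      -b "$bind_dn" -s base '(objectClass=*)' dn >/dev/null 2>&1
  rc=$?
  rm -f "$pwfile"
  case "$rc" in
    0)  return 0 ;;
    49) return 1 ;;
    *)  return 2 ;;
  esac
}
```

Call verify_ad_password with the user's DN and the CocoaDialog-entered password before the `security delete-keychain` line, and abort unless it returns 0 (a return of 2 means the check itself could not run, not that the password was wrong).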
Posted on 10-30-2015 10:03 AM
@ruschg Have you looked at also deleting Local Items &/or ADPassMon?
Posted on 10-30-2015 10:19 AM
Posted on 10-30-2015 10:24 AM
@ruschg Haha glad you like it & that we could help :)