Posted on 10-11-2011 05:24 AM
I work for a School District and our admin password before we had JAMF was compromised and since then has been changed. But I believe while the students knew the admin password they enabled the root account on several computers.
How do I disable it remotely? I am fairly new to JAMF and scripting so if can please be detailed.
Thanks
Dave
Posted on 10-11-2011 06:17 AM
dsenable root
bash-3.2# dsenableroot help
dsenableroot:: Enable or disable root user with Directory Services. Version 10.5.3 Usage: dsenableroot [-d] [-u username] [-p password] [-r rootPassword] Example 1: dsenableroot Attempt to enable root account. Your username will be used. Both passwords will be prompted for. Example 2: dsenableroot -d -u username Attempt to disable root account. Only user password will be prompted for. In all cases passwords cannot be empty strings.
Also Casper has built in features to change passwords in the accounts tabs of machines scoped. You can do it from the web interface via policy.
-Tom
Posted on 10-11-2011 06:39 AM
The problem with "dsenableroot -d" for disabling root is that it prompts for a password. If you use the -u and -p arguments to pass username and password so it doesn't prompt for a password, you risk those credentials showing up in the process table in clear text. You also risk them being passed over the network in clear text unless you use a secure protocol for all your JSS client communication.
# remote the AuthenticationAuthority from the user's account dscl . delete /Users/root AuthenticationAuthority
# Put a single asterisk in the password entry, thus locking the acount. dscl . -create /Users/root Password '*'
We put the commands above in a policy script which is scoped appropriately.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov<mailto:walter.rowe at nist.gov>
301-975-2885
Posted on 03-05-2015 11:53 AM
what's the difference between doing
# remote the AuthenticationAuthority from the user's account dscl . delete /Users/root AuthenticationAuthority # Put a single asterisk in the password entry, thus locking the acount. dscl . -create /Users/root Password '*'
and
# Disable root login by setting root's shell to /usr/bin/false dscl . -create /Users/root UserShell /usr/bin/false
Posted on 09-07-2017 02:37 AM
@jwojda the first method disable all authentication, while the second one only disable logging in.
It's not a very complete response, but the first one is safer.