Encrypted Strings - with openSSL

pairjal
New Contributor II

Hi,

I tried to follow this script to make temp admin through self service:
https://github.com/kc9wwh/MakeMeAdminPy

But then I got stuck on getting the encrypted string from the script here:
https://github.com/brysontyrrell/EncryptedStrings

Anyone know how I can execute the below and get the result?

```bash
#!/bin/bash

# Use 'openssl' to create an encrypted Base64 string for script parameters
# Additional layer of security when passing account credentials from the JSS to a client

# Use GenerateEncryptedString() locally - DO NOT include in the script!
# The 'Encrypted String' will become a parameter for the script in the JSS
# The unique 'Salt' and 'Passphrase' values will be present in your script

function GenerateEncryptedString() {
    # Usage ~$ GenerateEncryptedString "String"
    local STRING="${1}"
    local SALT=$(openssl rand -hex 8)
    local K=$(openssl rand -hex 12)
    # printf rather than echo, so no trailing newline gets encrypted along with the string
    local ENCRYPTED=$(printf '%s' "${STRING}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
    echo "Encrypted String: ${ENCRYPTED}"
    echo "Salt: ${SALT} | Passphrase: ${K}"
}
```

Thanks,


maffettb
New Contributor III

Have you figured this out yet? I am also stumped...I gotta be missing something simple.

pairjal
New Contributor II

Hi @maffettb

No, I'm stuck on this. I tried to find a guide or some information, but none is available.

@mm2270 might be able to help?

Tribruin
Valued Contributor II

Haven't used this specific script, but it looks like the purpose of the encrypted strings function is to generate the encrypted password and hash/salt phrases. Looks like you will need to do a few steps:

Download the EncryptedString.sh script. The easiest way to generate the encrypted string is to edit the script at the bottom and add the following line:

```bash
GenerateEncryptedString "<<yourOrgAdminPassword>>"
```

You will get an output like:

```text
Encrypted String: U2FsdGVkX1900X/Nu7QM9lzaurWKLIwdbVQGO+UPHnA=
Salt: 74d17fcdbbb40cf6 | Passphrase: 39f273b3b7ec4f189a3963af
```

Edit the removeTempAdmin.py script and update lines 76 & 77 with the Salt and Passphrase from your generated output. (Don't forget to change line 75 to your local admin account; don't change the second part of the dictionary, as that will be passed via script arguments.)

Upload the script to Jamf and create the policy with that script. Put the encrypted string generated above in as Parameter 4.

maffettb
New Contributor III

Got it, thanks to you, but I had to slightly change stuff.
@pairjal After digging yesterday, I found another thread that explained how to run the .sh script and get an output, BUT it turns out that the .sh version doesn't correctly output the encrypted strings and will actually change your orgadmin password on you.

The python version of encrypted strings does work though but I couldn't figure out how to get any output until @RBlount pointed me in the right direction!

You just need to copy that first part of the Python script and add a line at the bottom following the Python script's usage syntax, and then you can run the script in Terminal.

```python
#!/usr/bin/python2.7

# Python wrapper for 'openssl' to create an encrypted Base64 string for script parameters
# Additional layer of security when passing account credentials from the JSS to a client

import subprocess

# Use GenerateEncryptedString() locally - DO NOT include in the script!
# The 'Encrypted String' will become a parameter for the script in the JSS
# The unique 'Salt' and 'Passphrase' values will be present in your script

def GenerateEncryptedString(inputString):
    '''Usage >>> GenerateEncryptedString("String")'''
    salt = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '8']).rstrip()
    passphrase = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '12']).rstrip()
    p = subprocess.Popen(['/usr/bin/openssl', 'enc', '-aes256', '-a', '-A', '-S', salt, '-k', passphrase],
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    encrypted = p.communicate(inputString)[0]
    print("Encrypted String: %s" % encrypted)
    print("Salt: %s | Passphrase: %s" % (salt, passphrase))

# The usage line added at the bottom (this is Python 2.7, as the shebang says):
GenerateEncryptedString("MyOrgAdminPassword")
```
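To show the whole flow Tribruin and maffettb describe end to end (generate the string locally, then decrypt it on the client with the salt and passphrase that live in the deployed script), here is an added Python 3 example; it is not code from the thread or from the EncryptedStrings/MakeMeAdminPy projects. It assumes an `openssl` binary on PATH (the thread's scripts hard-code /usr/bin/openssl), hands the passphrase to openssl through a hypothetical environment variable (`-pass env:`) instead of `-k` so it does not show up in the process argument list, and adds a helper that reads the salt back out of the Base64 blob, which makes clear that only the passphrase is secret.

```python
#!/usr/bin/env python3
"""Round trip of the EncryptedStrings scheme through the openssl CLI (added example)."""
import base64
import os
import shutil
import subprocess

# Assumption: an openssl binary is on PATH (the thread's scripts hard-code /usr/bin/openssl).
OPENSSL = shutil.which("openssl") or "/usr/bin/openssl"

# Hypothetical environment variable used to pass the passphrase via "-pass env:" instead of
# "-k", so the passphrase is not visible in a process listing's argument column.
PASS_ENV = "ENC_STRING_PASS"


def _openssl_enc(data, salt_hex, passphrase, decrypt=False):
    """Run 'openssl enc -aes256 -a -A -S <salt>' on data, encrypting or decrypting.

    Same cipher, salt handling and key derivation as the thread's scripts ("-k X" is
    shorthand for "-pass pass:X"), so output is interchangeable with them.
    """
    cmd = [OPENSSL, "enc", "-aes256", "-a", "-A", "-S", salt_hex, "-pass", "env:" + PASS_ENV]
    if decrypt:
        cmd.append("-d")
    env = dict(os.environ)
    env[PASS_ENV] = passphrase
    # stderr is captured because newer OpenSSL warns about the legacy key derivation.
    proc = subprocess.run(cmd, input=data, env=env,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True)
    return proc.stdout


def generate_encrypted_string(plaintext):
    """Local step (never shipped to clients): returns (encrypted_b64, salt_hex, passphrase_hex)."""
    salt_hex = subprocess.check_output([OPENSSL, "rand", "-hex", "8"]).decode().strip()
    passphrase = subprocess.check_output([OPENSSL, "rand", "-hex", "12"]).decode().strip()
    # No trailing newline on the plaintext, so the decrypted value is exactly the password.
    encrypted = _openssl_enc(plaintext.encode(), salt_hex, passphrase)
    return encrypted.decode(), salt_hex, passphrase


def decrypt_string(encrypted_b64, salt_hex, passphrase):
    """Client-side step: the policy passes encrypted_b64 as a script parameter, while
    salt_hex and passphrase are the values baked into the deployed script."""
    return _openssl_enc(encrypted_b64.encode(), salt_hex, passphrase, decrypt=True).decode()


def salt_from_encrypted_string(encrypted_b64):
    """The Base64 blob is OpenSSL's 'Salted__' magic, the 8-byte salt, then the ciphertext,
    so the salt is readable straight from the parameter; only the passphrase protects it."""
    raw = base64.b64decode(encrypted_b64)
    if raw[:8] != b"Salted__":
        raise ValueError("not an OpenSSL salted payload")
    return raw[8:16].hex()


if __name__ == "__main__":
    enc, salt, key = generate_encrypted_string("MyOrgAdminPassword")  # constructed sample value
    print("Encrypted String: %s" % enc)
    print("Salt: %s | Passphrase: %s" % (salt, key))
    print("Salt recovered from blob: %s" % salt_from_encrypted_string(enc))
    print("Round trip OK: %s" % (decrypt_string(enc, salt, key) == "MyOrgAdminPassword"))
```

Two things to keep in mind when wiring this into a policy: generate and decrypt with the same OpenSSL generation, because OpenSSL 1.1.0 changed the default digest behind `enc`'s password-to-key derivation from MD5 to SHA-256, so a string made on one machine may not decrypt on another; and passing the passphrase via the environment only keeps it out of argv, it is still readable by anyone who can inspect the process, and the decrypted value still exists on the client, which is the point tlarkin makes below.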

Achan121
New Contributor

@maffettb

Hey, just reading your response:

"You just need to copy that first part of the python script and add a line at the bottom following the python scripts usage syntax and then you can run the script in terminal."

Not sure what you mean by this. Can you provide me a screenshot, or walk me through it?

Sorry in advance for such a silly question.

tlarkin
Honored Contributor

Encrypted strings, while technically a mitigation, do not really get you the protections you think they might. In the end, simple tools like pstree can collect information on processes that will show code and positional parameters in clear text, meaning it would still be somewhat trivial to decrypt values. Not to mention, it still will get decrypted on disk for a small period of time. Tools like hunters.ai can easily detect these threats. In the end you should never pass credentials on the client endpoint for anything. Registration tokens and other way less risky types of credentials can be passed (and there is no choice sometimes) with a minimal accepted risk. Having gone through countless and various security and compliance audits in my 20 year career, it has become painfully obvious to me to avoid these types of workflows any chance you can.

In my opinion, you should spend your efforts on reworking your workflows so that you aren't passing credentials to the endpoint at all, versus spending all this effort to encrypt strings in every piece of code you deploy. To the best of my knowledge no tool out there does full E2EE where an agent will do a GET request and execute code locally on the device. If there is a tool that does this I would be happy to know! I still try to always enforce my personal rules of no curl scripts on the client side, no credentials on the client side, and always put security, threat models, and compliance into consideration when building workflows.

cole_seph
New Contributor II

Solid answer, @tlarkin.