Encrypted Strings - with openSSL
Posted on 10-24-2019 01:48 AM
Hi,
I tried to follow this script to make temp admin through self service:
https://github.com/kc9wwh/MakeMeAdminPy
But then I got stuck with getting the encrypted string from the script here:
https://github.com/brysontyrrell/EncryptedStrings
Anyone know how I can execute the below and get the result?
#!/bin/bash
# Use 'openssl' to create an encrypted Base64 string for script parameters
# Additional layer of security when passing account credentials from the JSS to a client

# Use GenerateEncryptedString() locally - DO NOT include in the script!
# The 'Encrypted String' will become a parameter for the script in the JSS
# The unique 'Salt' and 'Passphrase' values will be present in your script

function GenerateEncryptedString() {
    # Usage ~$ GenerateEncryptedString "String"
    local STRING="${1}"
    local SALT=$(openssl rand -hex 8)      # 8 random bytes = 16 hex chars, the salt size 'enc -S' expects
    local K=$(openssl rand -hex 12)        # 12 random bytes = 24 hex chars used as the passphrase
    local ENCRYPTED=$(echo "${STRING}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
    echo "Encrypted String: ${ENCRYPTED}"
    echo "Salt: ${SALT} | Passphrase: ${K}"
}
Thanks,
Posted on 10-31-2019 02:00 PM
Have you figured this out yet? I am also stumped... I gotta be missing something simple.
Posted on 11-01-2019 12:54 AM
Posted on 11-01-2019 05:31 AM
Haven't used this specific script, but it looks like the purpose of the encrypted strings function is to generate the encrypted password and hash/salt phrases. Looks like you will need to do a few steps:
Download the EncryptedString.sh script. The easiest way to generate the encrypted string is to edit the script at the bottom and add the following line:
GenerateEncryptedString "<<yourOrgAdminPassword>>"
You will get an output like:
Encrypted String: U2FsdGVkX1900X/Nu7QM9lzaurWKLIwdbVQGO+UPHnA=
Salt: 74d17fcdbbb40cf6 | Passphrase: 39f273b3b7ec4f189a3963af
Edit the removeTempAdmin.py script and update lines 76 & 77 with the Salt and Passphrase from your generated output. (Don't forget to change line 75 to your local admin account; don't change the second part of the dictionary, as that will be passed via script arguments.)
Upload the script to Jamf and create the policy with that script. Put the encrypted string generated above in as Parameter 4.
Posted on 11-01-2019 01:37 PM
Got it, thanks to you, but I had to slightly change stuff.
@pairjal After digging yesterday, I found another thread that explained how to run the .sh script and get an output BUT, it turns out that the .sh version doesn't correctly output the encrypted strings and will actually change your orgadmin password on you.
The Python version of encrypted strings does work though, but I couldn't figure out how to get any output until @RBlount pointed me in the right direction!
You just need to copy that first part of the Python script and add a line at the bottom following the Python script's usage syntax, and then you can run the script in Terminal.
#!/usr/bin/python2.7
# Python wrapper for 'openssl' to create an encrypted Base64 string for script parameters
# Additional layer of security when passing account credentials from the JSS to a client

import subprocess

# Use GenerateEncryptedString() locally - DO NOT include in the script!
# The 'Encrypted String' will become a parameter for the script in the JSS
# The unique 'Salt' and 'Passphrase' values will be present in your script

def GenerateEncryptedString(inputString):
    '''Usage >>> GenerateEncryptedString("String")'''
    salt = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '8']).rstrip()
    passphrase = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '12']).rstrip()
    # openssl reads the plaintext from stdin; salt and passphrase are passed as arguments
    p = subprocess.Popen(['/usr/bin/openssl', 'enc', '-aes256', '-a', '-A', '-S', salt, '-k', passphrase],
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    encrypted = p.communicate(inputString)[0]
    print("Encrypted String: %s" % encrypted)
    print("Salt: %s | Passphrase: %s" % (salt, passphrase))

# The line added at the bottom, following the usage syntax in the docstring,
# so that running the file in Terminal prints the three values
GenerateEncryptedString("MyOrgAdminPassword")
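Added example, not code from this thread or from the EncryptedStrings / MakeMeAdminPy projects: a shell script with both halves of the workflow the replies above describe, so the generate step (run locally, matching the bash and Python functions posted) and the decrypt step (what the client-side script does with the Jamf parameter) can be checked as a round trip before anything is uploaded. Two deliberate differences from the commands on the page: the key-derivation digest is pinned with '-md sha256', because OpenSSL 1.1.0 changed the default from MD5 to SHA-256 and a string encrypted with one version's default can fail to decrypt under another; and printf '%s' replaces echo, so the trailing newline is not encrypted along with the password. The function names and the sample value 'ExamplePassword123!' are constructed for this example.

```shell
#!/bin/bash
# Added example (not the thread's or either project's code): round trip of the
# "encrypted string" workflow, with the KDF digest pinned and no trailing newline.

# Encrypt side: run locally on the admin workstation, never shipped inside the script.
# Prints three lines: encrypted string, salt, passphrase.
generate_encrypted_string() {
    local plaintext="$1"
    local salt passphrase encrypted
    salt=$(openssl rand -hex 8)        # 8 bytes = 16 hex chars, the size 'enc -S' expects
    passphrase=$(openssl rand -hex 12) # 12 bytes = 24 hex chars
    encrypted=$(printf '%s' "$plaintext" \
        | openssl enc -aes256 -md sha256 -a -A -S "$salt" -k "$passphrase")
    printf '%s\n%s\n%s\n' "$encrypted" "$salt" "$passphrase"
}

# Decrypt side: what the client-side script does. Salt and passphrase are the values
# embedded in the script; the encrypted string arrives as the Jamf script parameter.
decrypt_string() {
    local encrypted="$1" salt="$2" passphrase="$3"
    printf '%s' "$encrypted" \
        | openssl enc -aes256 -md sha256 -d -a -A -S "$salt" -k "$passphrase"
}

# Round trip with a constructed sample value. Returns 0 when decrypt(encrypt(x)) == x.
round_trip() {
    local plaintext="$1"
    local out encrypted salt passphrase decrypted
    out=$(generate_encrypted_string "$plaintext")
    encrypted=$(printf '%s\n' "$out" | sed -n 1p)
    salt=$(printf '%s\n' "$out" | sed -n 2p)
    passphrase=$(printf '%s\n' "$out" | sed -n 3p)
    decrypted=$(decrypt_string "$encrypted" "$salt" "$passphrase")
    [ "$decrypted" = "$plaintext" ]
}

# Stand-alone run: report the round-trip result (skipped when 'openssl' is not on PATH).
if command -v openssl >/dev/null 2>&1; then
    if round_trip 'ExamplePassword123!'; then
        echo "round trip OK: decrypt(encrypt(x)) == x"
    else
        echo "round trip FAILED: check that both sides use the same openssl options" >&2
    fi
fi
```

Run the file as-is to confirm the round trip on the machine that will generate the values; if the decrypt half is going to run under a different openssl or LibreSSL build on the Macs, test it there too, since the '-md' and cipher options must match on both sides. Only the three printed values travel into Jamf as the thread describes: the encrypted string as the script parameter, the salt and passphrase inside the script.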
Posted on 06-16-2020 09:16 PM
Hey, just reading your response:
You just need to copy that first part of the python script and add a line at the bottom following the python scripts usage syntax and then you can run the script in terminal.
Not sure what you mean by this. Can you provide me a screenshot... or, if you can, walk me through it?
Sorry in advance for such a silly question.
Posted on 06-27-2020 02:14 PM
Encrypted strings, while technically a mitigation, do not really get you the protections you think they might. In the end, simple tools like pstree can collect information on processes that will show code and positional parameters in clear text. Meaning, it would still be somewhat trivial to decrypt values. Not to mention, it still will get decrypted on disk for a small period of time. Tools like hunters.ai can easily detect these threats. In the end you should never pass credentials on the client endpoint for anything. Registration tokens and other way less risky types of credentials can be passed (and there is no choice sometimes) with a minimal accepted risk. Having gone through countless and various security and compliance audits in my 20 year career, it has become painfully obvious to me to avoid these types of workflows any chance you can.
In my opinion, you should spend your efforts on reworking your workflows so that you aren't passing credentials to the endpoint at all, versus spending all this effort to encrypt strings in every piece of code you deploy. To my best knowledge no tool out there does full E2EE where an agent will do a GET request and execute code locally on the device. If there is a tool that does this I would be happy to know! I still try to always enforce my personal rules of no curl scripts on the client side, no credentials on the client side, and always put security, threat models, and compliance into consideration when building workflows.
Posted on 10-14-2020 07:30 AM
solid answer @tlarkin