FileVault 2 and changing local user passwords remotely

jcrowe
New Contributor

Hi.

Has anyone tried changing the password for a local administrator user remotely, and not by going through passwd, on a FileVault 2 Lion system?

We need to change the password securely on about 200 hosts without having to type it in each system. Our systems are bound to AD, but we don't have access to create accounts so we cannot manage it that way either. I also don't think it is a good idea to not have a local administrator account.

The hashes I see are stored in

/var/db/dslocal/nodes/Default/users/user.plist

But swapping out the hash for a different hash does not change the password in FileVault, and only the old password will work to decrypt the drive. The hash does work everywhere else, though.

Does anyone know how to change it in the recovery partition, or some other way to manage local administrator accounts?

Thanks for any help,

Justin

5 REPLIES

rtrouton
Release Candidate Programs Tester

You could set up a policy to reset the password of the local administrator account. Here's how you can do this:

  1. Set up a new policy
  2. Go to the Accounts section
  3. Go to the "Create Accounts/Reset Passwords/Delete Accounts" section
  4. Click the "Reset password" link
  5. Specify the username and the password you want to set.

--missing content--

Your Casper-managed Macs should check in, get the new password set, and pass it off to the recovery partition to update the credentials for the pre-boot login screen.

Thanks,
Rich

On Dec 19, 2011, at 4:53 PM, Crowe, Justin G. (ARC-TNE)[Computer Sciences Corporation] wrote:

Hi. Has anyone tried changing the password for a local administrator user remotely, and not by going through passwd, on a FileVault 2 Lion system?

We need to change the password securely on about 200 hosts without having to type it in each system. Our systems are bound to AD, but we don't have access to create accounts so we cannot manage it that way either. I also don't think it is a good idea to not have a local administrator account.

The hashes I see are stored in /var/db/dslocal/nodes/Default/users/user.plist. But swapping out the hash for a different hash does not change the password in FileVault, and only the old password will work to decrypt the drive. The hash does work everywhere else, though.

Does anyone know how to change it in the recovery partition, or some other way to manage local administrator accounts?

Thanks for any help, Justin

---
Rich Trouton
troutonr at janelia.hhmi.org

JFRC Help Desk
phone: x4030
email: helpdesk at janelia.hhmi.org

The best way to get in touch with me is through email.

jcrowe
New Contributor

We were thinking about doing this, but there were some concerns from our Security team since we are working with Government policies. From what I understand the passwords are stored encrypted in the database, but is the password used in cleartext in any way?

Also, has this been tested to work with Lion and FileVault 2? Just wondering, because I was getting a test environment ready to test it.

Justin

rtrouton
Release Candidate Programs Tester

Justin,

With regards to the password, I don't believe it's stored in cleartext at any point. You should confirm that with Jamf's support though.

I've just tested the password reset policy on a newly-created local admin account with the following execution settings:

Triggered By: Startup
Execution Frequency: Ongoing
Make available offline: checked

Results: The account used the password set during the account's creation for the first boot. After the Mac was up, the reset password policy ran within a minute or so. At the next boot, the new password was being used at the pre-boot login screen.

I then tested changing the account's password to a different password using passwd on the machine, then restarted.

Results: On the first boot following the password change, the passwd-changed password was used at the pre-boot login screen. After the Mac was up, the password reset policy ran. At the next boot, the policy-set password was being used at the pre-boot login screen.

Thanks,
Rich

brian_flynn
New Contributor III

Justin,

I would suggest checking with JAMF; however, I have seen the passwords stored in clear text when the policy is marked for offline use. We're on 8.22, and if you mark the policy as offline a local XML file is created on the client machine. Within the XML file the account and password are in clear text. The permissions on the folder structure and the file are set to be accessible only by root; however, if your users are administrators they can easily "sudo su" and view the files. I'm not sure if this is different on other versions.

Thanks
Brian

jcrowe
New Contributor

For those that are interested,

I have been working with JAMF Support for a little while now. The password is stored in cleartext in an XML file, as Brian said, if the policy is marked for offline use. The password is also passed to the dscl command in cleartext in both offline and online use. This means that the password can be seen in the process table by using "ps" or similar commands. They reported that you rarely see the process, but it is visible sometimes. They are working on this and have filed it in their things to do.

But, if you are managing local accounts on several systems with Filevault 2 this may be the only option for now.

Thanks,

Justin
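The failure mode Justin describes in the last post (a password handed to dscl as a command-line argument, and therefore readable by any local user who runs ps at the right moment) is easy to confirm on your own machine. The script below is an added example for this page, not code from the thread, from Jamf or from dscl itself. It starts a throwaway child that carries a constructed sample secret on its argv, the way `dscl . -passwd /Users/name PASSWORD` would, then a second child that receives the same secret on stdin, and reports whether the secret shows up in the process table each time. The function names, the `/proc`-or-`ps` lookup and the sample password are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example: why a secret on a child's command line leaks through ps,
# while a secret passed on stdin does not. cmdline_of, check_and_reap,
# via_argv, via_stdin and the sample secret are assumptions for this demo,
# not anything from Jamf, dscl or the thread.

# Print the argument vector of a running process. Uses /proc where it
# exists (Linux) and falls back to ps (macOS / BSD).
cmdline_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# Report "leaked" if SECRET is visible in PID's argv, "hidden" otherwise,
# then stop the child so nothing is left running.
check_and_reap() {
  pid=$1; secret=$2
  sleep 1                      # give the child time to exec before looking
  if cmdline_of "$pid" | grep -Fq -- "$secret"; then
    echo leaked
  else
    echo hidden
  fi
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
}

# Unsafe pattern: the secret is an argument, as in
#   dscl . -passwd /Users/localadmin SECRET
# Every process on the box can read that argv while the command runs.
via_argv() {
  sh -c 'sleep 3; :' sh "$1" >/dev/null 2>&1 &
  check_and_reap $! "$1"
}

# Safer pattern: the secret arrives on stdin; argv holds only the command.
# (The secret is still in the child's memory, and still in any offline
# policy XML on disk; stdin only removes the ps exposure.)
via_stdin() {
  printf '%s\n' "$1" | sh -c 'read -r pw; sleep 3; :' >/dev/null 2>&1 &
  check_and_reap $! "$1"
}

# Stand-alone run with a constructed, throwaway sample password.
if [ "${1:-}" = "--demo" ]; then
  echo "argv:  $(via_argv  'Sample-Passw0rd')"
  echo "stdin: $(via_stdin 'Sample-Passw0rd')"
fi
```

Run it as `sh leak_demo.sh --demo`; the argv case prints `leaked` and the stdin case prints `hidden`. The practical takeaway for a password-reset script of your own is to never put the new password on a command line: `dscl . -passwd /Users/name` with the password omitted prompts for it instead, and the same argv exposure applies to anything else you wrap around it (`sudo`, `expect`, `ssh` remote commands), so check each layer with `ps` before trusting it.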