How to change local admin password AND Keychain password?

ralvarezOES
New Contributor III

Hi,
I'd like to change the local admin password on our MacBooks in Jamf. I'm looking at the Policy Local Accounts -> Reset Account Password and it reads, "Set a new account password. This does not update the account's login keychain password or FileVault 2 password."

What options do I have to change the local account password and Keychain password? Do I have to do these separately? Or should I just give my users some instructions to update the keychain password?

Or is there a different workflow I should be thinking about?

8 REPLIES 8

teodle
Contributor

If you're using a local admin account only as a way to give your users privilege escalation (without their regular account being in the 501 admin group), then who cares about keychain? If they do actually log into the console as local admin, they'll get a prompt to either update or create new keychain and just tell them to always create new.

sshort
Valued Contributor

If you create a policy that uses sysadminctl to change the password it will always create a new keychain. So if that's acceptable for your use case then you wouldn't have to worry about dealing with an out-of-sync keychain.

Here's an example I made with an interactive element, however you can trash that part and just hardcode whatever new password you want using a variable in your script. The base command is sysadminctl -adminUser adminUserHere -adminPassword adminPasswordHere -resetPasswordFor userToBeResetHere -newPassword newUserPasswordHere

AdamCraig
Contributor III

I've created a script which will fix these keychain issues after the fact for effected users:
https://www.jamf.com/jamf-nation/discussions/33601/update-keychain-password-script

ralvarezOES
New Contributor III

Thanks for all the reply. I'll test them today and post back how it turned out.

brandon_-_autob
New Contributor III

Did this work for you? Currently in same boat. i have a local admin acc provisioned upon pre-enrollment. And we have filevault 2 enabled. we grant out users a securetokenon and encrypt under their account.

How did you accomplish this task?

mcantwell
New Contributor III
Did this work for you? Currently in same boat. i have a local admin acc provisioned upon pre-enrollment. And we have filevault 2 enabled. we grant out users a securetokenon and encrypt under their account. How did you accomplish this task?

Would love to get an answer on this as well. Need to set new password for the local admin account (IT use only) and also update the FileVault 2 password. Is there an easy terminal command I can set to run after the "Local Accounts" payload?

Not applicable

here are the script that change admin password:

!/bin/bash

UPDATE KEYCHAIN PASSWORD

username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
loggedInUID=$(id -u "$username")

Find the renamed keychains

renamed=""

for n in {1..9} ; do long="Users/$username/Library/Keychains/login_renamed_$n.keychain-db" short="login_renamed_$n.keychain-db" echo "$long" if [[ ! -f $long ]] ; then echo "Above Keychain not Found" else renamed="$long" short_renamed="$short" echo "renamed set to Above Keychain" fi
done

If the rename keychain isn't found then exit

if [[ -z "$renamed" ]] ; then echo "Renamed keychain not found." dialog="Old keychain not found." cmd="Tell app "System Events" to display dialog "$dialog"" /usr/bin/osascript -e "$cmd" exit 1
fi

renamed=`echo ${renamed%???}`

Prompt use for current password

currentPass=$(/usr/bin/osascript<<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "Please enter your Current account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END)

previousPass=$(/usr/bin/osascript<<END
tell application "System Events"
activate
set the answer to text returned of (display dialog "Please enter your Previous account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END)

Open the keychain to load it into keychain access

open "$renamed" &

sleep 2

close keychain access

killall Keychain Access

unlock the previous keychain

unlock_result=`expect -c "
spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security unlock-keychain $short_renamed
expect "password to unlock $renamed"
send ${previousPass}
expect"`

if [[ "$unlock_result" == "The user name or passphrase you entered is not correct." ]] ; then echo "Previous Password did not unlock keychain" dialog="Previous Account password did not unlock the old keychain." cmd="Tell app "System Events" to display dialog "$dialog"" /usr/bin/osascript -e "$cmd" exit 1
fi

If it gets this far the Previous Password is correct

change the password to the previous keychain

expect -c "
spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security set-keychain-password $short_renamed
expect "Old Password:"
send ${previousPass}
expect "New Password:"
send ${currentPass}
expect "Retype New Password:"
send ${currentPass}
expect"

Make a keychain archive on the users desktop

mkdir /Users/$username/Desktop/Keychain Archive

move the login keychain to the archive

mv /Users/$username/Library/Keychains/login.keychain-db /Users/$username/Desktop/Keychain Archive/login.keychain-db

copy the renamed keychain to the archive

cp /Users/$username/Library/Keychains/$short_renamed /Users/$username/Desktop/Keychain Archive/$short_renamed

wipe current keychain list

/bin/launchctl asuser $loggedInUID sudo -iu "$username" security list-keychains -s none

rename the renamed keychain to login

mv $renamed /Users/$username/Library/Keychains/login.keychain-db

add the login keychain to the list.

/bin/launchctl asuser $loggedInUID sudo -iu "$username" security list-keychains -s login.keychain-db

unlock keychain

expect -c "
spawn /bin/launchctl asuser $loggedInUID sudo -iu $username security unlock-keychain login.keychain-db
expect "password to unlock $renamed"
send ${currentPass}
expect"

set that keychain to the default keychain

result=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$username" security default-keychain -s "login.keychain-db")
if [[ -z $result ]] ; then dialog="Updating Old Keychain is complete. Recommended to verify keychain looks correct then reboot the computer"
else echo "$result" dialog="$result"
fi
cmd="Tell app "System Events" to display dialog "$dialog""
/usr/bin/osascript -e "$cmd"

exit 0

AdamCraig
Contributor III

@DevidDecosta Here is that script on my github lhttps://github.com/theadamcraig/jamf-scripts/blob/master/Update_keychain_password_v4.sh

This script doesn't update the password, it fixed the keychain issues after the password has been updated if the keychain password is not synced with the login password. (it specifically looks for a renamed keychain. so your keychain needs to break BEFORE that can fix it.)

I've made some updates to it as well to resolve a few edge case issues.