How to hash a password

donmontalvo
Esteemed Contributor III

Is there a command or tool we can use to create a password hash so it can be used in a script for JSS?

In the "old days" (pre 8.4) when Recon used to spit out QuickAdd installers with postflight scripts that included hashed passwords, we were a couple'a clicks away from hashing passwords.

But now that QuickAdd "enrolls" computers, we lost that nugget.

So what's the best way to turn a password into a hash? Is there a command line trick? Or is there a GUI doohickey that can do the trick? I guess I'm not a hash guru (never touched the stuff myself although my buddies did when I was stationed in Turkey...but I digress...), figured I'd check in with the group.

Thanks,
Don

--
https://donmontalvo.com
3 ACCEPTED SOLUTIONS (the replies by mm2270, rockpapergoat and jarednichols, shown in thread order below)

10 REPLIES

mm2270
Legendary Contributor III

I'm not exactly sure what you're looking to do, but one of the following will create a hash of whatever is echoed through it-

printf '%s' "Password" | md5      # printf rather than echo: echo would append a newline to the bytes being hashed

printf '%s' "Password" | base64   # encodes the input; `base64 --decode` reverses it

Hopefully that is something you can use.

Edit: I would go with the md5 hash as that is surely more secure (although either one may be just fine depending on how you plan to use it)
Someone may also have better ideas.

Edit 2: OK, another thought on this. If you just need to pass a password to a script being run from the JSS in a policy, another approach you can take is to assign the password to parameter 4 or whichever number you happen to like. That way it's not hard-coded in the script itself, but managed by the JSS.
For example, in your script, include a section that defines a variable called 'Pass' to $4, like so:

Pass=""

if [ "$4" != "" ] && [ "$Pass" == "" ]; then
    Pass=$4
fi

Also a good idea to have a check in place in the script to be sure it has a password it can use, like this:

if [ "$Pass" == "" ]; then
    echo "Error:  The parameter 'Pass' is blank.  Please specify a value."
    exit 1
fi

When you upload your script in Casper Admin (after thorough testing) make sure to assign the label for parameter 4 as "Password" or something like that. When you later assign it to a policy, the "Password" label will show up. Make sure you enter the actual password in that section. When the script runs, the JSS will send that password down to the script, since the script knows it should be looking at $4 for the actual password.

Make sense?
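The two things this reply covers, as an added example that is not part of the thread: hashing exactly the bytes you mean (an `echo` pipeline feeds echo's trailing newline into the digest, and base64 is a reversible encoding rather than a hash), and reading a password from Jamf script parameter $4 with a blank check. The digest tool is picked at run time because macOS ships `md5`/`shasum` while Linux ships `md5sum`/`sha256sum`; the function names, the sample password and the sample parameter values are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the original thread).  Assumes: a Jamf-style policy script
# whose positional parameters 1-3 are reserved (mount point, computer name, username)
# and whose first free slot is $4; function names and sample values are our own.

# Print the hex digest of stdin with whatever tool the host has
# (Linux coreutils: md5sum/sha256sum; macOS: md5/shasum; fallback: openssl dgst).
hexdigest() {                 # usage: <bytes> | hexdigest <md5|sha256>
  local algo=$1
  case "$algo" in md5|sha256) ;; *) echo "hexdigest: unsupported algorithm '$algo'" >&2; return 2 ;; esac
  case "$algo" in
    md5)    if command -v md5sum >/dev/null 2>&1; then md5sum
            elif command -v md5 >/dev/null 2>&1; then md5 -q
            else openssl dgst -md5; fi ;;
    sha256) if command -v sha256sum >/dev/null 2>&1; then sha256sum
            elif command -v shasum >/dev/null 2>&1; then shasum -a 256
            else openssl dgst -sha256; fi ;;
  esac | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9a-f]+$/ && length($i) >= 32) print $i }'
}

# Hash exactly the bytes of the string: printf '%s' adds nothing.
hash_string() {               # usage: hash_string <md5|sha256> <string>
  printf '%s' "$2" | hexdigest "$1"
}

# `echo "Password" | md5` hashes nine bytes ("Password" plus echo's newline), so its
# output will never match a system that hashed the eight-byte password.
echo_adds_newline() {         # succeeds when the echo-fed and printf-fed digests differ
  [ "$(echo "$1" | hexdigest sha256)" != "$(hash_string sha256 "$1")" ]
}

# base64 is an encoding, not a hash: whoever reads the output gets the password back.
b64_encode() { printf '%s' "$1" | base64 | tr -d '\n'; }           # tr: GNU base64 wraps lines
b64_decode() {                                                      # GNU/macOS spell the flag differently
  printf '%s' "$1" | base64 --decode 2>/dev/null || printf '%s' "$1" | base64 -D 2>/dev/null
}

# Read the password from parameter 4 instead of hard-coding it, and refuse to run
# with a blank one.  Note: anything passed as an argument is visible to other local
# users via `ps` while the script runs, so never echo it to stdout or a log.
password_from_param() {       # usage: password_from_param "$@"  -> prints $4, or fails
  local pass=${4:-}
  if [ -z "$pass" ]; then
    echo "Error: the parameter 'Pass' (parameter 4) is blank. Please specify a value." >&2
    return 1
  fi
  printf '%s' "$pass"
}

if [ "${1:-}" = "demo" ]; then   # run as:  bash hash_demo.sh demo
  echo "sha256(Password)            = $(hash_string sha256 Password)"
  echo "sha256(echo Password)       = $(echo Password | hexdigest sha256)   <- includes the newline"
  echo "base64(Password)            = $(b64_encode Password)  decodes to: $(b64_decode "$(b64_encode Password)")"
  echo "parameter 4 from (/ mac01 don s3cret) = $(password_from_param / mac01 don s3cret)"
fi
```

When the script is uploaded, label parameter 4 "Password" as the reply suggests; the blank check above gives a clear error in the policy log if someone forgets to fill it in, instead of the script continuing with an empty string.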

jarednichols
Honored Contributor

@Don
Yeah some background would help on this.

@mm2270
Generally, MD5's got serious weaknesses. Pick something from the SHA-2 family. Obviously that'll depend if what Don needs can use something in SHA-2...

rockpapergoat
Contributor III

I think what Don's talking about is the same type of simple hashing present in QuickAdd packages.

So, something that you can pass to the jamf binary when creating an account, like "-passhash '%c4%cf%de%cb%cc%c7%cf%c4'."

It looks to me like URL-encoded hex values, but I never got confirmation of that from JAMF. Being able to programmatically replicate what the jamf binary expects would be convenient.

jarednichols
Honored Contributor
being able to programmatically replicate what the jamf binary expects would be convenient.

Indeed

donmontalvo
Esteemed Contributor III

@mm2270 Thanks, I'll test both solutions and will post results.

I'm not exactly sure what you're looking to do, but one of the following will create a hash of whatever is echoed through it-
echo "Password" | md5

echo "Password" | base64
Hopefully that is something you can use.

@jarednichols We are working on a script that will need to use a password that we need to keep secured. Unfortunately I can't post the specifics on an open forum. :)

@rockpapergoat You hit the nail on the head. The old QuickAdd (pre-8.43, we jumped from 7.31) gave you hashes...now with enrollment, no more hashes. I guess I just need to see if the hash is MD5 or SHA-2 (as recommended by Jared), will post result.

--
https://donmontalvo.com

mm2270
Legendary Contributor III

@Don, have you accounted for how you will decrypt the password later? If something that your script is passing the hashed password on to is expecting the actual password, how will that work? I'm not very well versed on these things, so just kind of talking out loud here.
I see that openssl has functions to encrypt and later decrypt a passphrase with the use of a known key. That may be something to look at as well. Again, not sure how secure this really needs to be for you.

@Jared- thanks for the info on md5. As I said above, I'm not the most well versed on these things. Any suggested reading you can recommend that will give me some primers on this stuff? (I do want to learn more) Preferably something that won't make my head explode? :)
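An added example (not from the thread) of the distinction raised above: a hash lets a script verify a password but never recover it, whereas `openssl enc` with a key kept outside the script lets it recover the real password at run time. It assumes OpenSSL 1.1.1 or later (for `passwd -6` and `enc -pbkdf2`); the ENC_KEY variable name and the sample secrets are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the original thread).  A password hash is one-way: a script
# can only check a candidate against it, nothing "decrypts" it.  If the script must
# hand the real password to something else, store it encrypted and decrypt at run time
# with a key that is not in the script.  Assumes OpenSSL 1.1.1+; ENC_KEY and the
# sample secrets are assumptions of this example.

# --- One-way: salted SHA-512-crypt via `openssl passwd -6` -------------------------
# The password goes in on stdin rather than as an argument, so it never shows in `ps`.
hash_password() {             # usage: hash_password <password> [salt] -> "$6$salt$digest"
  local pw=$1 salt=${2:-}
  if [ -z "$salt" ]; then     # fresh random salt, 16 chars from the crypt alphabet
    salt=$(head -c 12 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 16)
  fi
  printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin
}

# Verify by re-hashing the candidate with the salt embedded in the stored string
# ("$6$salt$digest": field 3 when split on '$').
verify_password() {           # usage: verify_password <candidate> <stored>
  local stored=$2 salt
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(hash_password "$1" "$salt")" = "$stored" ]
}

# --- Two-way: AES-256-CBC, key derived with PBKDF2 from ENC_KEY --------------------
# `-pass env:ENC_KEY` reads the key from the environment, not the command line, so it
# is not visible in the process list while openssl runs.
encrypt_secret() {            # usage: ENC_KEY=... encrypt_secret <plaintext> -> base64 blob
  printf '%s' "$1" | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -pass env:ENC_KEY -a -A
}

decrypt_secret() {            # usage: ENC_KEY=... decrypt_secret <base64 blob> -> plaintext
  printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -pass env:ENC_KEY -a -A
}

if [ "${1:-}" = "demo" ]; then   # run as:  bash secret_demo.sh demo
  stored=$(hash_password 's3cret-Pa55')
  echo "stored hash : $stored"
  verify_password 's3cret-Pa55' "$stored" && echo "right password: verified"
  verify_password 'wrong'       "$stored" || echo "wrong password: rejected (and the hash gives nothing back)"
  export ENC_KEY='example-key-kept-outside-the-script'
  blob=$(encrypt_secret 's3cret-Pa55')
  echo "ciphertext  : $blob"
  echo "decrypted   : $(decrypt_secret "$blob")"
fi
```

The hash path answers "is this the right password?"; the encryption path answers "what is the password?". Only the second fits a script that must pass the real value on, and then the security of the whole scheme rests on where ENC_KEY lives, not on the script.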

jarednichols
Honored Contributor
Preferably something that won't make my head explode? :)

That's the hard bit, you see :) You're going to end up down a Wikipedia wormhole (where you start at one article and end up at another article hours later) but the cryptography article is a good one to start with: http://en.wikipedia.org/wiki/Cryptography

Once you have a handle on that (in particular symmetric encryption vs PKI) move on to understanding the different algorithms that are out there.

donmontalvo
Esteemed Contributor III

I vote we donate Jared's brain to science...LOL

--
https://donmontalvo.com

ernstcs
Contributor III

If you're looking to deal with passwords for things JAMF related, you can still get that out of Casper Imaging and the FirstRun script it generates. You create the account on the accounts tab with the information you want with a custom install, and when you use Casper Imaging just make sure you don't boot to Macintosh HD after imaging, dig down to the location of the FirstRun script (system/library/startupitems/Firstrun) and crack that open. You should see the line the binary will use to create the account.

donmontalvo
Esteemed Contributor III

@ernstcs Thanks for the tip, was hoping to avoid all those steps. If the command line works, we'll ask the requestor to run and provide us with hash to put into the script. :)

--
https://donmontalvo.com