How to send a command with needed password in a shell script?

mkolb
Contributor

Hi everyone! Hope someone can help:

I want to write a script to disable the EFI password. I could use the jamf binary, I know, but I want the script to work even on machines without the jamf binary.

I wanted to ask, how can I perform a command and send the needed password (in this case, the firmwarepassword) with the command, so there would be no prompt in the Terminal?

This is the current state of the script:

#!/bin/sh
#This discovers the current user, needed for the osascript commands
currentuser=`stat -f%Su /dev/console`

#This prompts the user to enter the EFI-Password
read -r -d '' password <<'EOF'
   set dialogText to text returned of (display dialog "Please enter the EFI Password to disable it:" default answer "" with hidden answer)
   return dialogText
EOF

efi=$(sudo -u $currentuser /usr/bin/osascript -e "$password");

echo $efi | sudo -S firmwarepasswd -verify

exit 0

With the last line I tried to give the EFI password to the "firmwarepasswd -verify" command, but as it did not work out, I think this is completely wrong..

And the "-verify" is only for testing for now; I know the correct option would be "-delete".

Thanks for any input!

5 REPLIES

thoule
Valued Contributor II

JAMF IT has created a method to do what you are asking. It's not simple, but it does work.

Encrypted-Script-Parameters

mkolb
Contributor

Hi, thanks for your answer. This looks interesting, but it's based on the JSS. I want to write a solution that works completely without the JSS or the jamf binary.

I was thinking of using the "expect" and "send" commands, but I'm not capable of using them correctly..

thoule
Valued Contributor II

Sorry - I read your post too quickly and expected an FAQ. Yes, if that command line tool doesn't support sending the password via command line parameter, then you'll need the expect command. Assuming it prompts for password. I don't know what the output of that command looks like.

mkolb
Contributor

I'm still working on this... at the moment, this is my latest version:

#!/bin/sh
#This discovers the current user, needed for the osascript commands
currentuser=`stat -f%Su /dev/console`

#Functions to prompt for Passwords
read -r -d '' admin <<'EOF'
   set dialogText to text returned of (display dialog "Please enter the local Admin's Password:" default answer "" with hidden answer)
   return dialogText
EOF

read -r -d '' password <<'EOF'
   set dialogText to text returned of (display dialog "Please enter the EFI Password to disable it:" default answer "" with hidden answer)
   return dialogText
EOF

#Ask for Admin Password
admin=$(sudo -u $currentuser /usr/bin/osascript -e "$admin");


#Checks, if there is an EFI password set
efistatus=$(echo $admin | sudo -S firmwarepasswd -check);


if [ "$efistatus" = "Password Enabled: Yes" ] ; then
    #Asks for EFI Password
    efi=$(sudo -u $currentuser /usr/bin/osascript -e "$password");
    set input $efi
    spawn echo $admin | sudo -S firmwarepasswd -verify
    expect "*?assword:*"
    send -- "$input
"

fi


echo "Blubb blubb blubb"
exit 0

Unfortunately it still won't work. It asks for the admin password, it asks for the EFI password, but it is not able to "enter" this EFI password automatically without asking the user in the terminal for it..

LRZ_Jamf
Contributor

#!/bin/sh

echo "${password1}
${password2}" | sudo -S firmwarepasswd -verify

may resolve your issue ;)
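
The expect approach discussed in the replies above, written out as a /bin/sh function. This is an added example, not code from the thread or from Jamf. The names answer_prompt and PROMPT_SECRET are hypothetical, and it assumes the script already runs as root (so no sudo prompt is involved) and that the tool's prompt matches the thread's "*?assword:*" pattern.

```shell
#!/bin/sh
# answer_prompt SECRET CMD [ARG...]   (hypothetical helper, added example)
# Runs CMD on a pseudo-terminal under expect(1) and types SECRET at its
# password prompt. Returns CMD's exit status, 124 on timeout, 125 if CMD
# exits before prompting, 2 on bad usage, 127 if expect is not installed.
answer_prompt() {
    [ "$#" -ge 2 ] || { echo "usage: answer_prompt SECRET CMD [ARG...]" >&2; return 2; }
    command -v expect >/dev/null 2>&1 || { echo "expect not found" >&2; return 127; }
    secret=$1; shift
    # The secret travels in expect's environment, not in its arguments and
    # not inside the Tcl source, so spaces, quotes, $ or [ ] in it are sent
    # literally. The Tcl script is read from stdin (-f -); "--" ends
    # expect's own options so "$@" arrives unchanged in $argv.
    PROMPT_SECRET=$secret expect -f - -- "$@" <<'EOF'
log_user 0                 ;# do not copy the dialogue (or an echoed secret) to stdout
set timeout 15
eval spawn -noecho $argv
expect {
    -re {[Pp]assword:} { send -- "$env(PROMPT_SECRET)\r" }
    timeout            { exit 124 }
    eof                { exit 125 }
}
expect eof
exit [lindex [wait] 3]     ;# 4th element of wait is the child's exit status
EOF
    rc=$?
    unset secret
    return "$rc"
}

# Usage with the thread's command, as root, where $efi holds the dialog result:
#   answer_prompt "$efi" firmwarepasswd -verify
```

Because the expect commands sit in a quoted here-document, the shell never tries to run spawn, expect or send itself, which is what happens when they are placed directly in the sh script.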