Local Admin Password Change - Check existing Password?

mcgace
New Contributor III

Hi,

I'm running a very basic script, which works, to change the local admin password on all our Macs. But, I want to know how to check if the currentPwd already matches the newPwd, and if so then it must exit.

How do I do that?

if [ "$currentPwd" = "$newPwd" ]; then
    echo 'password is correct'
else
    # change account password
    :
fi

Thank you to @adolfsson for the initial idea:

The script below works, but as you can see it's not very 'clever' :-)

Script:

currentPassword="$4"
newPassword="$5"
accountName="$6"

adminUser="remoteadmin"

#Check that we are changing ONLY for remoteadmin
if [ "$adminUser" == "${accountName}" ]
    then 
        #Change management account locally on mac
        sudo dscl . passwd /Users/"${accountName}" "${currentPassword}" "${newPassword}"

        echo " Local Admin Account - Password changed! "

        #Report management account password back to JSS
        sudo jamf recon -sshUsername remoteadmin -sshPassword "${newPassword}"

        echo " Local Management Account - password passed to JSS! "
    else
        echo " You are trying to change the wrong account. No Changes! "
fi

boberito
Valued Contributor
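#!/bin/sh
# Try to authenticate with the supplied password; discard dscl's output and test only its exit code
dscl /Local/Default -authonly "${loggedInUser}" "${userpassword}" >/dev/null 2>&1
if [ "$?" != "0" ]; then
    echo "Login incorrect"
fi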

If it works, it's the new password. If it doesn't, then it's the old. Or vice versa, check the other way.

mcgace
New Contributor III

@boberito thanks, newb question: What is this testing?

if [ "$?" != "0" ]

boberito
Valued Contributor

$? will give you the exit code of a command. If it equals 0, it exited successfully.

Sometimes programs or scripts will do a different exit code so you know sort of why it failed. A good example or sort of explanation is if you run jamfHelper "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -help". At the bottom of the help it says...

Return Values: The JAMF Helper will print the following return values to stdout...
0 - Button 1 was clicked
1 - The Jamf Helper was unable to launch
2 - Button 2 was clicked
XX1 - Button 1 was clicked with a value of XX seconds selected in the drop-down
XX2 - Button 2 was clicked with a value of XX seconds selected in the drop-down
239 - The exit button was clicked
243 - The window timed-out with no buttons on the screen
250 - Bad "-windowType"
255 - No "-windowType"

So different exit codes based off different results.

Basically in the small script example I initially posted, if login succeeds the exit code is 0. If it doesn't, it's something else but we don't care what it is, we just care that it wasn't 0.

Hopefully that all makes sense.

mcgace
New Contributor III

@boberito thanks, that's perfect. This worked and will help me with a few other things too. Thanks

devoted_lkrygsm
New Contributor III

You can strip down the true/false check in boberito's solution even further, like so:

#!/bin/sh
if dscl /Local/Default authonly "${loggedInUser}" "${userpassword}" ; then
    echo "Valid Login"
fi

Or if you want to test for an invalid login, add an ! in there:

#!/bin/sh
if ! dscl /Local/Default authonly "${loggedInUser}" "${userpassword}" ; then
    echo "Invalid Login"
fi

If you omit the [ ] and run a command as part of the if, it will evaluate true if the error state is 0 (success) and false for any non-zero error state.

The downside (if you care) of this method is that it does still echo the error if the password is wrong. :-)
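
The thread's suggestions combined into one rotation script, as an added example that is not part of any post above: it exits early when the new password already authenticates, refuses to proceed when neither password is accepted, and confirms the change before reporting to the JSS. The function names (auth_ok, change_password, report_to_jss, rotate_password) and the status words are hypothetical; the dscl and jamf recon calls are the ones used in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and status words are hypothetical.
# Caveat: passwords passed as command arguments are visible in the process list.

# auth_ok USER PASSWORD -> exit 0 if the local directory accepts the password.
auth_ok() {
    dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# change_password USER CURRENT NEW -> same dscl call as the original script.
change_password() {
    dscl . passwd "/Users/$1" "$2" "$3" >/dev/null 2>&1
}

# report_to_jss USER NEW -> same jamf recon call as the original script.
report_to_jss() {
    jamf recon -sshUsername "$1" -sshPassword "$2" >/dev/null 2>&1
}

# rotate_password CURRENT NEW ACCOUNT
# Prints one status word; returns 0 only when the new password is live.
rotate_password() {
    current=$1 new=$2 account=$3
    if [ "$account" != "remoteadmin" ]; then
        echo "wrong-account"; return 1
    fi
    if auth_ok "$account" "$new"; then
        echo "already-set"; return 0                 # nothing to do, exit early
    fi
    if ! auth_ok "$account" "$current"; then
        echo "current-password-rejected"; return 1   # neither password works
    fi
    if ! change_password "$account" "$current" "$new" || ! auth_ok "$account" "$new"; then
        echo "change-failed"; return 1
    fi
    report_to_jss "$account" "$new" || { echo "changed-recon-failed"; return 0; }
    echo "changed"
}

# Jamf passes the script parameters as $4, $5 and $6, as in the original script.
if [ "$#" -ge 6 ]; then
    rotate_password "$4" "$5" "$6"
fi
```

The status word goes to stdout, so it appears in the policy log without the passwords ever being echoed.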

brandon_-_autob
New Contributor III

How was your local admin account provisioned?