Using hash in account creation scripts

bwbritt86
New Contributor

I'm wondering, is it possible to use hashes, preferably SHA-512, instead of plain text with the "sysadminctl" command? I really dislike the thought of a script containing my admin account password in plain text. I'm also creating a new admin account with the script, so it would be a bad idea to have that account's password in plain text.


DBrowning
Valued Contributor II

bwbritt86
New Contributor

Worked! Thanks.

TechSpecialist
Contributor

Could someone please provide me a step-by-step tutorial on how to utilise this? I understand what the script does, but I'm getting confused on how to start and what to do.

mschroder
Valued Contributor

I must be missing something. The script contains all the information needed to decrypt the encrypted string. So anybody with access to the script still gets the admin password. The only place where protection is added is in the JSS, where the policy now contains the encrypted string instead of the plain text password. So this scheme only protects the password inside the JSS - whose access is anyhow very restricted.

donmontalvo
Esteemed Contributor III

@MagicMick this might help:

Script Parameters

--
https://donmontalvo.com

tlarkin
Honored Contributor

Just a fair bit of caution: every script Jamf runs still hits disk in clear text, in the temp folder that Jamf downloads to. So, even if you pass an encrypted string, with parameters to decrypt it, it all hits disk in clear text. Meaning a simple tool like pstree, for example, can just scrape all that data. Tools like hunters.ai will easily pick this up, or any threat hunting tool should. So, do not assume encrypted strings in Jamf scripts are secure; it is simply an extra layer an attacker would have to get through, which, if said attacker knows how Jamf works, would not be too difficult to get to.

So, really, if you want to put security first, don't pass any creds in scripts to client endpoints.