Question

Using hash in account creation scripts



I'm wondering, is it possible to use hashes, preferably SHA-512, instead of plain text with the "sysadminctl" command? I really dislike the thought of a script containing my admin account password in plain text. I'm also creating a new admin account with the script, so it would be a bad idea to have that account's password in plain text.

6 replies

DBrowning
  • Esteemed Contributor
  • 668 replies
  • September 20, 2019

  • Author
  • New Contributor
  • 1 reply
  • September 24, 2019

Worked! Thanks.



Could someone please provide me a step-by-step tutorial on how to utilise this? I understand what the script does, but I'm getting confused on how to start and what to do.


  • Valued Contributor
  • 359 replies
  • July 23, 2020

I must be missing something. The script contains all the information needed to decrypt the encrypted string. So anybody with access to the script still gets the admin password. The only place where protection is added is in the JSS, where the policy now contains the encrypted string instead of the plain text password. So this scheme only protects the password inside the JSS - whose access is anyhow very restricted.


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • July 23, 2020

@MagicMick this might help:

Script Parameters


  • Honored Contributor
  • 2721 replies
  • July 23, 2020

Just a fair bit of caution: every script Jamf runs still hits disk in clear text, in the temp folder that Jamf downloads to. So, even if you pass an encrypted string, with parameters to decrypt it, it all hits disk in clear text, meaning a simple tool like pstree, for example, can just scrape all that data. Tools like hunters.ai will easily pick this up, or any threat hunting tool should. So, do not assume encrypted strings in Jamf scripts are secure; it is simply an extra layer an attacker would have to get through, which, if said attacker knows how Jamf works, would not be too difficult to get to.

So, really if you want to put security first, don't pass any creds in scripts to client endpoints.
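To make the two cautions above concrete (the script carries everything needed to decrypt the string, and the decrypted value exists in clear text on the endpoint), here is an added example of the encrypt-then-pass-parameters pattern the thread is discussing. It is not the script posted in this thread or Jamf's own code; it assumes the common openssl AES passphrase-and-salt scheme, with the ciphertext, salt and passphrase arriving as script parameters, and all values shown are constructed.

```shell
#!/bin/bash
# Added example: encrypted-string round trip as used in Jamf script parameters.
# Assumes /usr/bin/openssl (macOS LibreSSL or OpenSSL) and AES-256-CBC with a
# passphrase plus an 8-byte hex salt. Not the thread's script; all values constructed.

# encrypt_string PLAINTEXT SALT_HEX PASSPHRASE -> single-line base64 ciphertext.
# -md sha256 pins the key derivation so encrypt/decrypt agree across openssl builds.
encrypt_string() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -md sha256 -a -A -S "$2" -k "$3" 2>/dev/null
}

# decrypt_string CIPHERTEXT SALT_HEX PASSPHRASE -> original plaintext.
# Note what this needs: the ciphertext, the salt and the passphrase. In the
# Jamf pattern the first lives in the policy and the other two are passed as
# parameters, so anyone who can read the running script (or the copy Jamf
# writes to its temp folder) has all three. The scheme hides the password from
# someone browsing the JSS policy, not from someone on the endpoint.
decrypt_string() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -md sha256 -a -A -d -S "$2" -k "$3" 2>/dev/null
}

# Convenience wrapper matching a Jamf policy's positional parameters:
# $4 = encrypted string, $5 = salt (hex), $6 = passphrase (constructed layout).
recover_from_parameters() {
    decrypt_string "$4" "$5" "$6"
}

# Demo, only when run as: ./example.sh --demo
if [ "${1:-}" = "--demo" ]; then
    salt="1f2e3d4c5b6a7988"            # constructed 8-byte salt, hex
    passphrase="constructed-passphrase"   # would be a script parameter
    ct=$(encrypt_string 'Example-Pa55' "$salt" "$passphrase")
    echo "ciphertext stored in the policy: $ct"
    # Jamf supplies $1..$3 itself; the policy parameters start at $4.
    plain=$(recover_from_parameters "" "" "" "$ct" "$salt" "$passphrase")
    echo "recovered on the endpoint:       $plain"
    # On a Mac the recovered value is what a creation script would hand to
    # sysadminctl -addUser ... -password "$plain", i.e. it is clear text again.
fi
```

The round trip succeeds with nothing but the three parameters, which is exactly the observation in the two replies above: the protection is against a reader of the JSS policy, and a local observer of the script or its process tree sees the same plain text the script does.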

