Using hash in account creation scripts
Posted on 09-19-2019 03:04 PM - last edited on 03-04-2025 07:25 AM by kh-richa_mig
I'm wondering, is it possible to use hashes, preferably SHA-512, instead of plain text with the "sysadminctl" command. I really dislike the thought of a script containing my admin account password in plain text. I'm also creating a new admin account with the script, so it would be a bad idea to have that account's password in plain text.
Labels: Scripts

Posted on 09-20-2019 04:23 AM
@bwbritt86 Check this out: Encrypted Strings as parameters
Posted on 09-24-2019 10:07 AM
Worked! Thanks.

Posted on 07-22-2020 11:59 PM
Could someone please provide me a step-by-step tutorial on how to utilise this? I understand what the script does, but I'm getting confused on how to start and what to do.
Posted on 07-23-2020 01:28 AM
I must be missing something. The script contains all the information needed to decrypt the encrypted string. So anybody with access to the script still gets the admin password. The only place where protection is added is in the JSS, where the policy now contains the encrypted string instead of the plain text password. So this scheme only protects the password inside the JSS - whose access is anyhow very restricted.
Posted on 07-23-2020 02:00 AM

Posted on 07-23-2020 11:30 AM
Just a fair bit of caution: every script jamf runs still hits disk in clear text, in the temp folder that jamf downloads to. So, even if you pass an encrypted string, with parameters to decrypt it, it all hits disk in clear text. Meaning a simple tool like pstree, for example, can just scrape all that data. Tools like hunters.ai will easily pick this up, or any threat hunting tool should. So, do not assume encrypted strings in jamf scripts are secure; it is simply an extra layer an attacker would have to get through. Which, if said attacker knows how jamf works, would not be too difficult to get to.
So, really if you want to put security first, don't pass any creds in scripts to client endpoints.
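As an added illustration of the point made in the 07-23-2020 reply (this is not the code from the linked "Encrypted Strings as parameters" post, only the same pattern rebuilt here), the script below encrypts a constructed value the way a policy would carry it and then decrypts it using nothing but the salt and passphrase that would sit in the policy's script parameters. It assumes openssl 1.1.1 or newer is on PATH (for -pbkdf2); the Jamf parameter numbers in the comments are illustrative.

```shell
#!/bin/sh
# Added example: the "encrypted string + parameters" pattern, built with openssl.
# Assumes openssl 1.1.1+ on PATH. All values below are constructed, never real creds.

# Run once by the admin; the output is pasted into the policy as the "encrypted string".
# The salt and passphrase are then typed into the policy's script parameters
# (conventionally $4 and $5 in a Jamf script; illustrative, not required).
encrypt_string() {   # usage: encrypt_string PLAINTEXT SALT_HEX PASSPHRASE
    printf '%s' "$1" | openssl enc -aes-256-cbc -a -A -pbkdf2 -S "$2" -k "$3"
}

# What the script on the endpoint does with the string and its two parameters.
decrypt_string() {   # usage: decrypt_string CIPHERTEXT_B64 SALT_HEX PASSPHRASE
    printf '%s' "$1" | openssl enc -aes-256-cbc -d -a -A -pbkdf2 -S "$2" -k "$3"
}

SECRET='CONSTRUCTED-example-secret'     # constructed stand-in for an admin password
SALT="$(openssl rand -hex 8)"           # 8 bytes as 16 hex chars, the form -S expects
PASSPHRASE="$(openssl rand -hex 16)"    # constructed passphrase, as it would be typed into a parameter
ENC="$(encrypt_string "$SECRET" "$SALT" "$PASSPHRASE")"

# Everything a reader of the policy sees: the ciphertext and both decryption inputs.
# This is the observation in the reply above: the protection is against casual
# reading of the policy text, not against anyone who holds the script plus its parameters.
policy_view() {
    printf 'script parameter (salt):       %s\n' "$SALT"
    printf 'script parameter (passphrase): %s\n' "$PASSPHRASE"
    printf 'encrypted string in policy:    %s\n' "$ENC"
}

# Returns 0 when decrypting with the policy's own parameters yields the original value.
round_trip_ok() {
    [ "$(decrypt_string "$ENC" "$SALT" "$PASSPHRASE")" = "$SECRET" ]
}

policy_view
round_trip_ok && echo "decrypted with nothing beyond the policy contents"
```

Because the endpoint must be able to run decrypt_string on its own, the ciphertext, salt and passphrase all reach the client together, which is exactly why the later reply treats this as obfuscation rather than protection.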
