Using the -passhash option with jamf mount command: Can't figure it out!

scraig
New Contributor II

When attempting to mount a file share like so:
jamf mount -server URL -share jamf -type smb -username casper_rw -passhash md5edpassword -workgroup DOMAIN -verbose
I get an authentication error.
I've tried using both the management_password_md5/sha256 values returned from the API DistributionPoints object and passing the password through md5 like
echo password | md5

None of these work, so obviously I'm misunderstanding something.

It DOES work using -password instead of -passhash, FWIW. Also, there are no funky characters in the original password.
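As an added example (not part of the original post), the Python below reproduces the check the question describes, comparing a known password against the management_password_md5 / management_password_sha256 fields of a distribution point record. It hashes the password both exactly and with a trailing newline, because `echo password | md5` feeds "password\n" to the digest, which by itself makes a hand-computed value differ from a digest of the bare password. The distribution point record here is constructed sample data, not real API output.

```python
import hashlib

# Constructed sample of the two hash fields the thread says the Jamf API
# returns for a distribution point. The values are placeholders, not real output.
SAMPLE_DP = {
    "name": "Example DP (constructed)",
    "management_password_md5": "0" * 32,
    "management_password_sha256": "0" * 64,
}


def candidate_hashes(password: str) -> dict:
    """Plain md5/sha256 digests of the password, computed two ways:
    'exact' hashes the bare password; 'with_newline' hashes password + "\\n",
    which is what `echo password | md5` actually digests."""
    out = {}
    variants = (("exact", password.encode()),
                ("with_newline", (password + "\n").encode()))
    for label, data in variants:
        out[label] = {
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    return out


def matches_api_hashes(password: str, dp: dict) -> dict:
    """Compare every candidate digest with the API-reported values.
    Returns {(candidate, algorithm): bool}. If every entry is False, the API
    fields are not a plain digest of the password under either convention."""
    api = {
        "md5": dp.get("management_password_md5", "").lower(),
        "sha256": dp.get("management_password_sha256", "").lower(),
    }
    result = {}
    for label, digests in candidate_hashes(password).items():
        for algo, digest in digests.items():
            result[(label, algo)] = (digest == api[algo])
    return result


if __name__ == "__main__":
    # Sample run against the constructed record; no match is the expected outcome.
    for key, ok in matches_api_hashes("password", SAMPLE_DP).items():
        print(key, "match" if ok else "no match")
```

If every line reports "no match" for the real record, the API values are not a straight md5/sha256 of the share password, with or without the newline, and no amount of re-encoding on your side will produce something -passhash accepts.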

8 REPLIES

loceee
Contributor

I haven't been able to find any way to generate a passhash that the jamf binary can eat.

https://jamfnation.jamfsoftware.com/discussion.html?id=2213

Apart from running a Casper imaging session that creates a management account and pilfering the firstboot script. NOT great. Bump the thread... not sure if there is a feature request for this... but there should be. I will vote for it.

scraig
New Contributor II

Well, the interesting thing is that in the Distribution Point results from the API, it lists both an MD5 and a SHA256 password... Keys are management_password_md5 and management_password_sha256. It would seem to me that these would be the password hashes in question, but maybe that's not correct. It made sense, since I was trying to mount the distribution points, to use the password hash listed for them... Running the correct password through md5 does NOT match what the API reports.

But you think it's the hashed password for the management account?

I've contacted JAMF support about this one, as I could really use the hashes from the API for automating distribution point mounting.

loceee
Contributor

Oh yeah, I hadn't seen that hashed pass via the distro points in the api. That would be very helpful. Good find.

Only place I have seen using the -passhash is when creating users with the jamf binary. And the hash is a format I haven't seen, or had clarification on from JAMF.

Be good to know what you find out on this.

scraig
New Contributor II

But your comment makes me think too... The -passhash for mounting could be the hashed password for the local casper admin account. I'll try that and see if it works.

scraig
New Contributor II

I tried the -passhash mount using the local Casper admin account's password hashed through md5, which didn't work. Nor with my (admin) user account.

loceee
Contributor

Nope. It definitely doesn't expect md5 or sha256 hashes.

Run a Casper imaging session over a test volume without a reboot. Tell it to create a management account.

Then go and sticky beak at the first boot scripts. There will be a line that calls the jamf bin with your pass hash to create the mgmt account. I haven't found a better way to generate them, but wish the -passhash would take md5 or sha256 hashes.

scraig
New Contributor II

So just to document this for other interested admins, the password hashes that are returned as part of a Distribution Point API query are not meant to be used for the --passhash option to the jamf mount command. I spoke with JAMF the other day, and the passwords, as entered in the management section of the JSS, are hashed multiple times through a secret hashing algorithm. They cannot disclose what the relationship between the "functional" hash and the hash displayed in the Distribution Point results is, and so third-party code cannot, with API access to the DP, mount the fileshares without knowing the password.

For what it's worth, if you have any business mounting the fileshares in the first place, you should probably have access to the passwords! I was interested, personally, in automating the initial setup for my AutoPkg processor JSSImporter.

Also, if you ARE interested in getting a functional password hash to use with jamf mount, JAMF gave me the procedure to retrieve it from the debug logs of the Casper Suite apps. The apps can be flipped into "Debug" mode by adding a file or directory named debug to the Support folder of the app bundle. i.e.:

touch "/Applications/Casper Suite/Casper Admin.app/Contents/Support/debug"

Then, fire up the app to the point where it mounts the fileshare. The password hash can be found in the debug log now found at ~/Library/Logs/JAMF/CasperAdminDebug.log
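Since the debug log described above holds a working credential for the share, the marker file and the log are worth cleaning up once you have what you need. The following Python is an added housekeeping check (not from the original post or from JAMF): it reports any `debug` marker still present under the Casper Suite app bundles and whether the CasperAdminDebug.log file still exists, using the paths given in the thread. The list-based helper is separated from the filesystem walk so it can be exercised on constructed paths.

```python
import os
import pathlib

# Locations taken from the thread above.
CASPER_SUITE_DIR = "/Applications/Casper Suite"
DEBUG_LOG = "~/Library/Logs/JAMF/CasperAdminDebug.log"


def debug_markers_in(paths):
    """Pure helper: from an iterable of paths, return those that are a file or
    directory named 'debug' directly inside an app bundle's Contents/Support."""
    found = []
    for p in paths:
        parts = pathlib.PurePosixPath(p).parts
        if (len(parts) >= 4
                and parts[-1] == "debug"
                and parts[-2] == "Support"
                and parts[-3] == "Contents"
                and parts[-4].endswith(".app")):
            found.append(p)
    return found


def scan_casper_suite(root=CASPER_SUITE_DIR):
    """Walk the Casper Suite folder and return debug markers actually present.
    A missing or empty folder yields an empty list."""
    candidates = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            candidates.append(os.path.join(dirpath, name))
    return debug_markers_in(candidates)


def debug_log_status(log=DEBUG_LOG):
    """Return (exists, size_in_bytes) for the debug log, so you can tell whether
    a past debug session left credential material on disk."""
    path = os.path.expanduser(log)
    if not os.path.exists(path):
        return (False, 0)
    return (True, os.path.getsize(path))


if __name__ == "__main__":
    markers = scan_casper_suite()
    for m in markers:
        print("debug marker still present:", m)
    exists, size = debug_log_status()
    if exists:
        print("debug log still on disk (%d bytes): %s" % (size, DEBUG_LOG))
    if not markers and not exists:
        print("no leftover Casper debug artifacts found")
```

Run it on the admin workstation after the procedure above; anything it lists is a file that should be removed, since the debug log is readable by anyone who can read your home folder.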

loceee
Contributor

That's handy info, but a shame you can't leverage the api. I understand their reasoning however. My old CDP rsyncing script will stay the same then.