Verify Firmware Password Extension Attribute

jbisgett
Contributor II

I need help with creating an Extension Attribute that will verify that the Firmware Password is set to what it should be set to.

firmwarepasswd -verify will return "Correct" or "Incorrect" on the local machine when the password is provided. I need to know how to create a script that will run the command and then populate the EA attribute with the information.


hkabik
Valued Contributor

I would do this as a policy / EA combo. I'd make the EA Input Type a text field with a String Data Type.

Then I'd set a policy at whatever frequency you want that runs a script that determines if the password is active and set as expected, then leverage the API to fill in the EA's text field.

The reason I'd do it this way is so you can use an encrypted string to mask the password in the script. If you did this all as an EA, you'd have to put the password right in the EA script in plain text.

The script would end up looking something like this (approximately):

#!/bin/sh

#Decrypt Encrypted Strings as variables
function DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
APIUser=$(DecryptString "$4" 'Salt' 'Passphrase')
APIPass=$(DecryptString "$5" 'Salt' 'Passphrase')
FirmwarePass=$(DecryptString "$6" 'Salt' 'Passphrase')

# Non-encrypted variables
JSSURL="https://your.jss.address:8443"

# Serial number of this Mac (ioreg output is split on the double quotes)
Serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/{print $(NF-1)}')

Result=$(firmwarepasswd -verify "$FirmwarePass")

JSSHostname="$JSSURL/JSSResource/computers/serialnumber/$Serial/subset/extensionattributes"

#Load the result into EA String
EALoad="<computer><extension_attributes><extension_attribute><id>YOUR EA ID NUMBER</id><value>$Result</value></extension_attribute></extension_attributes></computer>"

#Upload the EA String via the API (the quotes inside the XML declaration must be escaped)
curl -s -f -k -u "$APIUser:$APIPass" -X PUT -H "Content-Type: text/xml" -d "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>$EALoad" "$JSSHostname" --verbose

This is just a skeleton for it off the top of my head and would need a lot of your specifics plugged in. It also assumes you placed the encrypted strings in Parameters 4, 5 and 6 (api login, api password, and firmware password respectively).

You'll also want to read up on how encrypted strings work so you know how to get the needed info and what plugs in where in this script.

https://github.com/jamfit/Encrypted-Script-Parameters

jbisgett
Contributor II

This looks like exactly what I am looking for. Thanks. I'll test it and post back if it works.

jbisgett
Contributor II

So I tested the script without the decryption part, as I am still trying to figure out how to use the generate encryption part, and the script fails due to the firmwarepass result. The firmwarepasswd -verify command generates a prompt to enter the password, so I believe an expect script will have to be passed, to properly enter the password when the command expects a password to be entered.

Somehow similar to this:

#!/usr/bin/expect -f
# firmware password passed in as the first argument
set efipass [lindex $argv 0]
spawn firmwarepasswd -verify
expect {
    "Enter password:" {
        send "$efipass\r"
        exp_continue
    }
    eof
}

hkabik
Valued Contributor

You supplied the password in the script? I thought that command could go as such:

sudo firmwarepasswd -verify foobar

If not, apologies. I misunderstood how that command worked.

jbisgett
Contributor II

Yea, the prompt just sits there waiting for a password to be entered after running the firmwarepasswd -verify command. It does not accept it in the format you suggest, as it wants the end user to type in the password.

I'm getting closer to what I need, but I need a little clarity from something you suggested. I can't figure out how to actually use the encrypted strings command that you linked. The site just says type it in, but it doesn't explain how to set it up so that you can type it in. Would you be able to provide any steps for how to use the script to generate the encrypted strings?
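Putting the expect approach and the EA upload together, as an added example that is not code from either post: it assumes the EA id arrives as the first script argument and the already-decrypted firmware password in the FW_PASSWORD environment variable (both hypothetical names), and only the one-word verdict is ever written to the EA.

```shell
#!/bin/sh
# Added example, not code from the thread: answer the "Enter password:"
# prompt of "firmwarepasswd -verify" with expect, reduce the output to one
# word, and build the EA payload. EA id and password source are assumed.

# The password travels in the environment (FW_PASS) and is read by expect
# itself, so it appears neither on a command line nor in the script text.
verify_firmware_password() {
    FW_PASS="$1" /usr/bin/expect <<'EOF'
spawn /usr/sbin/firmwarepasswd -verify
expect {
    "Enter password:" { send "$env(FW_PASS)\r"; exp_continue }
    eof
}
EOF
}

# Reduce the raw tool output (spawn echo, prompt, verdict) to one word.
# "Incorrect" is tested first so it can never be reported as Correct.
parse_verify_result() {
    case "$1" in
        *Incorrect*) printf 'Incorrect' ;;
        *Correct*)   printf 'Correct' ;;
        *)           printf 'Unknown' ;;   # no password set, tool failed, etc.
    esac
}

# XML body for the PUT to .../computers/serialnumber/<serial>/subset/extensionattributes.
# Only the verdict is sent; the password itself never leaves the Mac.
build_ea_payload() {
    printf '<?xml version="1.0" encoding="ISO-8859-1"?>'
    printf '<computer><extension_attributes><extension_attribute>'
    printf '<id>%s</id><value>%s</value>' "$1" "$2"
    printf '</extension_attribute></extension_attributes></computer>'
}

# Hypothetical entry point: EA id as $1, password in FW_PASSWORD (e.g. the
# decrypted script parameter). Runs only when a password was supplied.
main() {
    raw=$(verify_firmware_password "$FW_PASSWORD" 2>&1)
    verdict=$(parse_verify_result "$raw")
    build_ea_payload "$1" "$verdict"   # feed this to the curl PUT shown above
}

if [ -n "${FW_PASSWORD:-}" ]; then
    main "${1:?usage: $0 <ea_id>}"
fi
```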

hkabik
Valued Contributor

Sure, it's very easy.

Paste:

function GenerateEncryptedString() {
    # Usage ~$ GenerateEncryptedString "String"
    local STRING="${1}"
    local SALT=$(openssl rand -hex 8)
    local K=$(openssl rand -hex 12)
    local ENCRYPTED=$(echo "${STRING}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
    echo "Encrypted String: ${ENCRYPTED}"
    echo "Salt: ${SALT} | Passphrase: ${K}"
}

Into an empty terminal prompt and hit return. That will create the GenerateEncryptedString function for the duration of that session.

From there all you have to do is type in:

GenerateEncryptedString "text to be encrypted"

and it will provide you a String, Salt and Passphrase for that text.

For example:

GenerateEncryptedString "Hello"

Will return:

Encrypted String: U2FsdGVkX195DgArPRSiOhRYIsEmiI/s9fNnx4qETv0=
Salt: 790e002b3d14a23a | Passphrase: 8b6ea305d2b9fd0f046f35d1

You would then place the provided encrypted string into the Script Parameters and the Salt and Passphrase into the script where noted.

jbisgett
Contributor II

That's awesome! Thanks!