lapsformac's People

Contributors

predfern

lapsformac's Issues

Not working for Mojave

I have been using this LAPS successfully for some time with clients running High Sierra and connected to JAMF Pro. This still works with High Sierra 10.13.6 and JAMF Pro 10.7.1.

I have recently started building client Macs with Mojave 10.14 and the same JAMF Pro 10.7.1 and the same script and policies. Unfortunately I am finding that it fails on these.

I am having a similar issue with a script that is supposed to temporarily reset the jamfmanager account so that it can then trigger issuing a secure token to that account for use with FileVault. This also is not working.

I therefore suspect Apple have changed the security on being able to remotely change passwords.

Anyone else seen this?

Change password policy log shows error, but works.

Thanks so much for posting this set of scripts and workflow. In my testing it is working great, but I wanted to ask one question regarding the output log in Casper when the policy runs to change the password of an existing admin account.

The script runs and works, but I get an error for some reason in the log. Not sure why.

Executing Policy LAPS for localadmin
Running script LAPS...
Script exit code: 0
Script result: unable to write 'random state'
localadmin is a local user on the Computer
A Password was found in LAPS.
Password stored in LAPS is correct for localadmin.

Updating password for localadmin.

There was an error.

Error changing password for localadmin

New password for localadmin is verified.
463LAPS password for localadmin is verified.
LAPS Update Finished.

Newline characters in password from curl

Opening this as an issue because a pull request with my current repo would include too many other changes.

ISSUE
When using curl | xpath | awk to retrieve the LAPS password from the API, the resulting value contains multiple leading newline characters.

Example:

udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
extAttName="\"LAPS\""
oldPass=$(/usr/bin/curl -skfu "$apiUser":"$apiPass" -H "Accept: application/xml" "$apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes" | /usr/bin/xpath "//extension_attribute[name=$extAttName]" 2>&1 | awk -F"<value>|</value>" '{ print $2 }')

echo "==$oldPass=="

Result:

==

aXyl47ctwer6==

This will work most of the time if you don't quote the variable when using it because bash will interpret it as "split using $IFS," but will break as soon as $IFS changes. However, proper syntax calls for quoting to prevent splitting and globbing, and that will break this method every time.

SOLUTION
Trim the whitespace characters off before using the variable. This can be accomplished a number of ways, I chose to use bash parameter expansion syntax.

Example using the variable set with curl above:

oldPass=${oldPass//[$'\t\r\n ']}
echo "==$oldPass=="

Result:
==aXyl47ctwer6==

Randomising password and keychains

I could not see any notes in the Wiki, issues (i.e. here) or Jamf Nation about this, although I may have missed one.

Similar local admin password randomisation tools to this one typically fail to solve the issue that when the local admin account's password is changed via a script, it then becomes out of sync with that user account's 'Login' and 'Local Items' keychains. As an example, this does apply to the similar macOSLAPS project.

Therefore this is a request to, if not already covered, include steps to change the passwords for the local admin account's 'Login' and 'Local Items' keychains to match the new randomised password when this LAPSforMac script runs.

As far as I can see the following could be the basis or at least partial basis for such a solution:

#!/bin/sh
localAdmin="localadmin"
oldPassword="ye-olde-password"
newPassword="shiny-shiny-password"
if [ -e /Users/"$localAdmin"/Library/KeyChains/login.keychain ] 
then
	# old file name
	/usr/bin/security set-keychain-password -o "$oldPassword" -p "$newPassword" /Users/"$localAdmin"/Library/KeyChains/login.keychain
elif [ -e /Users/"$localAdmin"/Library/KeyChains/login.keychain-db ]
then
	# new file name
	/usr/bin/security set-keychain-password -o "$oldPassword" -p "$newPassword" /Users/"$localAdmin"/Library/KeyChains/login.keychain-db
fi
# Apparently the security command does not understand the 'Local Items' keychain however hypothetically…
# hardUUID=`system_profiler SPHardwareDataType | awk '/UUID/ { print $3; }'`
# /usr/bin/security set-keychain-password -o "$oldPassword" -p "$newPassword" /Users/"$localAdmin"/Library/KeyChains/"$hardUUID"/keychain-2.db
# Could simply delete the 'Local Items' keychains using the following
# /bin/rm -rf /Users/"$localAdmin"/Library/KeyChains/"$hardUUID"

xpath

Hi

I noticed that xpath is behaving differently in Big Sur (beta); you need to add -e to get the same result on a Mac that has Big Sur (beta).

LAPS not working for macOS Big Sur?

I am now testing all my setup - especially Jamf related issues with macOS Big Sur and this includes the LAPS scripts provided here.

The existing setup works fine under macOS Catalina.

However it looks like there is a problem in macOS Big Sur. I am including the messages shown in Terminal but will continue to test and investigate further myself.

In addition to the error messages, the script asks for a password during execution which did not use to occur. Interestingly despite all this, it does appear to have succeeded in that the initial default password has been successfully changed and recorded in Jamf. (Tested by unlocking System Preferences with the new random password.)

Running script LAPS...
Password: 
Script exit code: 1
Script result: (23) Failed writing body
No Password is stored in LAPS, setting LAPS to initial value.
<?xml version="1.0" encoding="UTF-8"?><computer><id>147</id></computer>(23) Failed writing body
localadmin is a local user on the Computer
/Library/Application Support/JAMF/tmp/LAPS: line 179: recon: command not found
No Password is stored in LAPS.
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Error: Password stored in LAPS is not valid for localadmin.
Current password not available, proceeding with forced update.
Reset password for localadmin
New password for localadmin is verified.
<?xml version="1.0" encoding="UTF-8"?><computer><id>147</id></computer>(23) Failed writing body
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Error: LAPS password for localadmin is not correct!

Error running script: return code was 1.

Password Generation Routine Is Weak

The following routine is used for password generation and will lead to weak passwords a (relatively) large percentage of the time:
openssl rand -base64 10 | tr -d OoIi1lLS | head -c12;echo

The first issue arises from generating a random string whose length is not divisible by 3. Due to the way base64 encodes characters, this will always result in an output that is padded with two "=" characters. These will be characters 15 and 16, which will (most of the time) not be part of the 12 characters used for the password. Unless;
The 2nd issue arises from the "OoIi1lLS" characters being removed from the generated string. If enough characters are removed then the "=" padding characters will be the 12th and (sometimes) 11th characters of the generated password. This happens ~25% of the time (in a test of 100,000 generated passwords).
An extension of the 2nd issue also occurs when a more significant portion of the random, base64-encoded string contains the blacklisted characters. Of the 100,000 generated password sample, 1.3% were 11 characters long, 0.2% were 10 characters long, 0.03% were 9 characters long and 0.01% were 8 characters long. Keep in mind that every one of these diminished passwords will end with two of the "=" padding characters, i.e. those characters are known, so brute-forcing efforts only need to consider the remaining characters.

The overall result of this is the setting of unintentionally weak passwords for admin accounts and the generation of password hashes that go from infeasible in their entropy and complexity to bruteforceable in minutes/hours.

As a slight update, this routine could theoretically set a password of 2 characters where those characters would be "==" each and every time.
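The failure described in this issue can be reproduced without openssl by modelling the pipeline step by step. The following is an added example, not code from the lapsformac project: it re-implements `openssl rand -base64 10 | tr -d OoIi1lLS | head -c12` in Python (the function and variable names are the example's own), measures how often the padding leaks into the 12-character result, and shows a fixed-length generator that cannot emit "=" or a short password. The worst-case input bytes are constructed so that every base64 character except the last is in the stripped set.

```python
"""Model of the LAPSforMac password pipeline and a fixed-length replacement.

Added example (not code from the lapsformac project). It re-implements the
shell pipeline  openssl rand -base64 10 | tr -d OoIi1lLS | head -c12  so the
padding/truncation failure can be reproduced offline, and shows a generator
that cannot produce '=' or short passwords.
"""
import base64
import secrets
import string

STRIPPED = set("OoIi1lLS")   # the tr -d character list from the script
WANTED_LEN = 12


def weak_pipeline(raw: bytes) -> str:
    """Reproduce the shell pipeline on 10 random bytes ``raw``.

    openssl rand -base64 10 prints 16 base64 characters (the last two are
    '=' padding because 10 is not a multiple of 3) plus a newline; tr -d
    deletes the blacklisted characters; head -c12 keeps the first 12 bytes.
    Command substitution strips a trailing newline, which is what happens
    when the script assigns the result to a variable.
    """
    encoded = base64.b64encode(raw).decode("ascii") + "\n"
    filtered = "".join(c for c in encoded if c not in STRIPPED)
    return filtered[:WANTED_LEN].rstrip("\n")


def is_weak(password: str) -> bool:
    """True when the pipeline leaked padding or came up short."""
    return len(password) < WANTED_LEN or "=" in password


def weak_rate(samples: int = 20000) -> float:
    """Fraction of pipeline outputs that are weak, measured by sampling."""
    hits = sum(is_weak(weak_pipeline(secrets.token_bytes(10))) for _ in range(samples))
    return hits / samples


# Same unambiguous alphabet the script aims for, applied before drawing
# characters rather than by post-filtering an encoded string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in STRIPPED)


def strong_password(length: int = WANTED_LEN) -> str:
    """Fixed-length password drawn uniformly from ALPHABET.

    Each character is chosen independently with secrets.choice, so there is
    no base64 padding and no filtering step that can shorten the result.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed worst case: bytes whose base64 form is "OOOOOOOOOOOOOA==";
    # every 'O' is stripped and the padding lands inside the password.
    worst = bytes.fromhex("38e38e38e38e38e38e38")
    print("worst case:", repr(weak_pipeline(worst)))
    print(f"weak outputs in sample: {weak_rate():.1%}")
    print("replacement:", strong_password())
```

Because the 14th base64 character of a 10-byte input only carries two bits, it is always one of A, Q, g or w and is never stripped, so the shortest output the model can produce is three characters such as "A==". The sampled weak rate comes from this model, not from the reporter's 100,000-password test, and lands in the same region as the ~25% they observed.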

Clarity on script needed

In the LAPS Account Creation script the following exist:

LAPSaccountEvent=""
LAPSaccountEventFVE=""
LAPSrunEvent=""

I am unsure what this is calling for. Can you clarify?

Random Failure

I was curious if you have ever seen a failure like this happen occasionally. It seems to fix itself; it just fails sometimes...

Script result: simpleit is a local user on the Computer
A Password was found in LAPS.
Password stored in LAPS is correct for simpleit.
Updating password for simpleit.
Reset password for simpleit
New password for simpleit is verified.
<html>
<head>
 <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Bad Request</p>
<p>Error in XML file</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Error: LAPS password for simpleit is not correct!

This is the part that is really confusing me...

<html>
<head>
 <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Bad Request</p>
<p>Error in XML file</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

Old Password not backed up?

Able to create the account and confirm the account password is being seen in the Extension Attribute of the computer, but the script is not able to see that?
What am I missing?
[Screenshot attached: Screen Shot 2020-01-15 at 4 33 32 PM]

Error: Password reset for {account} was not successful

I am testing out the LAPS.sh script. I have the extension attribute in place and have manually created {account} on the machine.

I manually run the policy with the script and I receive:

Running LAPS...
Current password not available, proceeding with forced update for {account}
Verify new password for {account}
Error: Password reset for {account} was not successful

Not quite sure where to look for troubleshooting. Do you have any suggestions?

parameter values.....

Hi, not an issue, more of a newbie not knowing what parameter values to put:

    Parameter 9: LAPS Account Event
    Parameter 10: LAPS Account Event FVE
    Parameter 11: LAPS Run Event

I know that FVE is the File Vault Enabled, but unsure as to what these parameters values are meant to be populated with.

Thanks in advance
Paul
