joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows.
MIT License

Retrieving the password with a custom attribute script in version 4.0.0 #104

Open mhu4711 opened 1 month ago

mhu4711 commented 1 month ago

I've been testing the current macOSLAPS pre-release version (4.0.0 Build 845) and had a bit of a struggle in figuring out how to actually retrieve the password via the new "temporary keychain item" method (since I couldn't find any documentation for it).

Here's a modification for the existing custom attribute script that I've come up with, in case somebody else has a need for it:

```bash
## $LAPS is set earlier in the existing custom attribute script

## Ask macOSLAPS to write out the current password to the system keychain
$LAPS -getPassword > /dev/null

SERVICE_NAME=$(/bin/cat /var/root/.GeneratedLAPSServiceName)
## Discard stderr only, so the password on stdout is still captured
CURRENT_PASSWORD=$(/usr/bin/security find-generic-password -s "$SERVICE_NAME" -w 2> /dev/null)
CURRENT_EXPIRATION=$(/usr/bin/security find-generic-password -s "$SERVICE_NAME" | /usr/bin/grep -Eo "\d{4}-\d{2}-\d{2}.*\d")

## Test $CURRENT_PASSWORD to ensure there is a value
if [ -z "$CURRENT_PASSWORD" ]
then
    echo "ERROR: failed to retrieve password"
    exit 1
else
    /bin/echo "Password: $CURRENT_PASSWORD | Expiration: $CURRENT_EXPIRATION"
    ## Run macOSLAPS a second time to remove the password export entry from the system keychain
    $LAPS > /dev/null
fi
```

joshua-d-miller commented 4 weeks ago

This is great. I may take inspiration from this or just copy and put it in the Wiki. Either way I'll be sure to credit you 👍. Thank you for this!