joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows
MIT License
387 stars 58 forks

Retrieving the password with a custom attribute script in version 4.0.0 #104

Open mhu4711 opened 4 months ago

mhu4711 commented 4 months ago

I've been testing the current macOSLAPS pre-release version (4.0.0 Build 845) and had a bit of a struggle in figuring out how to actually retrieve the password via the new "temporary keychain item" method (since I couldn't find any documentation for it).

Here's a modification for the existing custom attribute script that I've come up with, in case somebody else has a need for it:

```bash
## $LAPS must already hold the path to the macOSLAPS binary
## Ask macOSLAPS to write out the current password to the system keychain
$LAPS -getPassword > /dev/null
SERVICE_NAME=$(/bin/cat /var/root/.GeneratedLAPSServiceName)
## Only stderr is discarded here; "2&>" would have passed "2" as an argument and swallowed the password
CURRENT_PASSWORD=$(/usr/bin/security find-generic-password -s "$SERVICE_NAME" -w 2> /dev/null)
CURRENT_EXPIRATION=$(/usr/bin/security find-generic-password -s "$SERVICE_NAME" | /usr/bin/grep -Eo "\d{4}-\d{2}-\d{2}.*\d")

## Test $CURRENT_PASSWORD to ensure there is a value
if [ -z "$CURRENT_PASSWORD" ]
then
    echo "ERROR: failed to retrieve password"
    exit 1
else
    /bin/echo "Password: $CURRENT_PASSWORD | Expiration: $CURRENT_EXPIRATION"
    ## Run macOSLAPS a second time to remove the password export entry from the system keychain
    $LAPS > /dev/null
fi
```

joshua-d-miller commented 4 months ago

This is great. I may take inspiration from this or just copy and put it in the Wiki. Either way I'll be sure to credit you 👍 . Thank you for this!

FocusTechnologiesAdmin commented 1 month ago

Hi!

Thank you SO MUCH for this amazing script! In our experience using this, there were a few issues:

  1. $LAPS was not defined
  2. /dev/nulls were stopping the variables from loading properly, we removed a few of them for now
  3. Additionally, the output for $SERVICE_NAME was being returned for us with a % symbol at the end. So we modified the script with a sed to remove the % character if found.
```bash
## Ask macOSLAPS to write out the current password to the system keychain
/usr/local/laps/macOSLAPS -getPassword
SERVICE_NAME=$(sudo /bin/cat /var/root/.GeneratedLAPSServiceName)
SERVICE_NAME=$(echo "$SERVICE_NAME" | sed 's/%//g')
CURRENT_PASSWORD=$(sudo /usr/bin/security find-generic-password -s "$SERVICE_NAME" -w)
CURRENT_EXPIRATION=$(sudo /usr/bin/security find-generic-password -s "$SERVICE_NAME" | /usr/bin/grep -Eo "\d{4}-\d{2}-\d{2}.*\d")

## Test $CURRENT_PASSWORD to ensure there is a value
if [ -z "$CURRENT_PASSWORD" ]
then
    echo "ERROR: failed to retrieve password"
    exit 1
else
    echo "Password: $CURRENT_PASSWORD | Expiration: $CURRENT_EXPIRATION"
    ## Run macOSLAPS a second time to remove the password export entry from the system keychain
    # echo "Clearing the temporarily stored password from the keychain"
    /usr/local/laps/macOSLAPS > /dev/null
fi
```
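Added example, not code from the macOSLAPS project or from either commenter: the same retrieval flow, but the second macOSLAPS run that clears the temporary keychain item is registered as an EXIT trap, so the password is not left behind in the system keychain when the lookup fails or the script is interrupted (both scripts above only clear it on the success branch). The binary and service-name file paths are the ones given in the thread; the function names are assumed, and `[0-9]` replaces `\d` so the grep behaves the same under BSD and GNU grep.

```bash
#!/bin/bash
# Added example, not from the macOSLAPS project or the commenters above.
# Paths are the ones given in the thread; the function names are assumed.
LAPS="${LAPS:-/usr/local/laps/macOSLAPS}"
SERVICE_NAME_FILE="/var/root/.GeneratedLAPSServiceName"

# Strip the stray trailing '%' reported above, plus any whitespace or newline,
# from the generated service name.
sanitize_service_name() {
    printf '%s' "$1" | tr -d '%[:space:]'
}

# Pull the expiration stamp (YYYY-MM-DD ... ending in a digit) out of the
# `security` attribute dump. [0-9] is used instead of \d so BSD and GNU grep
# agree; head keeps only the first match.
extract_expiration() {
    printf '%s\n' "$1" | grep -Eo '[0-9]{4}-[0-9]{2}-[0-9]{2}.*[0-9]' | head -n 1
}

# The second macOSLAPS run removes the temporary keychain item. Registered as
# an EXIT trap so it also runs after 'return 1' below or on an interrupted run.
clear_temporary_password() {
    "$LAPS" > /dev/null 2>&1 || true
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "ERROR: must run as root" >&2
        return 1
    fi
    "$LAPS" -getPassword > /dev/null 2>&1
    trap clear_temporary_password EXIT
    service_name="$(sanitize_service_name "$(cat "$SERVICE_NAME_FILE")")"
    password="$(security find-generic-password -s "$service_name" -w 2>/dev/null)"
    if [ -z "$password" ]; then
        echo "ERROR: failed to retrieve password" >&2
        return 1
    fi
    attrs="$(security find-generic-password -s "$service_name" 2>/dev/null)"
    expiration="$(extract_expiration "$attrs")"
    echo "Password: $password | Expiration: $expiration"
}

# Run the flow only where the macOSLAPS binary is actually installed, so the
# helper functions can be sourced and checked elsewhere.
if [ -x "$LAPS" ]; then
    main
fi
```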