joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License
387 stars 58 forks source link

security does not have access to view keychain for LAPS password #105

Closed taagokoster closed 4 months ago

taagokoster commented 4 months ago

Been testing 4.0.0 build 845, and the documentation mentions that security should have access to view the password in keychain after running a -resetPassword command. But in my case security does not appear to have access to view the password, and at the moment this is prevent storing the password anywhere else. SCR-20240715-nune

joshua-d-miller commented 4 months ago

Hello @taagokoster,

When you run the -getpassword flag in 4.0.0 it creates a file with a unique identifier. That unique identifier is a temporary keychain item that allows security to read it and has the LAPS password.

Thanks!

taagokoster commented 4 months ago

Thank you for replying this quick @joshua-d-miller !

image Am I doing something wrong? What command should I be using to extract this password using security to succcessfully escrow it to eg Kandji? Testing it locally I get a prompt for my admin creds, and from MDM side the password itself is blank as it can't read it using security.

taagokoster commented 4 months ago

Or is this an expected behaviour and it can only be accessed after giving permissions? If so, any recommendations on how to grab the current password to store in MDM?

joshua-d-miller commented 4 months ago

So the path would be to generate the random keychain item by using macOSLAPS -getpassword then using the security command with the contents of that file to grab the UUID. I believe someone put something together in the MacAdmins Slack. Here is a link as it's one of my issues. https://github.com/joshua-d-miller/macOSLAPS/issues/104. Once I have some more time I plan to document this as it's still a release candidate and then add it to the wiki.

taagokoster commented 4 months ago

Nice! Can confirm, I was able to get that working too. Thank you very much!