joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Obfuscate Password #53

Closed frutiger1 closed 2 years ago

frutiger1 commented 3 years ago

Is it possible to base64 encode or completely hide the password from the Profiles System Preference?

joshua-d-miller commented 3 years ago

We technically could use base64 encoding however the FirstPass key is meant to be a burner password and is usually changed once macOSLAPS is installed. In most setups, this password would only be good for a temporary amount of time. While we could base64 encode it, that also means someone could just as easily base64 decode it so I'm not sure if that would give you the intended results of additional security. Hiding the key from system preferences in the profiles tab I don't believe is possible but I would be happy to look into that possibility.

wakco commented 3 years ago

Another idea might be to not include the FirstPass in the Config Profile, and instead when installing macoslaps, write it to the preference file with defaults, perform the first run, then remove the preference file. i.e.

    defaults write /Library/Preferences/edu.psu.macoslaps.plist FirstPass "FirstPassword"
    /usr/local/laps/macOSLAPS
    rm -f /Library/Preferences/edu.psu.macoslaps.plist

Although a command line option such as -FirstPass "FirstPassword" might be a better option if added, as then we could simply tell macoslaps that it is running for the first time. Which in turn could be a way of handling repairs of the account if the password got changed by other methods.
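A wrapper that scripts the first-run flow wakco describes, as an added example (not macOSLAPS's own code): it keeps the burner password in the preference file only for the duration of the run and removes the file even when the run fails. The binary and plist paths, the defaults(1) call form and the overridable DEFAULTS/LAPS_BIN variables are assumptions.

```shell
# Hypothetical first-run wrapper (added example, not part of macOSLAPS).
# Assumed paths: /usr/local/laps/macOSLAPS and the edu.psu.macoslaps plist.
# DEFAULTS and LAPS_BIN can be overridden so the flow can be exercised
# without a macOS host (a test substitutes shell functions for both).

LAPS_PLIST="${LAPS_PLIST:-/Library/Preferences/edu.psu.macoslaps.plist}"
LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"
DEFAULTS="${DEFAULTS:-defaults}"

# Never leave the plaintext burner password behind, even on Ctrl-C.
trap 'rm -f "$LAPS_PLIST"' EXIT

# laps_first_run PASSWORD
# Writes FirstPass, runs macOSLAPS once, removes the preference file.
# Returns macOSLAPS's own exit status (2 if no password was supplied).
laps_first_run() {
    local first_pass="$1" rc=0
    [ -n "$first_pass" ] || { echo "empty FirstPass" >&2; return 2; }

    # defaults(1) creates the plist if it does not exist yet.
    "$DEFAULTS" write "$LAPS_PLIST" FirstPass "$first_pass" || return 1
    chmod 600 "$LAPS_PLIST"   # root-only while the plaintext is on disk

    # Capture the exit status instead of aborting, so cleanup still runs.
    "$LAPS_BIN" || rc=$?

    # Remove the burner password whether the rotation succeeded or not.
    rm -f "$LAPS_PLIST"
    return "$rc"
}
```

Run as root with the burner password as the single argument, e.g. from the same installer step that deploys the binary.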

joshua-d-miller commented 3 years ago

@wakco this is actually a great idea and I might be able to incorporate this.

reuven-cohen commented 3 years ago

I would suggest taking it a step further and also encrypting the password stored in the local file. Then add a decryption function to the EA. This way if a user or someone else gets temporary elevated rights and locates the local file, they would have access to the account.

wegotoeleven commented 3 years ago

I second the command line idea that @wakco mentions...! It would mean that we could build this into a script in Jamf Pro, and specify the FirstPass variable as a positional parameter in a policy to be passed to the script!

Would love to see this :)

joshua-d-miller commented 3 years ago

I like this idea and I'm hoping over the holiday to make some changes and update macOSLAPS. I think adding a FirstPass command line argument shouldn't be too hard. Thank you for the suggestion. I'm sorry I haven't responded. My new gig is busy and great.

joshua-d-miller commented 2 years ago

Please try the prerelease of macOSLAPS which now includes the ability to specify a FirstPassword at the command line using the following:

    /usr/local/laps/macOSLAPS -firstPass "PasswordHere"

Prerelease is here: https://github.com/joshua-d-miller/macOSLAPS/releases/tag/3.0.0(752)

joshua-d-miller commented 2 years ago

Please use the latest release as it should address this feature request.