joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Password Reset Function Cannot Find a Password that Meets Requirements #93

Open brianhm opened 1 year ago

brianhm commented 1 year ago

Monterey 12.6.3 MacBook Pro (13-inch, M1, 2020)

Script result: Error|2023-02-15 16:30:15|macosLAPS|We were unable to generate a password with the requirements specified. Please run macOSLAPS again or change your password requirements

Script being Used:

```bash
#!/bin/bash

# Manual Reset of LAPS Password

/usr/local/laps/macosLAPS -resetPassword

exit 0
```

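Configuration Profile being Used: Preference Domain: edu.psu.macoslaps

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DaysTillExpiration</key>
    <integer>1</integer>
    <key>LocalAdminAccount</key>
    <string>servicedesk</string>
    <key>PasswordLength</key>
    <integer>14</integer>
    <key>RemovePassChars</key>
    <string>{}[]|</string>
    <key>Method</key>
    <string>Local</string>
    <key>PasswordRequirements</key>
    <dict>
        <key>Lowercase</key>
        <integer>2</integer>
        <key>Uppercase</key>
        <integer>2</integer>
        <key>Number</key>
        <integer>2</integer>
        <key>Symbol</key>
        <integer>2</integer>
    </dict>
</dict>
</plist>
```
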
joshua-d-miller commented 1 year ago

Hello there!

I believe I found the issue in ValidatePassword.Swift. The original line was this:

```swift
"[.*! \"#$%&'()*+,-./:;<=>?@\\[\\\\\\]^_`{|}~]"
```

When we are creating this requirement for the amount of symbols, I believe we need .* in front of it like the others, so it should look like this:

```swift
".*[.*! \"#$%&'()*+,-./:;<=>?@\\[\\\\\\]^_`{|}~]"
```

I will hopefully publish a new build over the weekend that you can try and see if this remedies the issue.

Thanks!

brianhm commented 1 year ago

This now appears to only happen on my Ventura test box, for what it's worth. Running 13.2.1. I've been able to reset it as many times as I want on my Monterey box with no issues. Here is the config profile from Managed Preferences folder:

```
user@USC02VD0XKHV2T ~ % plutil -p /Library/Managed\ Preferences/edu.psu.macoslaps.plist
{
  "DaysTillExpiration" => 1
  "LocalAdminAccount" => "admin"
  "Method" => "Local"
  "PasswordLength" => 14
  "PasswordRequirements" => {
    "Lowercase" => 2
    "Number" => 2
    "Symbol" => 2
    "Uppercase" => 2
  }
  "RemovePassChars" => "{}[]|"
}
```

brianhm commented 1 year ago

Any updates, Joshua?

JordyThery commented 6 months ago

I've encountered the same on Ventura / Sonoma. I've opened the project in Xcode and am able to change that line Joshua shared in February 2023. I can sign it with my own developer account but that's probably not the proper way to go forward.

joshua-d-miller commented 5 months ago

Hi there!

Could you try the 4.0.0 prerelease version and let me know if the Password Requirements seem to work better now? The new method is: we grab your requirements and get the characters needed to fulfill each requirement, shuffle them, then we generate the rest of your password, and finally shuffle the characters around again for a random password that should meet your requirements.

Thanks!
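
The approach described in the comment above, sketched as an added example (not macOSLAPS's own code): the password is built to satisfy the requirements by construction, so no generate-then-validate retry loop can fail. The names `generatePassword`, `PasswordError` and `classes`, and the symbol set used, are assumptions made for illustration; the settings at the bottom are the ones from the profile in this issue.

```swift
import Foundation

enum PasswordError: Error {
    case requirementsExceedLength      // sum of minimum counts > PasswordLength
    case emptyClass(String)            // unknown class, or RemovePassChars removed every character
}

// Hypothetical character classes; the symbol list is an assumption, not the project's list.
let classes: [String: String] = [
    "Lowercase": "abcdefghijklmnopqrstuvwxyz",
    "Uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "Number": "0123456789",
    "Symbol": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
]

func generatePassword(length: Int, requirements: [String: Int], remove: String) throws -> String {
    var rng = SystemRandomNumberGenerator()    // system CSPRNG on Apple platforms
    let banned = Set(remove)
    // Strip excluded characters from every class before drawing anything.
    var pools: [String: [Character]] = [:]
    for (name, chars) in classes {
        pools[name] = Array(chars).filter { !banned.contains($0) }
    }
    // Fail with a precise reason instead of retrying an impossible policy.
    guard requirements.values.reduce(0, +) <= length else {
        throw PasswordError.requirementsExceedLength
    }
    var password: [Character] = []
    // 1. Draw exactly the required number of characters from each class.
    for (name, count) in requirements where count > 0 {
        guard let pool = pools[name], !pool.isEmpty else { throw PasswordError.emptyClass(name) }
        for _ in 0..<count { password.append(pool.randomElement(using: &rng)!) }
    }
    // 2. Fill the remaining positions from the union of all allowed characters.
    let all = pools.values.flatMap { $0 }
    guard !all.isEmpty else { throw PasswordError.emptyClass("all") }
    while password.count < length { password.append(all.randomElement(using: &rng)!) }
    // 3. A single uniform shuffle at the end hides where the required characters were
    //    placed (an earlier shuffle of the required part adds nothing further).
    return String(password.shuffled(using: &rng))
}

// Settings from the configuration profile in this issue.
let pw = try generatePassword(
    length: 14,
    requirements: ["Lowercase": 2, "Uppercase": 2, "Number": 2, "Symbol": 2],
    remove: "{}[]|")
let digits = pw.filter { $0.isNumber }.count
print("length:", pw.count, "digits:", digits, "has banned:", pw.contains { "{}[]|".contains($0) })
```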