Encrypt password in new user script

Question

Level 1

5 points

Encrypt password in new user script

I posted this in another forum, but got the tip to ask here instead, so...

I'm building a script that creates a new user, but I have not been able to solve how to generate an encrypted password, put this in the script and let dscl set the password (encrypted) for the user.
I don't want to put the password in clear text inside the script.

In Ubuntu you can do it like this:

Encrypt the password:
+mkpasswd -s <password>+

Set encrypted passwd:
+usermod -p <encrypted_passwd> <user_name>+

But in Mac OS X, there exist no "mkpasswd" or "usermod" so my question is if anyone knows how to solve this problem?

MBP Rev A, Mac OS X (10.6.2)

Posted on Jan 18, 2010 7:01 AM

Reply

Answer 1

Best reply

Nils C. Anderson

Level 4

3,495 points

Jan 18, 2010 4:11 PM in response to psychozz

to generate the encrypted passwds you can use

slappasswd

or

openssl passwd
see: man 1ssl passwd for details.

Both come with OS X.

Reply

Answer 2

psychozz Author

Level 1

5 points

Jan 18, 2010 11:06 PM in response to Nils C. Anderson

@Nils: Thanks! But I've already tried openssl passwd with no luck and just tested slappasswd with the same results. Well I get the outputs from these commands, but how do I set the password on a user?
I've tried with "dscl . -passwd /Users/<user> <encrypted_passwd>"
but when I try to authenticate with "dscl . -authonly <username>" I get "Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)"

Do I need to add something to the "AuthenticationAuthority" key? (I've already tried ";SHA1; ;MD5; ;SSHA;")

Reply

Answer 3

Jan 19, 2010 5:34 PM in response to psychozz

Sorry, i didn't have time to futz with dscl. But I did take a quick look at the
[passwd(1)|http://developer.apple.com/mac/library/documentation/Darwin/Reference /ManPages/man1/passwd.1.html|passwd -- modify a user's password] manpage. And from the looks of it, it may be what you want. It's linked to the OpenDirectory framework.

I'll try to take a look at the dscl command later.

Reply

Answer 4

psychozz Author

Level 1

5 points

Jan 20, 2010 6:21 AM in response to Nils C. Anderson

@Nils: Tested with passwd, but no luck. It sets the hash as the password. In Ubuntu for example "usermod -p" allows you to set an encrypted password (see: http://www.computerhope.com/unix/usermod.htm) But I can't find any information if dscl or passwd is accepting encrypted passwords, and if so how the command looks like.

Reply

Answer 5

etresoft

Level 8

47,560 points

Jan 20, 2010 7:43 AM in response to psychozz

You might want to try reporting this over in the MacOS X Server forum.

Reply

Answer 6

Jan 20, 2010 6:45 PM in response to psychozz

Take a look at Chapter 1 in this book. Right around page 32 and 33.
It shows 2 methods for creating users. Its expecting the password to be
in clear text. But the password is stored a separate file, not within the
script or on the command line.

[Mac OS X Directory Services V10.6: A Guide to Configuring Directory Services|http://books.google.com/books?id=yIrvTUC2INoC&lpg=PP1&dq=Apple%20Direc tory%20Services&pg=PA32#v=onepage&q=Apple%20Directory%20Services&f=false]

Reply