joshua-d-miller/macOSLAPS

Obfuscate Password

frutiger1 opened this issue · 8 comments

Is it possible to base64 encode or completely hide the password from the Profiles System Preference?

We technically could use base64 encoding however the FirstPass key is meant to be a burner password and is usually changed once macOSLAPS is installed. In most setups, this password would only be good for a temporary amount of time. While we could base64 encode it, that also means someone could just as easily base64 decode it so I'm not sure if that would give you the intended results of additional security. Hiding the key from system preferences in the profiles tab I don't believe is possible but I would be happy to look into that possibility.

wakco commented

Another idea might be to not include the FirstPass in the Config Profile, and instead when installing macoslaps, write it to the preference file with defaults, perform the first run, then remove the preference file. i.e.

# write the burner FirstPass to the local preference file
defaults write /Library/Preferences/edu.psu.macoslaps.plist FirstPass "FirstPassword"
# perform the first run, which rotates the account password
/usr/local/laps/macoslaps
# remove the preference file so the burner password is no longer on disk
rm -f /Library/Preferences/edu.psu.macoslaps.plist

Although a command line option such as -FirstPass "FirstPassword" might be a better option if added, as then we could simply tell macoslaps that it is running for the first time. Which in turn could be a way of handling repairs of the account if the password got changed by other methods.
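The temporary-preference-file flow described above, written out as an added shell script that is not part of this thread or the macOSLAPS project. It keeps the plist and binary paths from the comment, adds a trap so the preference file is removed even if macOSLAPS fails or the script is interrupted, restricts the file to root while it exists, and falls back to writing an XML plist when `defaults` is unavailable. The LAPS_PLIST/LAPS_BIN overrides and the function names are assumptions of this example, not macOSLAPS features.

```shell
#!/bin/bash
# Added example: seed a one-time FirstPass through a temporary preference file
# rather than a configuration profile, and make sure the file never outlives the run.
set -eu

# Paths from the thread; overridable (an assumption of this example) so the flow
# can be exercised against a stand-in binary.
LAPS_PLIST="${LAPS_PLIST:-/Library/Preferences/edu.psu.macoslaps.plist}"
LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"

# Write the FirstPass key. `defaults write` (as in the comment) is the native tool;
# the printf fallback produces an equivalent XML plist where `defaults` does not exist.
write_firstpass() {
    local plist="$1" password="$2" escaped
    if command -v defaults >/dev/null 2>&1; then
        defaults write "$plist" FirstPass -string "$password"
    else
        # escape XML metacharacters so any password survives the round trip (& first)
        escaped=$(printf '%s' "$password" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n\t<key>FirstPass</key>\n\t<string>%s</string>\n</dict>\n</plist>\n' "$escaped" > "$plist"
    fi
    # root-only while the burner password is on disk
    chmod 600 "$plist"
}

# Remove the preference file; also registered with trap so it runs on failure or signal.
cleanup_firstpass() {
    rm -f "$1"
}

# Write the key, run macOSLAPS once, remove the key, and return macOSLAPS's exit status.
seed_first_pass() {
    local password="$1" plist="${2:-$LAPS_PLIST}" bin="${3:-$LAPS_BIN}" rc=0
    trap 'cleanup_firstpass "'"$plist"'"' EXIT INT TERM
    write_firstpass "$plist" "$password"
    "$bin" || rc=$?
    cleanup_firstpass "$plist"
    trap - EXIT INT TERM
    return "$rc"
}

# Stand-alone use: seed_first_pass "FirstPassword"
```

The script still leaves the burner password in the shell's argument list and, on macOS, in the `defaults` process arguments for the moment it runs, which is why the later `-firstPass` command-line option in the thread does not remove that exposure either; the point of the trap and `chmod 600` is only to keep the password from persisting on disk.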

@wakco this is actually a great idea and I might be able to incorporate this.

I would suggest taking it a step further and also encrypting the password stored in the local file.
Then add a decryption function to the EA. This way if a user or someone else gets temporary elevated rights and locates the local file, they would have access to the account.

I second the command line idea that @wakco mentions...! It would mean that we could build this into a script in Jamf Pro, and specify the FirstPass variable as a positional parameter in a policy to be passed to the script!

Would love to see this :)

I like this idea and I'm hoping over the holiday to make some changes and update macOSLAPS. I think adding a FirstPass command line argument shouldn't be too hard. Thank you for the suggestion. I'm sorry I haven't responded. My new gig is busy and great.

Please try the prerelease of macOSLAPS which now includes the ability to specify a FirstPassword at the command line using the following: /usr/local/laps/macOSLAPS -firstPass "PasswordHere"

The prerelease is here: https://github.com/joshua-d-miller/macOSLAPS/releases/tag/3.0.0(752)

Please use the latest release as it should address this feature request.