Help OS X script : password input

Hello

Sorry for the question..

I would like to make a script for OS X that allows me to change the password for a user account.
I have to use this script on several iMacs with the same user/password.
I want to store the passwords inside the script; no security problems involved.

The command is:

dscl . passwd Users/account_name

When I run the command, the terminal asks me to enter:

- New Password :
- Permission denied. Please enter user's old password: 

Example: new password: test
old password: test2

dscl . passwd Users/account_name
- auto enter test
- auto enter test2

Thank you
and sorry for my English :slight_smile:

The script is okay, I suppose. One way to stop the request for the user's old password is to use sudo and the /etc/sudoers file. You can also enable or disable the root user from the command line, which is not the preferred method.

Documentation here:
How to enable the root user on your Mac - Apple Support <- enabling/disabling root
sudo OSX Man Page | SS64.com <- sudo starting point.

1 Like

You don't tell us which version of OSX you are using so be aware of this, the csrutil command:-

This originated in El-Capitan, (OSX 10.11.x).

Thanks to '[MA]Flying_Meat' for pointing it out to me.

1 Like

Thank you for the help.

Unfortunately I cannot enable the root account on all the iMacs.

I will try to give you more details:

I have 20 iMacs with 2 user accounts (both Administrators).
I have to change the password for both accounts on all the iMacs.

All the iMacs run the latest OS X version, 10.12.x?

I would like to make a script that I can send to every iMac using the Apple remote tool, and that will save me a lot of time.

I'm a beginner user of the OS X terminal...

This is an example of what I want to do:

  • 20 iMacs
  • user account names: Administrator & SSH
  • old password for Administrator & SSH: "AAA"
  • new password to enter for both accounts: "BBB"

#script to change password

dscl . passwd Users/Administrator 
<<a command that can enter automatically the new password stored in the script>>
<<a command that can enter automatically the old password stored in the script>>

dscl . passwd Users/SSH
<<a command that can enter automatically the new password stored in the script>>
<<a command that can enter automatically the old password stored in the script>>

Thank you for any help.

This sort of operation is intentionally blocked in OSX and most UNIX in general. UNIX logins and login-related tools (and even remote tools, like ssh) accept passwords typed by a human being in real time - not from files, scripts, variables, command-line options, CGI, or anything else. Nothing but an interactive terminal will do.

This is to prevent people from writing scripts which automatically escalate themselves into other people's privileges or especially into root privileges. Anyone could read such a script and discover the secret to subverting your systems. This also places another barrier in the way of an attacker trying to do the same sort of thing you are.

Not even root can really avoid this; it just cuts out the middleman, since it doesn't actually need to log in to anything to update anyone's password entries.

You may need to rethink what you're trying to do. Some sort of privileged login should be involved, either via sudo or root itself, not brute-forcing passwords into inputs meant to be typed into. (Which you could, with the third-party expect brute-forcing tool, but that shouldn't be done on a regular basis.)

1 Like
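
The privileged route suggested in the replies above (sudo or root instead of answering the prompts), as an added example that is not part of the thread: when run as root, dscl is given only the new password, and that password is read from standard input so it is never stored in the script. The function names, the `--run` switch and the file name `setpw.sh` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): set a local macOS account password
# as root with dscl, reading the new password from stdin.

# Accept only plain short names so nothing unexpected reaches dscl.
valid_account() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read one line from stdin (with or without a trailing newline);
# refuse an empty password.
read_new_password() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Return codes: 2 bad name, 3 not root, 4 dscl missing,
#               5 no such account, 6 empty password.
set_password() {
    account=$1
    valid_account "$account" || return 2
    [ "$(id -u)" -eq 0 ] || return 3
    command -v dscl >/dev/null 2>&1 || return 4
    dscl . -read "/Users/$account" >/dev/null 2>&1 || return 5
    new_pw=$(read_new_password) || return 6
    # As root, dscl needs only the new password, not the old one.
    # dscl takes it as an argument, so it is briefly visible in the
    # process list of that machine while the command runs.
    dscl . -passwd "/Users/$account" "$new_pw"
}

# Hypothetical invocation:
#   sudo sh setpw.sh --run Administrator < newpw.txt
if [ "${1:-}" = "--run" ]; then
    set_password "${2:-}"
fi
```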

Thank you for the accurate description.
So basically there is not any way to avoid this problem?
I would like to make an automation that allows me to do this massive task in a single click...
In your opinion, is there a way using any other workaround?
Like the root account or anything else.

I've done some research on the web, and I've found an SSH key...
It should be a way to store a specific key (like a password) and to evoke it when needed.
Could it be used for my task?
And if yes, what would be the code to store and evoke a key?

I really appreciate all the help, thank you.

Did you read my post #3 or am I wasting my time?

Research these two items first:-

Gatekeeper (macOS - Wikipedia)
System Integrity Protection - Wikipedia

Apple is a tough nut to crack externally even with _root_ access.

Even when you have terminal root access you are NOT able to write to many root owned areas.

Again research those two URLs above.

Sorry, I completely missed the last part of your message; I had just seen the "OS X version" request and I started with the reply.

OK, I've done some research:
basically I can disable the SIP protection using csrutil
or the Gatekeeper using spctl.
This will grant me a lot of possibilities, but I'm still not sure about how I can run a password stored in the script.

I've seen that a command could be "send", but I'm not sure if I can run it on my Mac.
I will make an attempt.

Thank you again

Not without installing third-party applications and/or arranging privileged access first.

Maybe -- if you enabled ssh servers, enabled root, and enabled ssh root logins on all your machines first. That would allow you to ssh into root. You would still have the problem of password inputs - but at least you would be root.

That's kind of the point - these shenanigans are locked down by default.

1 Like

Thanks Corona688, you saved me from all the rigmarole of explaining.

@araan87.
As an addendum, there is a reason why Apple keeps you locked out. I think it is called security.
As soon as 'root' becomes the default operating mode for your potential task your system is WWIIDDEE open to third party _attacks_.
Do you want that? <- Rhetorical!
Security is only as good as its weakest link!