Details
- Bug
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- None
- Night's Watch
- 5
- NW - 2020-02-05
- Needs Assessment
- Bug Fix
- Due to Apple changing user management in macOS 10.15, Puppet could no longer manage user passwords on that version. Puppet now uses the `dsimport` utility to manage passwords on macOS 10.15 or higher.
- Needs Assessment
Description
It looks like direct access to binary plists under /var/db/dslocal/nodes/Default/ has been blocked beginning with macOS 10.15 (even with Full Disk Access activated), so we can no longer overwrite that file to set or change the password of a macOS user.
Error: Unable to write the file /var/db/dslocal/nodes/Default/users/testuser.plist. #<IOError: File /var/db/dslocal/nodes/Default/users/testuser.plist not writable!>
There is still a way to work around this and modify passwords: use the dsimport command to indirectly manipulate the contents of the binary user plist.
For this, we need the ShadowHashData (which we previously wrote directly to the plist) in binary format, converted to base64.
Here is some ancient dsimport documentation (Apple seems to have removed all mentions of this tool since, but it still works): http://web.archive.org/web/20090106120111/http://support.apple.com/kb/TA21305?viewlocale=en_US
Basically the steps would be to:
1. If the user exists, remove the existing ShadowHashData (with dscl delete). Afterwards, `dscl -plist . read /Users/testuser` should show no ShadowHashData.
2. Import the file with the base64-converted hash using dsimport: `dsimport /file/to/import /Local/Default M`. Afterwards, `dscl -plist . read /Users/testuser` should show the new ShadowHashData.
The challenge that remains is to correctly build the ShadowHashData plist, convert it to binary and then to base64, then build the dsimport file.
As per the documentation above, this is a file that changes the hashed password of an existing account:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData
testuser:<base64 string>
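As an added example (not part of this ticket or of Puppet's own provider code), here is a Python script that builds the ShadowHashData binary plist, base64-encodes it, emits the two-line dsimport file with the header shown above, and verifies such a file against a known password before it is handed to dsimport. The SALTED-SHA512-PBKDF2 layout, the 128-byte entropy length and the iteration count are assumptions here, and `testuser` / `s3cret` are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import plistlib

# dsimport header from the ticket: record separator \n (0x0A), escape \ (0x5C),
# field separator : (0x3A), value separator , (0x2C); each record carries two
# attributes, the second of which is supplied base64-encoded.
DSIMPORT_HEADER = ("0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 "
                   "dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData")

# Assumed hash layout: {"SALTED-SHA512-PBKDF2": {"entropy", "iterations", "salt"}}
HASH_KEY = "SALTED-SHA512-PBKDF2"
ENTROPY_LEN = 128           # assumption: 128-byte PBKDF2 output
DEFAULT_ITERATIONS = 27500  # assumption: iteration count


def shadow_hash_data(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return ShadowHashData as a binary plist for the given password."""
    salt = os.urandom(32) if salt is None else salt
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, dklen=ENTROPY_LEN)
    payload = {HASH_KEY: {"entropy": entropy, "iterations": iterations, "salt": salt}}
    return plistlib.dumps(payload, fmt=plistlib.FMT_BINARY)


def dsimport_file(username, shadow_plist):
    """Build the two-line dsimport file: header, then RecordName:<base64 plist>."""
    b64 = base64.b64encode(shadow_plist).decode("ascii")
    return f"{DSIMPORT_HEADER}\n{username}:{b64}\n"


def verify_dsimport_file(contents, username, password):
    """Check that the file has the expected header, names `username`, and carries
    a hash that matches `password`; useful to validate before importing."""
    lines = contents.splitlines()
    if len(lines) < 2 or lines[0] != DSIMPORT_HEADER:
        return False
    name, _, b64 = lines[1].partition(":")
    if name != username:
        return False
    record = plistlib.loads(base64.b64decode(b64))[HASH_KEY]
    expected = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                   record["salt"], record["iterations"], dklen=ENTROPY_LEN)
    return hmac.compare_digest(expected, record["entropy"])


if __name__ == "__main__":
    # Constructed sample: fixed salt and low iteration count for a quick demo run.
    print(dsimport_file("testuser", shadow_hash_data("s3cret", salt=b"\x01" * 32, iterations=1000)))
```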