Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10246

Cannot set/change password of a user resource on macOS 10.15

    XMLWordPrintable

Details

    • Night's Watch
    • 5
    • NW - 2020-02-05
    • Needs Assessment
    • Bug Fix
    • Due to Apple changing user management in macOS 10.15, Puppet could no longer manage user passwords on that version. Puppet now uses the `dsimport` utility to manage passwords on macOS 10.15 or higher.
    • Needs Assessment

    Description

      It looks like direct access to binary plists under /var/db/dslocal/nodes/Default/ has been blocked beginning with macOS 10.15 (even with Full Disk Access activated), so we can no longer overwrite that file to set/change the password on an macOS user.

      Error: Unable to write the file /var/db/dslocal/nodes/Default/users/testuser.plist. #<IOError: File /var/db/dslocal/nodes/Default/users/testuser.plist not writable!>
      

      There's still a way to circumvent this and still be able to modify passwords. It involves the use of the dsimport command to indirectly manipulate the contents of the binary user plist.

      For this, we need to have the ShadowHashData (which we previously wrote to the plist) in binary format, then converted to base64.

      Here is some ancient dsimport documentation (Apple seems to have removed all mentions of this tool since, but it still works): http://web.archive.org/web/20090106120111/http://support.apple.com/kb/TA21305?viewlocale=en_US

      Basically the steps would be to:
      1. If the user exists, remove the existing ShadowHashData (with dscl delete)
      dscl -plist . read /Users/testuser should show no ShadowHashData
      2. Import the file with the base64-converted hash using dsimport: dsimport /file/to/import /Local/Default M
      dscl -plist . read /Users/testuser should show the new ShadowHashData

      The challenge that remains is to correctly build the ShadowHashData plist, convert it to binary and then to base64, then build the dsimport file.

      As per the documentation above, this is a file that changes the hashed password of an existing account:

      0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 2 dsAttrTypeStandard:RecordName base64:dsAttrTypeNative:ShadowHashData
      testuser:<base64 string>
      

      Attachments

        Activity

          People

            gabriel.nagy Gabriel Nagy
            gabriel.nagy Gabriel Nagy
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Zendesk Support