Change user password by providing new password as hash in a script

Currently working on a deployment of a large number of Macs, on which I want to set the password for an administrator account without putting the password plain-text in the script. Is there some way to provide a hash of the password to dscl/passwd?


Solution 1:

Yes, you can change the password by providing a hash to a script. This works for 10.7 and later (up to at least 10.9.1).

  1. You need the hash you want to set it to. The easiest way to do this is to create an account with the password you want and read the hash. The hash is stored in /var/db/dslocal/nodes/Default/users/[username].plist in the ShadowHashData field.

  2. Create the user the standard way (using dscl), but don't set the password using dscl; instead, use the defaults command.

Example for user called 'lana':

#!/bin/bash
# Must be run as root: dscl . -create and writing to /var/db/dslocal both need it.

#hash to set obtained from:
#defaults read /var/db/dslocal/nodes/Default/users/lana.plist ShadowHashData
pw_hash='(<10145341 4c544544 ...really long...2d534841>)'

#needs to be unique (no leading $ when assigning a shell variable)
uid=510

#gid of an existing group
gid=510

# Create the local account record and its basic attributes.
dscl . -create /Users/lana
dscl . -create /Users/lana UserShell /bin/bash
dscl . -create /Users/lana RealName "Lana May"
dscl . -create /Users/lana UniqueID $uid
dscl . -create /Users/lana PrimaryGroupID $gid
dscl . -create /Users/lana NFSHomeDirectory /Users/lana
# Make the account an administrator.
dscl . -merge /Groups/admin GroupMembership lana
# Write the copied hash directly into the account's dslocal plist instead of setting a plain-text password.
defaults write "/var/db/dslocal/nodes/Default/users/lana.plist" ShadowHashData "$pw_hash"
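To catch a mis-copied or weak hash before the script is pushed to a fleet, here is an added Python check (not part of the original answer) that parses a ShadowHashData blob the way it sits in the user plist and verifies it offline against the intended password. The sample plist, salt and iteration count are constructed for the example, and the SALTED-SHA512-PBKDF2 layout (entropy, salt, iterations inside a nested binary plist) is assumed from the hashes 10.8+ writes.

```python
import hashlib
import hmac
import plistlib

# Constructed sample of /var/db/dslocal/nodes/Default/users/<user>.plist.
# ShadowHashData is an array holding one data blob; that blob is itself a
# binary plist keyed by hash type.  Salt, iterations and password are made up.
SAMPLE_PASSWORD = "correct horse battery staple"
_salt = bytes(range(32))
_iterations = 40000
_entropy = hashlib.pbkdf2_hmac("sha512", SAMPLE_PASSWORD.encode("utf-8"),
                               _salt, _iterations, dklen=128)
SAMPLE_USER_PLIST = plistlib.dumps({
    "name": ["lana"],
    "ShadowHashData": [plistlib.dumps(
        {"SALTED-SHA512-PBKDF2": {"entropy": _entropy, "salt": _salt,
                                  "iterations": _iterations}},
        fmt=plistlib.FMT_BINARY)],
})


def parse_shadow_hash(user_plist: bytes) -> dict:
    """Return the hash-type -> parameters mapping stored in ShadowHashData."""
    record = plistlib.loads(user_plist)
    blobs = record.get("ShadowHashData", [])
    if len(blobs) != 1:
        raise ValueError("expected exactly one ShadowHashData blob, got %d" % len(blobs))
    return plistlib.loads(blobs[0])


def check_hash(user_plist: bytes, password: str, min_iterations: int = 20000) -> str:
    """Pre-deployment sanity check: 'ok' if a SALTED-SHA512-PBKDF2 entry exists,
    uses at least min_iterations rounds and matches the intended password;
    otherwise a short reason (wrong account's hash, legacy type, weak rounds)."""
    hashes = parse_shadow_hash(user_plist)
    entry = hashes.get("SALTED-SHA512-PBKDF2")
    if entry is None:
        return "no SALTED-SHA512-PBKDF2 entry (types: %s)" % sorted(hashes)
    if entry["iterations"] < min_iterations:
        return "iteration count %d below %d" % (entry["iterations"], min_iterations)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), entry["salt"],
                                  entry["iterations"], dklen=len(entry["entropy"]))
    if not hmac.compare_digest(derived, entry["entropy"]):
        return "hash does not match the expected password"
    return "ok"
```

On a real Mac, read the source account's plist as root and pass its bytes to check_hash before using the value in the deployment script.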