
gpchess2k

macrumors member
Original poster
Hey guys,

Is there a way to create a variable with the current logged-in user's password? I am trying to use the variable to log in to a wireless network since our machines are bound to AD. I was thinking of capturing it somehow from login.keychain or other ideas?
 
What? We are going to need a little more information on your use case.

Logins should not be sent in the clear, EVER.

How about, just tell us what you want to accomplish... there may be a better way.
 
Sorry. Bash preferably. I'm just trying to join a network that uses the same creds as the user logged into the machine. Whichever way is safest. Here's a quick example of what I have now:


Code:
AIRPORT="en0"
WIFI_NETWORK_NAME="network-name"
loggedInUser=$(stat -f%Su /dev/console)
WIFI_PASSWORD=""
 
networksetup -setairportpower $AIRPORT off
networksetup -setairportpower $AIRPORT on
sleep 2
 
if networksetup -getairportnetwork $AIRPORT | grep -i -a $WIFI_NETWORK_NAME ;
then
    echo 'Connected!';
    exit 0
fi
 
if networksetup -setairportnetwork $AIRPORT $WIFI_NETWORK_NAME $WIFI_PASSWORD | grep -i -a "Failed" ;
then
    echo 'Failed to connect, just restarting...';
    networksetup -setairportpower $AIRPORT off
    networksetup -setairportpower $AIRPORT on
    sleep 1
fi
 
networksetup -getairportnetwork $AIRPORT
 
exit 0;
 

Okay.. reading this implies that the Mac you are using is already bound to the AD domain, and what you are wanting to do is use those credentials to provide a login to your WiFi network.. do I have that right?

If so, does your wireless network hardware have the capability to bind to that same AD network? I ask, because if it does, you're trying to re-invent the wheel, where you are trying to get the same credentials that have been passed to your domain controller to log into the network that may already be on that domain.

If that's the case, you're doing this at the wrong place. Instead of making the Mac do everything, why not let a Group Policy at the AD level handle the authentication to the wireless network for you? That's what that functionality is there for.

You can set the GP to state that if the OS = a non-Windows machine, run this set of processes, one of which would include logging into the wireless network with the same credentials used to authenticate onto the domain from that machine.

BL.
 
Thanks, and yes Bradl, that's correct. We use JSS (Jamf) and yes, we could do it using config profiles or whatnot, BUT I am not on our network team and am looking to create more of a repair script for our junior techs. Our company is worldwide, and getting to a place where we manage wifi to this extent will take some time. I already have a large script that cleans up the network, but having the ability to join back in would be a time saver.
 
To re-phrase the question: Our current wifi is based on AD authentication. Is there a way to connect a particular machine using the bound account to the wifi network via bash or AppleScript?
 
Did you try the script you gave in post #4?

If you put the password in as a cleartext string literal, does the script work as intended?

If it doesn't work, and you instead use the WLAN's password, does it work then? Is the WLAN's password a pre-shared key, like the majority of consumer wifi APs, or is the WLAN access controlled using a RADIUS server?

If the posted script actually works for a given password, then that's a different problem to solve than the script not working at all.

There are two separate questions here. The question in your 1st post is basically "How do I get a certain password?" The second question is in post #6.


The command to access the keychain is named 'security'. Its man page describes how to use it to get a password from a keychain.

However, the action of getting a password (or other protected secret) may itself be protected by the keychain password, which is prompted for using a dialog. The user can use the Keychain app to manage access control, but the default is to only grant access to the app that created the protected item.

Examples:
Code:
security find-internet-password -a chown33
  # list the unprotected info for the 1st password with the given account name.
  # you can further qualify the item; see the man page.

security find-internet-password -a chown33 -g
  # get the secret password, if allowed.
  # will prompt with a dialog, unless Access Control was previously granted.


I'll also point out that your script should use quoting when it expands shell variables. There are multiple places where this could be a problem. If any of the variables happens to contain a space (or any whitespace) embedded in it, then you'll get multiple args instead of one, and havoc may then ensue. See example:
https://forums.macrumors.com/thread...nts-files-and-settings.2037837/#post-24410656
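
The word splitting described in the post above, shown as an added example that is not part of the original thread. `count_args` is a hypothetical stand-in for `networksetup`, and the SSID, password and status line are constructed sample values.

```shell
#!/bin/sh
# Added example. count_args is a hypothetical stand-in for networksetup: it
# only reports how many arguments arrived, so no interface is touched.
count_args() { echo "$#"; }

# Constructed values: an SSID with a space, a password with spaces and a glob.
WIFI_NETWORK_NAME="Corp Guest"
WIFI_PASSWORD="pass word *"
# Constructed line in the format `networksetup -getairportnetwork` prints.
SAMPLE_STATUS="Current Wi-Fi Network: Corp Guest"

# Unquoted, as in the posted script: each expansion is split on whitespace
# and the lone * is expanded to the file names in the current directory.
unquoted_argc() {
    # shellcheck disable=SC2086
    count_args en0 $WIFI_NETWORK_NAME $WIFI_PASSWORD
}

# Quoted: exactly one argument per variable, whatever it contains.
quoted_argc() {
    count_args en0 "$WIFI_NETWORK_NAME" "$WIFI_PASSWORD"
}

# Unquoted connection check: grep gets the pattern "Corp" and a FILE operand
# "Guest", so it ignores the piped status text and fails to match.
is_connected_unquoted() {
    # shellcheck disable=SC2086
    printf '%s\n' "$1" | grep -i -a $WIFI_NETWORK_NAME >/dev/null 2>&1
}

# Quoted check: -F matches the SSID literally, -- ends option parsing so an
# SSID beginning with "-" is not read as a grep flag.
is_connected_quoted() {
    printf '%s\n' "$1" | grep -i -a -F -- "$WIFI_NETWORK_NAME" >/dev/null
}

echo "unquoted argc: $(unquoted_argc)   quoted argc: $(quoted_argc)"
if is_connected_unquoted "$SAMPLE_STATUS"; then echo "unquoted: connected"
else echo "unquoted: check missed the network"; fi
if is_connected_quoted "$SAMPLE_STATUS"; then echo "quoted: connected"
else echo "quoted: check missed the network"; fi
```

The unquoted count depends on what is in the working directory, because the `*` in the password is expanded as a glob.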
 
We do have a RADIUS server. Wifi network uses AD creds. But I figured it out and rewrote the script. My last question is: Can I run a command to get the password and hold it as a variable to then place it at the end of the script? What I want to do is capture the password of the SSID from keychains, remove the keychain/SSID, and re-join the same network using the stored password (safely). Here is what I have thus far:

Code:
#!/bin/sh
SSID="MyNetwork"
# Device name (e.g. en0) of the Wi-Fi/AirPort hardware port
AIRPORT=$(/usr/sbin/networksetup -listallhardwareports | awk '/^Hardware Port: (Wi-Fi|AirPort)/,/^Ethernet Address/' | head -2 | tail -1 | cut -c 9-)
WIFI_NETWORK_NAME="MyNetwork"
loggedInUser=$(stat -f%Su /dev/console)
# Read the password stored for the SSID from the login keychain
WIFI_PASSWORD=$(sudo /usr/bin/security find-generic-password -l "MyNetwork" -w /Users/USERNAME/Library/Keychains/login.keychain-db)
# Second dot-separated field of the OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
wifiDevice=$(/usr/sbin/networksetup -listallhardwareports | awk '/^Hardware Port: Wi-Fi/,/^Ethernet Address/' | head -2 | tail -1 | cut -c 9-)
INDEX=0
SECURITY=WPA2E

#Remove network first
while security delete-generic-password -l 'Wired 802.1X' '/Library/Keychains/System.keychain' ; do true; done
networksetup -removepreferredwirelessnetwork "$AIRPORT" MyNetwork
while security delete-generic-password -l MyNetwork ; do true; done

#Re-join network using stored password in Alias?
sudo networksetup -setairportpower "$wifiDevice" on

# Variables are quoted so a user name or password containing whitespace stays one argument
security add-generic-password -a "$loggedInUser" -D "802.1X Password" -l MyNetwork -p "$WIFI_PASSWORD" -s com.apple.network.eap.user.item.wlan.ssid.MyNetwork -T /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient

sudo networksetup -setairportnetwork "$wifiDevice" MyNetwork

sudo networksetup -setairportpower "$wifiDevice" off

sudo networksetup -setairportpower "$wifiDevice" on

The wifi password will always be the computer login password of the target machine. Above I am pulling from the SSID (granted it's even correct!). If there's a way to set the machine password as the variable then that would be even better. But I doubt it =/
 
Thanks Kornelis. Good sources, but these machines are freshly imaged and bound to Active Directory. I can't find any passwords currently in Keychain Access. Just need the actual login password to be the variable. I guess what I am looking for is not possible. =/
 