Login Password Variable

Discussion in 'Mac Programming' started by gpchess2k, Apr 10, 2017.

  1. gpchess2k, Apr 10, 2017
    Last edited: Apr 10, 2017

    gpchess2k macrumors newbie

    Joined:
    Oct 12, 2015
    #1
    Hey guys,

    Is there a way to create a variable with the currently logged-in user's password? I am trying to use the variable to log in to a wireless network since our machines are bound to AD. I was thinking of capturing it somehow from login.keychain or other ideas?
     
  2. 960design macrumors 68020

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #2
    What? We are going to need a little more information on your use case.

    Logins should not be sent in the clear, EVER.

    How about, just tell us what you want to accomplish... there may be a better way.
     
  3. chown33 macrumors 604

    Joined:
    Aug 9, 2009
  4. gpchess2k thread starter macrumors newbie

    Joined:
    Oct 12, 2015
    #4
    Sorry. Bash preferably. I'm just trying to join a network that uses the same creds as the user logged into the machine. Whichever way is safest. Here's a quick example of what I have now:


    Code:
    AIRPORT="en0"
    WIFI_NETWORK_NAME="network-name"
    loggedInUser=$(stat -f%Su /dev/console)
    WIFI_PASSWORD=""
     
    networksetup -setairportpower $AIRPORT off
    networksetup -setairportpower $AIRPORT on
    sleep 2
     
    if networksetup -getairportnetwork $AIRPORT | grep -i -a $WIFI_NETWORK_NAME ;
    then
        echo 'Connected!';
        exit 0
    fi
     
    if networksetup -setairportnetwork $AIRPORT $WIFI_NETWORK_NAME $WIFI_PASSWORD | grep -i -a "Failed" ;
    then
        echo 'Failed to connect, just restarting...';
        networksetup -setairportpower $AIRPORT off
        networksetup -setairportpower $AIRPORT on
        sleep 1
    fi
     
    networksetup -getairportnetwork $AIRPORT
     
    exit 0;
     
  5. bradl macrumors 68040

    Joined:
    Jun 16, 2008
    #5
    Okay.. reading this implies that the Mac you are using is already bound to the AD domain, and what you are wanting to do is use those credentials to provide a login to your WiFi network.. do I have that right?

    If so, does your wireless network hardware have the capability to bind to that same AD network? I ask, because if it does, you're trying to re-invent the wheel, where you are trying to get the same credentials that have been passed to your domain controller to log into the network that may already be on that domain.

    If that's the case, you're doing this at the wrong place. Instead of making the Mac do everything, why not let a Group Policy at the AD level handle the authentication to the wireless network for you. That's what that functionality is there for.

    You can set the GP to state that if the OS = a non-Windows machine, run this set of processes, one of which would include logging into the wireless network with the same credentials used to authenticate onto the domain from that machine.

    BL.
     
  6. gpchess2k thread starter macrumors newbie

    Joined:
    Oct 12, 2015
    #6
    Thanks, and yes Bradl, that's correct. We use JSS (Jamf) and yes we could do it using config profiles or whatnot, BUT I am not on our network team and am looking to create more of a repair script for our junior techs. Our company is worldwide and getting to a place where we manage wifi to this extent will take some time. I already have a large script that cleans up the network but having the ability to join back in would be a time saver.
     
  7. gpchess2k thread starter macrumors newbie

    Joined:
    Oct 12, 2015
    #7
    To re-phrase the question: Our current wifi is based on AD authentication. Is there a way to connect a particular machine using the bound account to the wifi network via bash or AppleScript?
     
  8. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #8
    Did you try the script you gave in post #4?

    If you put the password in as a cleartext string literal, does the script work as intended?

    If it doesn't work, and you instead use the WLAN's password, does it work then? Is the WLAN's password a pre-shared key, like the majority of consumer wifi AP's, or is the WLAN access controlled using a RADIUS server?

    If the posted script actually works for a given password, then that's a different problem to solve than the script not working at all.

    There are two separate questions here. The question in your 1st post is basically "How do I get a certain password?" The second question is in post #6.


    The command to access the keychain is named 'security'. Its man page describes how to use it to get a password from a keychain.

    However, the action of getting a password (or other protected secret) may itself be protected by the keychain password, which is prompted for using a dialog. The user can use the Keychain app to manage access control, but the default is to only grant access to the app that created the protected item.

    Examples:
    Code:
    security find-internet-password -a chown33
      # list the unprotected info for the 1st password with the given account name.
      # you can further qualify the item; see the man page.
    
    security find-internet-password -a chown33 -g
      # get the secret password, if allowed.
      # will prompt with a dialog, unless Access Control was previously granted.
    

    I'll also point out that your script should use quoting when it expands shell variables. There are multiple places where this could be a problem. If any of the variables happens to contain a space (or any whitespace) embedded in it, then you'll get multiple args instead of one, and havoc may then ensue. See example:
    https://forums.macrumors.com/thread...nts-files-and-settings.2037837/#post-24410656
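
The quoting problem chown33 describes in post #8, shown against the command shapes from the post #4 script. This is an added example, not part of the thread: `count_args`, `in_scratch_dir`, and the sample SSID, password and status line are constructed for illustration, with `count_args` standing in for `networksetup` so it runs on any machine.

```bash
#!/usr/bin/env bash
# Added illustration, not from the thread. count_args is a hypothetical stand-in
# for networksetup that reports how many arguments it actually received.
count_args() { echo "$#"; }

# Constructed sample values: whitespace in both, plus a glob character.
AIRPORT="en0"
WIFI_NETWORK_NAME="Corp Guest"
WIFI_PASSWORD="correct horse *"
# Constructed line in the shape "networksetup -getairportnetwork" prints.
SAMPLE_STATUS="Current Wi-Fi Network: Corp Guest"

# Run "$@" inside a scratch directory holding exactly two files, so the
# result of pathname expansion is predictable.
in_scratch_dir() (
    dir=$(mktemp -d) && cd "$dir" && touch a.txt b.txt || exit 1
    "$@" && rc=0 || rc=$?
    cd / && rm -rf "$dir"
    exit "$rc"
)

# Unquoted, as in post #4: each expansion is word-split and glob-expanded.
join_unquoted() {
    count_args -setairportnetwork $AIRPORT $WIFI_NETWORK_NAME $WIFI_PASSWORD
}

# Quoted: each variable stays exactly one argument.
join_quoted() {
    count_args -setairportnetwork "$AIRPORT" "$WIFI_NETWORK_NAME" "$WIFI_PASSWORD"
}

# Unquoted grep: "Corp" becomes the pattern and "Guest" a file name,
# so the piped status line is never read and the check fails.
check_unquoted() {
    printf '%s\n' "$SAMPLE_STATUS" | grep -i -a $WIFI_NETWORK_NAME >/dev/null 2>&1
}

# Quoted fixed-string match; "--" keeps an SSID starting with "-" from
# being parsed as a grep option.
check_quoted() {
    printf '%s\n' "$SAMPLE_STATUS" | grep -q -i -a -F -- "$WIFI_NETWORK_NAME"
}

echo "unquoted argc: $(in_scratch_dir join_unquoted)"
echo "quoted argc:   $(in_scratch_dir join_quoted)"
in_scratch_dir check_unquoted && echo "unquoted check: match" || echo "unquoted check: grep failed"
in_scratch_dir check_quoted && echo "quoted check: match" || echo "quoted check: no match"
```

In the unquoted call the `*` in the password expands to the file names in the working directory, so those names are passed to the command in place of the password text.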
     
  9. gpchess2k thread starter macrumors newbie

    Joined:
    Oct 12, 2015
    #9
    We do have a RADIUS server. Wifi network uses AD creds. But I figured it out and rewrote the script. My last question is: Can I run a command to get the password and hold it as a variable to then place it at the end of the script? What I want to do is capture the password of the SSID from keychains, remove the keychain/SSID, and re-join the same network using stored password (safely). Here is what I have thus far:

    Code:
    #!/bin/sh
    SSID="MyNetwork"
    AIRPORT=$(/usr/sbin/networksetup -listallhardwareports | awk '/^Hardware Port: (Wi-Fi|AirPort)/,/^Ethernet Address/' | head -2 | tail -1 | cut -c 9-)
    WIFI_NETWORK_NAME="MyNetwork"
    loggedInUser=$(stat -f%Su /dev/console)
    WIFI_PASSWORD=$(sudo /usr/bin/security find-generic-password -l "MyNetwork" -w /Users/USERNAME/Library/Keychains/login.keychain-db)
    osvers=$(sw_vers -productVersion | awk -F. '{print $.1}')
    wifiDevice=$(/usr/sbin/networksetup -listallhardwareports | awk '/^Hardware Port: Wi-Fi/,/^Ethernet Address/' | head -2 | tail -1 | cut -c 9-)
    INDEX=0
    SECURITY=WPA2E
    
    #Remove network first
    while security delete-generic-password -l 'Wired 802.1X' '/Library/Keychains/System.keychain' ; do true; done
    networksetup -removepreferredwirelessnetwork "$AIRPORT" MyNetwork
    while security delete-generic-password -l MyNetwork ; do true; done
    
    #Re-join network using stored password in Alias?
    sudo networksetup -setairportpower "$wifiDevice" on
    
    security add-generic-password -a "$loggedInUser" -D "802.1X Password" -l MyNetwork -p "$WIFI_PASSWORD" -s com.apple.network.eap.user.item.wlan.ssid.MyNetwork -T /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient
    
    sudo networksetup -setairportnetwork "$wifiDevice" MyNetwork
    
    sudo networksetup -setairportpower "$wifiDevice" off
    
    sudo networksetup -setairportpower "$wifiDevice" on
    
    
    --- Post Merged, Apr 13, 2017 ---
    The wifi password will always be the computer login password of the target machine. Above I am pulling from the SSID (granted it's even correct!). If there's a way to set the machine password as the variable then that would be even better. But I doubt it =/
     
  10. Kornelis, Apr 13, 2017
    Last edited: Apr 13, 2017

    Kornelis macrumors member

    Joined:
    Dec 4, 2010
    Location:
    Amsterdam, NL
    #10
  11. gpchess2k thread starter macrumors newbie

    Joined:
    Oct 12, 2015
    #11
    Thanks Kornelis. Good sources, but these machines are freshly imaged and bound to Active Directory. I can't find any passwords currently in Keychain Access. Just need the actual login password to be the variable. I guess what I am looking for is not possible. =/
     
