JSS Hardcoded account information is bad

Jamf Admins, let's take a minute to talk about hardcoded values in scripts.

It's great that we're a social community that publishes, shares and modifies each other's work on GitHub, but please sanitize that information.

Take this as an example:

For the privacy of the original poster I've removed identifying information.
Note: Even though mm2270 is listed as the author of this script, the above was reposted under another GitHub account.

In plain text, this GitHub repo had the JSS URL, username, and password readily available… Slight problem… Anyone with the know-how can access that JSS.

One way to mitigate part of the problem is to use a local account with your JSS and enable SSO. That way they only have access to your JSS via the API; it's a bit more work to do damage, but it could still be done. NEVER use a Directory account for scripts.

Better yet, NEVER hardcode passwords into your scripts.

You can avoid it in a few of the following ways.

Hardcode them in a plist

*This should never be done on a client machine


First, create a plist with your values.

Then you can load them as part of your script.

If you've already got python-jss or AutoPkgr installed, you can use the values from their preferences in your script instead.

Prompt for the values when you run your script


Using osascript

Using shell


Passed as arguments through command line


Passed through the JSS


You can also use the above while executing locally, keeping in mind that $1, $2 and $3 are automatically assigned by the JSS, so your own values start at $4:

sh pass_args_from_jss.sh a s d rderewianko.jamfcloud.com rderewianko mysecurepassword
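As an added example (my own, not the gist from the original post), here is one way to write pass_args_from_jss.sh so that it covers the approaches above in order: Jamf parameters $4-$6 first, then a plist, then a prompt, with nothing hardcoded in the script itself. The plist path and key names, and the /JSSResource/computers call at the end, are assumptions for the example.

```sh
#!/bin/sh
# Added example, not the gist from the original post. Resolves JSS_URL, JSS_USER
# and JSS_PASS without any value hardcoded in the script, trying in order:
#   1. Jamf script parameters $4, $5, $6 ($1-$3 are filled in by the JSS itself)
#   2. a plist (macOS only; the path and key names are assumptions of this example)
#   3. an interactive prompt, with the password read without echo
PLIST="${JSS_CREDS_PLIST:-$HOME/Library/Preferences/com.example.jss-creds.plist}"
# resolve_from_args URL USER PASS -> succeeds only if all three are non-empty
resolve_from_args() {
    JSS_URL="$1"; JSS_USER="$2"; JSS_PASS="$3"
    [ -n "$JSS_URL" ] && [ -n "$JSS_USER" ] && [ -n "$JSS_PASS" ]
}
# resolve_from_plist -> succeeds only on macOS when the plist has all three keys
resolve_from_plist() {
    command -v defaults >/dev/null 2>&1 && [ -f "$PLIST" ] || return 1
    JSS_URL=$(defaults read "$PLIST" jss_url 2>/dev/null) || return 1
    JSS_USER=$(defaults read "$PLIST" jss_user 2>/dev/null) || return 1
    JSS_PASS=$(defaults read "$PLIST" jss_pass 2>/dev/null) || return 1
}
# resolve_from_prompt -> last resort; stty -echo keeps the password off the screen
resolve_from_prompt() {
    printf 'JSS URL: '; read -r JSS_URL
    printf 'JSS username: '; read -r JSS_USER
    printf 'JSS password: '; stty -echo 2>/dev/null; read -r JSS_PASS
    stty echo 2>/dev/null; printf '\n'
}
# normalize_url URL -> prints https://host (no trailing slash); refuses plain http
normalize_url() {
    u="${1%/}"
    case "$u" in
        https://*) ;;
        http://*) echo "refusing plaintext http JSS URL: $u" >&2; return 1 ;;
        *) u="https://$u" ;;
    esac
    printf '%s\n' "$u"
}
# main mirrors: sh pass_args_from_jss.sh a s d <url> <user> <pass>
main() {
    resolve_from_args "$4" "$5" "$6" || resolve_from_plist || resolve_from_prompt
    JSS_URL=$(normalize_url "$JSS_URL") || exit 1
    # curl reads the credentials from a config on stdin (-K -), so the password
    # never shows up in `ps` output or shell history. /JSSResource is the Classic API.
    printf 'user = "%s:%s"\n' "$JSS_USER" "$JSS_PASS" |
        curl -sf -K - -H 'Accept: application/xml' "$JSS_URL/JSSResource/computers"
}
# only run main when invoked under this file name, so the functions can be sourced
case "$0" in *pass_args_from_jss.sh) main "$@" ;; esac
```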


Again, if you do decide to hardcode the value into your script, please don't publish that to GitHub; sanitize your work before publishing.

If you do, people like myself will find it. Some of these people aren't as nice about it and could use it for malicious purposes.

If you happen to find credentials on GitHub, the MacAdmins Slack is a great place to start for getting hold of the offender.


We're here working together; let's help each other keep each other secure.

3 Comments

  • Brian Bocklett May 16, 2018 at 10:07 am

    Great information!

    I’m a fan of obfuscating the user and pass with OpenSSL. Via https://github.com/jamfit/Encrypted-Script-Parameters

    It still has a worry of sanitizing scripts before pushing to GitHub, since it is still hardcoding the data, but if the jss_url and the encrypted strings are separated and used only in Parameters passed via Jamf, then it becomes a bit harder to have all the information to mess with someone's Jamf Pro Server.

    • rderewianko May 16, 2018 at 10:13 am

      I agree, while this post isn’t the end all be all, it was a jumping point. 🙂

  • Retry a failed Profile from a client | My Thoughts May 21, 2018 at 1:09 pm

    […] privileges for macOS Configuration Profiles (note the difference between the API and the GUI). See https://www.rderewianko.com/hardcoding_is_bad/ for some good ideas on passing the username/password/JSS name in a […]
