[Casper] Hidden SSH account
Thomas Larkin
tlarki at kckps.org
Wed Aug 27 08:03:09 PDT 2008
Personally, I create two hidden local admin accounts on every machine
for this exact reason. One is solely for Casper stuff, and I don't give
that password out at all. There is never a need to log into that
account to do anything. The other one is a local hidden admin account
for administration, troubleshooting, and maintenance of the computer. I
hide them from the finder and put their home directory in /private/var.
I sort of found a bug with Casper 6.0 already. It seems that when you
try to update the Casper SSH account password on version 6, but your
clients haven't updated their command line application yet, it doesn't
change it right. Of course, someone in my department gave that password
out to someone who didn't know what it was for, and I was forced to do a
massive password change. So, I no longer give out the SSH account
password, and all the Casper servers have passwords that only me and one
other person I work with know; both of us are CCAs, so I figured that
would be best practice. So, I just made my update JAMF binary policy
more aggressive as well as my update inventory. I also added the jamf
command to change a password to that account since the built in feature
seems to bug out a bit when working with a 5.13 client. Since the 5.13
was in my image and deployed to 6,000 MacBooks, you can't really
instantly update the command line app for Casper.
You could create post script actions for when you add quickadd.pkg that
create accounts using the jamf binary, it is very easy and straight
forward. I have a script that uses the JAMF binary that creates an
account, runs recon, and sets master passwords for root, firmware and
whatever else I need done. If you use the JAMF commands it makes your
script less code and a lot easier to follow since they simplify it, and
I prefer to keep things simple.
>>> John Wetter <john_wetter at hopkins.k12.mn.us> 08/26/08 11:45 PM >>>
That's why when in doubt, I just use a quickadd package. Have an
auto-login user on your JSS that just takes Recon, and hand out the
QuickAdd package. Have it set to create the hidden user and recon and
manage using that hidden user.
If you run recon on a machine in the JSS, the user/pswd field should
auto-populate if it is a managed computer. Recon does not add an
account, hence why I just use a quickadd package.
I think it's quite important to have Casper manage the computers with a
hidden user. This way, if someone changes the visible admin username,
you can still manage the computer. This also becomes handy if your
admin password gets compromised as the netadmin user is still there to
manage and change the password for your visible admin account.
-John
* Now this I could very well be wrong on, and again if JAMF wants to
clarify, cool. I’d rather know what’s right than not. I don’t think
Recon adds an account to your OS, all Recon really needs for an account
is a user in the JSS to allow it to submit data when it runs. The manual
(page 367 in the current 6 version) is somewhat vague to me about this
setting in the management framework. What confuses me is that it says
you need to select an account for machines not added to the JSS. Then
what is it using to run Recon and submit data to the JSS if I don’t have
a specified account and it’s a machine in the JSS? Is this what you see
for a user with your dscl command, some secret account it adds? I just
see the account I created with the binary in my base, but I do have an
account specified in the framework as well and may not add an account if
that’s set? That setting has probably been used way before I took over
here...
* Yup, everything should log to jamf.log.
I probably haven’t answered it right either. I just want to make sure
we’re telling people the right things. My official CCA training may
be out of date being version 4.x.
Craig E
On 8/26/08 6:46 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:
According to my Casper bible it says this:
"If you would be managed by Casper and the JSS, enter the user name and
password that allows access to this configuration via SSH in the fields
labeled SSH username and SSH password"
Wudi from JAMF totally went over that too at the CCA training, and I am
not quite sure if it actually creates the account or not. I mean all
you need is SSH to run, right? The account doesn't necessarily need a
home directory since all the JAMF logs are piped out into like
/var/jamf/jamf.log anyway right?
Because your frame work is going to force SSH on, and recon will add the
account, but when it adds the account I don't ever see an account show
up in the finder, I do see it though if I do a dscl . list /Users
I don't think I quite answered that question right either.
>>> "Ernst, Craig S." <ERNSTCS at uwec.edu> 08/26/08 6:23 PM >>>
As always on a managed machine you can see the jamf binary commands and
their options by going into Terminal on a managed machine and typing:
/usr/sbin/jamf help
Or just
jamf help
Tom, I just want to make sure I'm understanding the comment below. Are
you talking about the option for "Ensure that Computers Imaged with this
Configuration are managed". If that's configured it will create the
hidden account? Or what are you referring to. I wasn't under the
impression it did that, actually created the account, unless that was
something new in 6.0. That option merely stored that account information
in the JSS for that machine so it knew how to connect with the remote
tools.
I know that if a machine has existing autorun data, imaging using
prestaging, or when you are using Casper Imaging to image the computer
you can enter that information into the Accounts tab. However, I don't
think those options hide the account like the -hiddenUser switch does
using the binary.
I've always kept a current copy of the binary around on a network share
to run that command, but if there was an easier way that'd be
cool...sort of.
Thanks,
Craig E
On 8/26/08 5:41 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:
Or, better yet, also add the SSH account into your configuration from Casper
Admin as well.
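The thread keeps coming back to hidden local accounts (UID below 500, home directory under /private/var, invisible in the Finder but listed by `dscl . list /Users`) and to the fact that several people can end up not knowing which such accounts exist on a fleet. The script below is an added example, not code from the thread or from JAMF: it audits local accounts for exactly those hidden-account traits so an administrator can reconcile what is actually on a machine against the accounts the team deliberately created. On a Mac it reads `dscl`; elsewhere it falls back to a constructed sample whose names (casperssh, netadmin, jsmith, helpdesk) and UIDs are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit local accounts for
# "hidden" admin-style accounts of the kind discussed above.
# Real data on macOS comes from:
#   dscl . -list /Users UniqueID            -> "name uid" per line
#   dscl . -read /Users/<name> NFSHomeDirectory
# The sample below is constructed so the script also runs on a non-Mac host.

SAMPLE_ACCOUNTS='root 0 /var/root
daemon 1 /var/root
_spotlight 89 /var/empty
nobody -2 /var/empty
casperssh 499 /private/var/casperssh
netadmin 498 /private/var/netadmin
jsmith 501 /Users/jsmith
helpdesk 502 /Users/helpdesk'

# Emit "name uid home" for every local account: dscl when available, else the sample.
collect_accounts() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users UniqueID | while read -r name uid; do
            home=$(dscl . -read "/Users/$name" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
            printf '%s %s %s\n' "$name" "$uid" "${home:-?}"
        done
    else
        printf '%s\n' "$SAMPLE_ACCOUNTS"
    fi
}

# Return 0 (true) when an account looks like a deliberately hidden local account:
# not a built-in system account (root, daemon, nobody, or a leading underscore),
# and either UID < 500 (kept off the login window) or a home under /private/var.
is_hidden_account() {
    name=$1; uid=$2; home=$3
    case "$name" in
        root|daemon|nobody|_*) return 1 ;;
    esac
    if [ "$uid" -lt 500 ] 2>/dev/null; then
        return 0
    fi
    case "$home" in
        /private/var/*|/var/*) return 0 ;;
    esac
    return 1
}

# Read "name uid home" lines on stdin; print the hidden account names, space separated.
audit_hidden_accounts() {
    found=""
    while read -r name uid home; do
        [ -n "$name" ] || continue
        if is_hidden_account "$name" "$uid" "$home"; then
            found="${found:+$found }$name"
        fi
    done
    printf '%s\n' "$found"
}

# Stand-alone run: print the hidden accounts found on this host (or in the sample).
main() {
    printf 'Hidden local accounts: %s\n' "$(collect_accounts | audit_hidden_accounts)"
}

main
```

Compare the printed list with the accounts your team created on purpose (the Casper SSH account and the maintenance admin in Thomas's setup); anything else is worth explaining, and jamf.log will usually show when and by what policy an account was created.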