topic Re: Script admin password change when first admin login requires password change in Security

Script admin password change when first admin login requires password change

bdruth — Sun, 11 Feb 2018 01:24:36 GMT

I'm scripting automated provisioning of the Splunk marketplace AMI and I can't figure out how to script the required initial password change so that I can perform other scripted steps.

sudo /opt/splunk/bin/splunk edit user admin -password '<new password>' -auth admin:<initial pass>
The administrator requires you to change your password.
Please enter a new password:

Short of writing an expect script (please no), is there a way to get past this?

Re: Script admin password change when first admin login requires password change

micahkemp — Sun, 11 Feb 2018 01:53:04 GMT

You could do a fresh install, change the admin password, and copy the $SPLUNK_HOME/etc/passwd file contents to put in place (even before installing Splunk) on the image.

Also, you can disable the password change prompt by creating the file (touch it): $SPLUNK_HOME/etc/.ui_login

The above tidbit courtesy of a past answers question. It's not actually changing the password that removes the prompt to change your password; it's logging in to the UI the first time. touching the .ui_login button will make it seem like you've already logged in.

Re: Script admin password change when first admin login requires password change

bdruth — Sun, 11 Feb 2018 03:21:44 GMT

The image has Splunk installed and it starts when the AMI launches. Not sure if replacing etc/passwd would set the 'user has changed his password' flag - the AMI, when it boots, already sets the initial password (it's the instance ID). But, I can try and report back.

Re: Script admin password change when first admin login requires password change

micahkemp — Sun, 11 Feb 2018 03:36:46 GMT

Edited based on your comment that what's important is no longer being prompted to change your password.

Re: Script admin password change when first admin login requires password change

bdruth — Sun, 11 Feb 2018 04:05:15 GMT

Actually - the .ui_login trick doesn't seem to work anymore. That was the first thing I came across, too. I did however figure out what does work 🙂

Re: Script admin password change when first admin login requires password change

bdruth — Sun, 11 Feb 2018 04:07:42 GMT

Thank you @micahkemp for pointing at $SPLUNK_HOME/etc/passwd - there's a flag on the admin user, force_change_pass - removing this and restarting the splunk service will allow the CLI to change the password (or do anything else) without prompting for a password change.

  sudo -u splunk sed -i -e 's/force_change_pass$//' /opt/splunk/etc/passwd
  sudo service splunk restart
  sudo /opt/splunk/bin/splunk edit user admin -password '<new pass>' -auth admin:<initial pass>

As of 7.0.0, this works.

Re: Script admin password change when first admin login requires password change

bdruth — Sun, 11 Feb 2018 04:12:53 GMT

One additional comment - adding the $SPLUNK_HOME/etc/.ui_login does prevent the UI from providing the assistive info re: what the initial login is when you hit the login page the first time.

Re: Script admin password change when first admin login requires password change

micahkemp — Sun, 11 Feb 2018 04:15:57 GMT

So if you were planning on deploying a single password (as in, not different per machine), copying a pre-configured etc/passwd would have accomplished this as well, right?

Re: Script admin password change when first admin login requires password change

rbendik — Fri, 01 Nov 2019 21:52:37 GMT

@bdruth, what was the solution you found if you dont mind sharing?