topic Re: Scripting admin credentials in scripted install in Installation

Scripting admin credentials in scripted install

tkw03 — Wed, 28 Jul 2021 16:49:26 GMT

Hello

Im working on a new script to install Splunk via bash. before accepting the license and starting Splunk, with no prompt and answering yes, Im creating the user-seed.conf file in system/local

#create admin account cd /opt/splunk/etc/system/local/ touch user-seed.conf echo "[user_info]" >> user-seed.conf echo "USERNAME = admin" >> user-seed.conf echo "HASHED_PASSWORD = <hased pass>" >> user-seed.conf

However after

'/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt'

and going back and trying to find user-seed.conf it no longer exists. Im also removing any file etc/passwd before starting. When Splunk starts with the hashed pass in user-seed.conf does that file disappear or get moved?

Maybe Im going about this the wrong way? Better way to do this?

Thanks for the thoughts!

Todd

Re: Scripting admin credentials in scripted install

scelikok — Wed, 28 Jul 2021 16:56:54 GMT

Hi @tkw03,

This is normal behaviour. passwd file is updated with your hashed password and users-seed.conf file is deleted.

I think you are able to login with the new password.

Re: Scripting admin credentials in scripted install

codebuilder — Wed, 28 Jul 2021 17:14:37 GMT

Since you are starting Splunk for the first time it's not going to honor your value for the HASHED_PASSWORD parameter. Use PASSWORD instead and Splunk will hash it for you.

You can also use this syntax in your start command (though it does leave it behind in the command history), "admin" is the default admin user:
splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>

If you use the user-seed.conf method (with PASSWORD) be sure the directory/file are owned by the user/group that you are running Splunk as.

Re: Scripting admin credentials in scripted install

tkw03 — Wed, 28 Jul 2021 17:46:09 GMT

I thought that might happen. My goal is to NOT use a clear-text password but Ive been having a bit-o-trouble getting that lined out. Any thoughts on how that might be achieved?

Thanks all for the assistance!

Re: Scripting admin credentials in scripted install

codebuilder — Wed, 28 Jul 2021 18:15:41 GMT

You can use a hashed password, it just needs to be hashed by Splunk. It can't be a random string you create.
This obviously means you need to have Splunk up and running (somewhere) but here is the command:

splunk hash-passwd <plaintext password>

You should be able to execute that on an unrelated node running the same Splunk version and be fine.

Re: Scripting admin credentials in scripted install

codebuilder — Wed, 28 Jul 2021 18:18:13 GMT

There is also a validate-passwd function you can use after hashing.

More info here: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount

Re: Scripting admin credentials in scripted install

tkw03 — Wed, 28 Jul 2021 18:20:34 GMT

I did do that, the hashed pass I used in the script is the hashed password I created from the password I wanted to use. I didn't create a random hash. It doesnt appear to update passwd though so Im not sure it actually works.

Re: Scripting admin credentials in scripted install

isoutamo — Wed, 28 Jul 2021 19:47:08 GMT

Splunk honor your HASHED_PASSWORD in user-seed.conf if you have done it as you later on said with command "splunk hash-password" and add it to this file. You must do this before starting it in first time.

Re: Scripting admin credentials in scripted install

tkw03 — Wed, 28 Jul 2021 20:20:58 GMT

The only problem I see is that user-seed.conf no longer exists once I start Splunk the first time AND when I look at passwd it does not contain any of the info I put in user-seed.conf so I dont know how to verify the password is actually set as I wanted it to be.

Any ideas how I can verify that? "validate-passwd" doesnt seem to tell me what I need to know.

Thanks as always

Todd

Re: Scripting admin credentials in scripted install

codebuilder — Wed, 28 Jul 2021 20:42:57 GMT

If it returns nothing then your password meets requirements. Otherwise it will return an ERROR.

e.g...

splunk validate-passwd '$6$m84'
ERROR: Password did not meet complexity requirements. Password must contain at least:
* 8 total printable ASCII character(s).

Re: Scripting admin credentials in scripted install

tkw03 — Wed, 28 Jul 2021 20:58:57 GMT

The un-hashed password returns nothing which I think means it works?
I tried the hashed password but it errors but I think it probably should right?

Re: Scripting admin credentials in scripted install

isoutamo — Thu, 29 Jul 2021 07:51:14 GMT

This works on our ansible scripts https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount

And as it was said earlier splunk remove that user-seed.conf file after successful start. You could test it e.g. by

splunk list tcp

and give the user and it's password. If it works it give you an answer for that query.

r. Ismo

Re: Scripting admin credentials in scripted install

codebuilder — Thu, 29 Jul 2021 13:50:22 GMT

If your hashed password threw errors then it either does not meet complexity requirements or you need to enclose it within tick marks.

Re: Scripting admin credentials in scripted install

samyversonco — Mon, 22 Apr 2024 00:58:01 GMT

How do you implement this using ansible playbook? I'm also stuck with this process of accepting the license in Splunk. I'm using user-seed.conf but it couldn't access the src path since I'm using gitlab as my repository.

- name: Generate Splunk Seed Password

ansible.builtin.set_fact:

splunk_seed_passwd: "{{ 'password' | password_hash('sha512') }}"

when: splunk_agent_status.rc != 0

- name: Create user-seed.conf file

ansible.builtin.template:

dest: /opt/splunkforwarder/etc/system/local/user-seed.conf

owner: root

group: root

mode: 0640

option: "{{ item.opt }}"

value: "{{ item.val }}"

with_items:

- {opt: 'USERNAME', val: 'admin'}

- {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd}}'}

become: true

when: splunk_agent_status.rc != 0

Re: Scripting admin credentials in scripted install

isoutamo — Mon, 22 Apr 2024 13:42:31 GMT

I have it this way (thanks splunk/ansible-splunk)

- name: Set admin access via seed when: splunk_first_run | bool block: - name: "Hash the password" command: "{{ splunk.exec }} hash-passwd {{ splunk.password }}" register: hashed_pwd changed_when: hashed_pwd.rc == 0 become: yes become_user: "{{ splunk.user }}" no_log: "{{ hide_password }}" - name: "Generate user-seed.conf (Linux)" ini_file: owner: "{{ splunk.user }}" group: "{{ splunk.group }}" dest: "{{ splunk.home }}/etc/system/local/user-seed.conf" section: user_info option: "{{ item.opt }}" value: "{{ item.val }}" mode: 0644 with_items: - {opt: 'USERNAME', val: '{{ splunk.admin_user }}'} - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd.stdout }}'} loop_control: label: "{{ item.opt }}" when: ansible_system is match("Linux") become: yes become_user: "{{ splunk.user }}" no_log: "{{ hide_password }}"

Then those user + pass information is in config file which are per environment etc. on git. All those secrets are saved by ansible-vault, so there is no passwords as plain text on your repository/inventory. You could have as many config files as you are needing. Usually one or more per environment and customer.

Re: Scripting admin credentials in scripted install

isoutamo — Wed, 13 Nov 2024 23:33:46 GMT

This is old question, but I still comment here if someone needs it later.
When you are using hashed password in user-seed.conf you mast hash it with same splunk.secret string as you have in your new server! If you have hashed it with some other random splunk.secret and in a new server you have something else in splunk.secret those didn't match as hash keys have been different.

Re: Scripting admin credentials in scripted install

isoutamo — Wed, 13 Nov 2024 23:35:35 GMT

As I said earlier if you want to use hashed password instead of plain text, then you must use same splunk.secret on both nodes.

Re: Scripting admin credentials in scripted install

petejones — Thu, 15 May 2025 00:58:06 GMT

I don't believe this is correct.

Splunk uses the splunk.secret file for encrypting and decrypting passwords and other sensitive info in its configuration files. Splunk uses different algorithms for password hashing:

$6 (SHA-512): This algorithm is used for hashing passwords.
$7 (Encryption): This algorithm requires the splunk.secret file for decryption.

This is what makes it portable and useful with automation.

You can generate a password hash using

splunk hash-passwd <somePassword>

Then you can run something like this before you start Splunk.

cat <<EOF > $SPLUNK_HOME/etc/system/local/user-seed.conf [user_info] USERNAME = admin HASHED_PASSWORD = $6$TOs.jXjSRTCsfPsw$2St.t9lH9fpXd9mCEmCizWbb67gMFfBIJU37QF8wsHKSGud1QNMCuUdWkD8IFSgCZr5.W6zkjmNACGhGafQZj1 EOF

Alternatively you can create and export a user-seed.conf file with the same information, put it in Ansible Vault and then have it placed in $SPLUNK_HOME/etc/system/local as part of the automation

None of the hosts that user-seed.conf is being distributed to have to have the same splunk.secret since it's just hash-matching, not decrypting.