
Scripting admin credentials in scripted install

tkw03
Communicator

Hello

I'm working on a new script to install Splunk via bash. Before accepting the license and starting Splunk, with no prompt and answering yes, I'm creating the user-seed.conf file in system/local.


#create admin account
cd /opt/splunk/etc/system/local/
touch user-seed.conf
echo "[user_info]" >> user-seed.conf
echo "USERNAME = admin" >> user-seed.conf
echo "HASHED_PASSWORD = <hashed pass>" >> user-seed.conf

However, after


'/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt'

and going back and trying to find user-seed.conf, it no longer exists. I'm also removing any file etc/passwd before starting. When Splunk starts with the hashed pass in user-seed.conf, does that file disappear or get moved?

Maybe I'm going about this the wrong way? Better way to do this?

Thanks for the thoughts!

Todd

0 Karma

codebuilder
SplunkTrust

Since you are starting Splunk for the first time it's not going to honor your value for the HASHED_PASSWORD parameter. Use PASSWORD instead and Splunk will hash it for you.

You can also use this syntax in your start command (though it does leave it behind in the command history), "admin" is the default admin user:
splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>

If you use the user-seed.conf method (with PASSWORD) be sure the directory/file are owned by the user/group that you are running Splunk as.

----
An upvote would be appreciated and Accept Solution if it helps!

isoutamo
SplunkTrust

Splunk honors your HASHED_PASSWORD in user-seed.conf if you have created it, as you said later on, with the command "splunk hash-password" and added it to this file. You must do this before starting it for the first time.

tkw03
Communicator

The only problem I see is that user-seed.conf no longer exists once I start Splunk the first time AND when I look at passwd it does not contain any of the info I put in user-seed.conf, so I don't know how to verify the password is actually set as I wanted it to be.

Any ideas how I can verify that? "validate-passwd" doesn't seem to tell me what I need to know.

Thanks as always

Todd

0 Karma

isoutamo
SplunkTrust

This works in our Ansible scripts: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount

And as was said earlier, Splunk removes that user-seed.conf file after a successful start. You could test it e.g. by

splunk list tcp

and give the user and its password. If it works, it gives you an answer for that query.

r. Ismo

codebuilder
SplunkTrust

If it returns nothing then your password meets requirements. Otherwise it will return an ERROR.

e.g...

splunk validate-passwd '$6$m84'
ERROR: Password did not meet complexity requirements. Password must contain at least:
* 8 total printable ASCII character(s).


tkw03
Communicator

The un-hashed password returns nothing, which I think means it works?
I tried the hashed password but it errors, but I think it probably should, right?

0 Karma

codebuilder
SplunkTrust

If your hashed password threw errors then it either does not meet complexity requirements or you need to enclose it within tick marks.

0 Karma

tkw03
Communicator

I thought that might happen. My goal is to NOT use a clear-text password but I've been having a bit-o-trouble getting that lined out. Any thoughts on how that might be achieved?

Thanks all for the assistance!

0 Karma

codebuilder
SplunkTrust

You can use a hashed password, it just needs to be hashed by Splunk. It can't be a random string you create.
This obviously means you need to have Splunk up and running (somewhere) but here is the command:

splunk hash-passwd <plaintext password>


You should be able to execute that on an unrelated node running the same Splunk version and be fine.


tkw03
Communicator

I did do that; the hashed pass I used in the script is the hashed password I created from the password I wanted to use. I didn't create a random hash. It doesn't appear to update passwd though, so I'm not sure it actually works.

0 Karma

codebuilder
SplunkTrust

There is also a validate-passwd function you can use after hashing.

More info here: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount

0 Karma

scelikok
SplunkTrust

Hi @tkw03,

This is normal behaviour. The passwd file is updated with your hashed password and the user-seed.conf file is deleted.

I think you are able to login with the new password.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
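
The seeding and verification steps discussed in this thread, scripted as an added example (not code from any poster or from Splunk): it writes user-seed.conf with a pre-hashed password and restrictive permissions, then checks after first start that the file was consumed and etc/passwd has the account. The helper names, the `$6$` prefix check and the colon-separated etc/passwd layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example. write_user_seed and seed_consumed are hypothetical helper names.

# write_user_seed SPLUNK_HOME USERNAME HASH
# Writes etc/system/local/user-seed.conf readable only by the calling account.
# Run it as the account Splunk runs as, so ownership is already correct.
write_user_seed() {
    local home="$1" user="$2" hash="$3"
    local dir="$home/etc/system/local"
    # Assumption: 'splunk hash-passwd' output starts with "$6$"; a value without
    # that prefix is treated as plaintext and rejected.
    case $hash in
        '$6$'?*) ;;
        *) echo "refusing to write: value is not a \$6\$ hash" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    # '>' instead of '>>' so a re-run cannot leave two stanzas behind; umask and
    # chmod keep the file at mode 600 whether it is new or already existed.
    ( umask 077
      printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' "$user" "$hash" \
          > "$dir/user-seed.conf" && chmod 600 "$dir/user-seed.conf" )
}

# seed_consumed SPLUNK_HOME USERNAME
# Run after the first start. Returns 0 if user-seed.conf is gone and etc/passwd
# holds a non-empty hash for USERNAME, 1 if the seed file is still present,
# 2 if etc/passwd is missing or has no entry for USERNAME.
seed_consumed() {
    local home="$1" user="$2"
    [ ! -e "$home/etc/system/local/user-seed.conf" ] || return 1
    # Assumed etc/passwd layout: ":<user>:<hash>:..." (leading colon).
    awk -F: -v u="$user" '$2 == u && $3 != "" { ok = 1 } END { exit !ok }' \
        "$home/etc/passwd" 2>/dev/null || return 2
}

# Typical use in an install script (ADMIN_HASH is a hypothetical variable holding
# the output of 'splunk hash-passwd', produced on another node):
#   write_user_seed /opt/splunk admin "$ADMIN_HASH" || exit 1
#   /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt
#   seed_consumed /opt/splunk admin || echo "admin account was not seeded" >&2
```

A return of 1 from `seed_consumed` after startup means the seed file was never read, which points at the ownership issue mentioned earlier in the thread or at an etc/passwd that already existed.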