I'm working on a new script to install Splunk via bash. Before accepting the license and starting Splunk with no prompt and answering yes, I'm creating the user-seed.conf file in system/local:

#create admin account
cd /opt/splunk/etc/system/local/
touch user-seed.conf
echo "[user_info]" >> user-seed.conf
echo "USERNAME = admin" >> user-seed.conf
echo "HASHED_PASSWORD = <hashed pass>" >> user-seed.conf

/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt

When I go back and try to find user-seed.conf, it no longer exists. I'm also removing any etc/passwd file before starting. When Splunk starts with the hashed pass in user-seed.conf, does that file disappear or get moved?
Maybe I'm going about this the wrong way? Is there a better way to do this?
Thanks for the thoughts!
Since you are starting Splunk for the first time it's not going to honor your value for the HASHED_PASSWORD parameter. Use PASSWORD instead and Splunk will hash it for you.
You can also use this syntax in your start command (though it does leave it behind in the command history), "admin" is the default admin user:
splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>
If you use the user-seed.conf method (with PASSWORD) be sure the directory/file are owned by the user/group that you are running Splunk as.
The only problem I see is that user-seed.conf no longer exists once I start Splunk the first time, AND when I look at passwd it does not contain any of the info I put in user-seed.conf, so I don't know how to verify the password is actually set as I wanted it to be.
Any ideas how I can verify that? "validate-passwd" doesn't seem to tell me what I need to know.
Thanks as always
This works on our ansible scripts https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount
And as was said earlier, Splunk removes that user-seed.conf file after a successful start. You could test it e.g. by
splunk list tcp
and give the user and its password. If it works, it gives you an answer for that query.
If it returns nothing then your password meets requirements. Otherwise it will return an ERROR.
splunk validate-passwd '$6$m84'
ERROR: Password did not meet complexity requirements. Password must contain at least:
* 8 total printable ASCII character(s).
The un-hashed password returns nothing which I think means it works?
I tried the hashed password but it errors, but I think it probably should, right?
If your hashed password threw errors then it either does not meet complexity requirements or you need to enclose it within tick marks.
I thought that might happen. My goal is to NOT use a clear-text password, but I've been having a bit-o-trouble getting that lined out. Any thoughts on how that might be achieved?
Thanks all for the assistance!
You can use a hashed password, it just needs to be hashed by Splunk. It can't be a random string you create.
This obviously means you need to have Splunk up and running (somewhere) but here is the command:
splunk hash-passwd <plaintext password>
You should be able to execute that on an unrelated node running the same Splunk version and be fine.
I did do that; the hashed pass I used in the script is the hashed password I created from the password I wanted to use. I didn't create a random hash. It doesn't appear to update passwd though, so I'm not sure it actually works.
There is also a validate-passwd function you can use after hashing.
More info here: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount
This is normal behaviour. The passwd file is updated with your hashed password and the user-seed.conf file is deleted.
I think you are able to login with the new password.
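Pulling the thread's advice together (seed with PASSWORD and correct file ownership, then confirm the seed file was consumed and the login works), here is an added bash example; it is not code from the thread or from Splunk. The function names, the SEED_USER/SEED_PASS inputs, the assumed etc/passwd line layout and the constructed sample password are all this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: seed the Splunk admin account from an
# install script with PASSWORD (Splunk hashes it on first start), lock the
# file down, and check afterwards that the seed was consumed and login works.
set -euo pipefail

# write_user_seed SPLUNK_HOME USERNAME PASSWORD OWNER
# Writes etc/system/local/user-seed.conf readable only by OWNER (the user[:group]
# splunkd runs as) and prints the path of the file it wrote.
write_user_seed() {
  local home="$1" user="$2" pass="$3" owner="$4"
  local dir="$home/etc/system/local" seed
  seed="$dir/user-seed.conf"
  mkdir -p "$dir"
  # Subshell so the restrictive umask does not leak into the rest of the script.
  ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" > "$seed" )
  chown "$owner" "$dir" "$seed"
  chmod 600 "$seed"
  printf '%s\n' "$seed"
}

# seed_consumed SPLUNK_HOME USERNAME
# After the first start Splunk deletes user-seed.conf and writes the hashed
# entry to etc/passwd; returns 0 only when both have happened.
seed_consumed() {
  local home="$1" user="$2"
  [ ! -e "$home/etc/system/local/user-seed.conf" ] || return 1
  # Assumption: etc/passwd lines carry the username as the second colon-separated
  # field, with a leading colon, e.g. ":admin:$6$...:...". Adjust if yours differ.
  grep -q "^:\{0,1\}${user}:" "$home/etc/passwd"
}

# login_works SPLUNK_HOME USERNAME PASSWORD
# Authenticates with a harmless read-only CLI call, the same idea as the
# 'splunk list tcp' check suggested in the thread. Returns 0 on success.
login_works() {
  local home="$1" user="$2" pass="$3"
  "$home/bin/splunk" list tcp -auth "${user}:${pass}" >/dev/null 2>&1
}

# Installer entry point (needs a real Splunk under SPLUNK_HOME). SEED_PASS is
# taken from the environment so no clear-text password lives in the script.
if [ "${1:-}" = "install" ]; then
  : "${SPLUNK_HOME:=/opt/splunk}" "${SEED_USER:=admin}" "${SEED_PASS:?set SEED_PASS}"
  write_user_seed "$SPLUNK_HOME" "$SEED_USER" "$SEED_PASS" "splunk:splunk"
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  seed_consumed "$SPLUNK_HOME" "$SEED_USER" \
    && login_works "$SPLUNK_HOME" "$SEED_USER" "$SEED_PASS" \
    && echo "admin account seeded and verified"
fi
```

Run it as `SEED_PASS='...' ./seed-admin.sh install` on the target host; the functions can be exercised on their own against a scratch directory, which is what the checks below do.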