I'm scripting automated provisioning of the Splunk marketplace AMI and I can't figure out how to script the required initial password change so that I can perform other scripted steps.
sudo /opt/splunk/bin/splunk edit user admin -password '<new password>' -auth admin:<initial pass>
The administrator requires you to change your password.
Please enter a new password:
Short of writing an expect script (please no), is there a way to get past this?
Thank you @micahkemp for pointing at $SPLUNK_HOME/etc/passwd - there's a flag on the admin user, force_change_pass - removing this and restarting the splunk service will allow the CLI to change the password (or do anything else) without prompting for a password change.
sudo -u splunk sed -i -e 's/force_change_pass$//' /opt/splunk/etc/passwd
sudo service splunk restart
sudo /opt/splunk/bin/splunk edit user admin -password '<new pass>' -auth admin:<initial pass>
As of 7.0.0, this works.
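The steps from the answer above as one re-runnable provisioning script (an added example, not code from the posters or from Splunk). The sed pattern and the splunk command are the ones posted; the function names, the INITIAL_PASS and NEW_PASS environment variables, the --apply switch and the sample passwd line are assumptions.

```shell
#!/bin/sh
# Added example: idempotent first-boot admin password change on the Splunk AMI.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Constructed sample line for dry runs; the real field layout may differ.
demo_passwd() {
    printf '%s\n' ':admin:$6$CONSTRUCTED::Administrator:admin:::force_change_pass'
}

# Strip a trailing force_change_pass flag (same pattern as the posted sed).
# Returns 0 if the file was changed, 1 if the flag was already absent,
# 2 on error, so a second provisioning run is a no-op.
clear_force_change_flag() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    grep -q 'force_change_pass$' "$file" || return 1
    tmp=$(mktemp) || return 2
    # Write back with cat so the file keeps its owner and mode.
    if sed -e 's/force_change_pass$//' "$file" > "$tmp" && cat "$tmp" > "$file"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 2
    fi
    # Confirm the flag is really gone before anything depends on it.
    ! grep -q 'force_change_pass$' "$file" || return 2
    return 0
}

# Full sequence from the answer; run as root. Passwords are passed in argv
# exactly as in the posted command, so they show in the process list while
# the splunk CLI runs.
rotate_admin_password() {
    : "${INITIAL_PASS:?set INITIAL_PASS}" "${NEW_PASS:?set NEW_PASS}"
    clear_force_change_flag "$SPLUNK_HOME/etc/passwd"
    case $? in
        0) service splunk restart || return 1 ;;  # the answer restarts after the edit
        1) ;;                                     # flag already cleared, no restart
        *) return 1 ;;
    esac
    "$SPLUNK_HOME/bin/splunk" edit user admin -password "$NEW_PASS" \
        -auth "admin:$INITIAL_PASS"
}

# Nothing touches the system unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    rotate_admin_password
fi
```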
@bdruth, what was the solution you found if you don't mind sharing?
One additional comment - adding the $SPLUNK_HOME/etc/.ui_login does prevent the UI from providing the assistive info re: what the initial login is when you hit the login page the first time.
So if you were planning on deploying a single password (as in, not different per machine), copying a pre-configured etc/passwd would have accomplished this as well, right?
You could do a fresh install, change the admin password, and copy the $SPLUNK_HOME/etc/passwd file contents to put in place (even before installing Splunk) on the image.
Also, you can disable the password change prompt by creating the file (touch it): $SPLUNK_HOME/etc/.ui_login
The above tidbit courtesy of a past answers question. It's not actually changing the password that removes the prompt to change your password; it's logging in to the UI the first time. touching the .ui_login button will make it seem like you've already logged in.
The image has Splunk installed and it starts when the AMI launches. Not sure if replacing etc/passwd would set the 'user has changed his password' flag - the AMI, when it boots, already sets the initial password (it's the instance ID). But, I can try and report back.
Actually - the .ui_login trick doesn't seem to work anymore. That was the first thing I came across, too. I did however figure out what does work 🙂
Edited based on your comment that what's important is no longer being prompted to change your password.