Script admin password change when first admin login requires password change

bdruth
Path Finder

I'm scripting automated provisioning of the Splunk marketplace AMI and I can't figure out how to script the required initial password change so that I can perform other scripted steps.

  sudo /opt/splunk/bin/splunk edit user admin -password '<new password>' -auth admin:<initial pass>
  The administrator requires you to change your password.
  Please enter a new password:

Short of writing an expect script (please no), is there a way to get past this?

1 Solution

bdruth
Path Finder

Thank you @micahkemp for pointing at $SPLUNK_HOME/etc/passwd - there's a flag on the admin user, force_change_pass - removing this and restarting the splunk service will allow the CLI to change the password (or do anything else) without prompting for a password change.

  sudo -u splunk sed -i -e 's/force_change_pass$//' /opt/splunk/etc/passwd
  sudo service splunk restart
  sudo /opt/splunk/bin/splunk edit user admin -password '<new pass>' -auth admin:<initial pass>

As of 7.0.0, this works.
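
An idempotent variant of the sed step in the answer above, added here as an example (not code from the original post or from Splunk). It clears the flag for one named user only and keeps a backup; the function names and the sample passwd lines are constructed, and the field layout is an assumption taken from the sed pattern in the post.

```shell
# Added example. Return codes: 0 = flag removed, 1 = nothing to do, 2 = error.
# Assumption: force_change_pass is the last field on the user's line,
# as the sed pattern in the post implies.
clear_force_change_pass() {
    _file=$1; _user=${2:-admin}
    _pat="^:?${_user}:.*force_change_pass\$"
    [ -r "$_file" ] && [ -w "$_file" ] || { echo "cannot access $_file" >&2; return 2; }
    # Idempotent: leave the file untouched when the flag is already gone.
    grep -Eq "$_pat" "$_file" || return 1
    # The backup holds password hashes; cp -p keeps the original mode on it.
    cp -p "$_file" "$_file.bak" || return 2
    _tmp=$(mktemp) || return 2
    # Strip the flag from the named user's line only; other accounts keep theirs.
    if sed -e "/^:\{0,1\}${_user}:/ s/force_change_pass\$//" "$_file" > "$_tmp"; then
        # Write back through the existing file so owner and mode do not change.
        cat "$_tmp" > "$_file"
    fi
    rm -f "$_tmp"
    # Succeed only if the flag is really gone.
    ! grep -Eq "$_pat" "$_file"
}

make_sample_passwd() {
    # Constructed sample lines; layout and hashes are placeholders.
    _s=$(mktemp) || return 2
    printf '%s\n' \
        ':admin:$6$PLACEHOLDERHASH::Administrator:admin:changeme@example.com::force_change_pass' \
        ':svc_report:$6$PLACEHOLDERHASH::Reporting:user:svc@example.com::force_change_pass' > "$_s"
    echo "$_s"
}

# Demo on the constructed file; on a real host pass /opt/splunk/etc/passwd instead
# and run as the splunk user, then restart the service as in the post.
sample=$(make_sample_passwd)
clear_force_change_pass "$sample" admin && cat "$sample"
rm -f "$sample" "$sample.bak"
```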


rbendik
New Member

@bdruth, what was the solution you found, if you don't mind sharing?

0 Karma

bdruth
Path Finder

One additional comment - adding the $SPLUNK_HOME/etc/.ui_login does prevent the UI from providing the assistive info re: what the initial login is when you hit the login page the first time.

0 Karma

micahkemp
Champion

So if you were planning on deploying a single password (as in, not different per machine), copying a pre-configured etc/passwd would have accomplished this as well, right?

0 Karma

micahkemp
Champion

You could do a fresh install, change the admin password, and copy the $SPLUNK_HOME/etc/passwd file contents to put in place (even before installing Splunk) on the image.

Also, you can disable the password change prompt by creating the file (touch it): $SPLUNK_HOME/etc/.ui_login

The above tidbit courtesy of a past answers question. It's not actually changing the password that removes the prompt to change your password; it's logging in to the UI the first time. touching the .ui_login button will make it seem like you've already logged in.

0 Karma

bdruth
Path Finder

The image has Splunk installed and it starts when the AMI launches. Not sure if replacing etc/passwd would set the 'user has changed his password' flag - the AMI, when it boots, already sets the initial password (it's the instance ID). But, I can try and report back.

0 Karma

bdruth
Path Finder

Actually - the .ui_login trick doesn't seem to work anymore. That was the first thing I came across, too. I did however figure out what does work 🙂

0 Karma

micahkemp
Champion

Edited based on your comment that what's important is no longer being prompted to change your password.

0 Karma