Script admin password change when first admin login requires password change

bdruth
Path Finder

I'm scripting automated provisioning of the Splunk marketplace AMI and I can't figure out how to script the required initial password change so that I can perform other scripted steps.

  sudo /opt/splunk/bin/splunk edit user admin -password '<new password>' -auth admin:<initial pass>
  The administrator requires you to change your password.
  Please enter a new password:

Short of writing an expect script (please no), is there a way to get past this?

bdruth
Path Finder

Thank you @micahkemp for pointing at $SPLUNK_HOME/etc/passwd - there's a flag on the admin user, force_change_pass - removing this and restarting the splunk service will allow the CLI to change the password (or do anything else) without prompting for a password change.

  sudo -u splunk sed -i -e 's/force_change_pass$//' /opt/splunk/etc/passwd
  sudo service splunk restart
  sudo /opt/splunk/bin/splunk edit user admin -password '<new pass>' -auth admin:<initial pass>

As of 7.0.0, this works.

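An idempotent form of the flag removal from the accepted solution, as an added example (not code from the thread or from Splunk). It assumes etc/passwd is colon-separated with the username in the second field and force_change_pass as the last token on the line; the function names and the sample file are constructed for illustration. Unlike the sed one-liner it edits only the named user's line and reports whether anything changed, so the restart can be made conditional.

```shell
#!/bin/sh
# Assumed layout of $SPLUNK_HOME/etc/passwd: colon-separated fields,
# username in field 2, force_change_pass as the last token on the line.

# clear_force_change_pass FILE USER
#   returns 0 = flag removed, 1 = flag not set (nothing to do), 2 = error
clear_force_change_pass() {
    file=$1 user=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Act only when this user's line really ends with the flag.
    awk -F: -v u="$user" \
        '$2 == u && /force_change_pass$/ { found = 1 } END { exit !found }' \
        "$file" || return 1

    # mktemp creates the scratch file mode 0600, so hashes stay private.
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    # Rewrite only the named user's line; other accounts keep their flag.
    awk -F: -v u="$user" \
        '$2 == u { sub(/force_change_pass$/, "") } { print }' \
        "$file" > "$tmp" &&
        cat "$tmp" > "$file"    # overwrite in place: owner and mode unchanged
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    return 0
}

# Constructed sample in the assumed layout (hash values are placeholders).
make_sample_passwd() {
    cat > "$1" <<'EOF'
:admin:$6$PLACEHOLDERHASH::Administrator:admin:changeme@example.com::force_change_pass
:svc_report:$6$PLACEHOLDERHASH::Reporting:user:reports@example.com::force_change_pass
EOF
}

# Demo on a throwaway file; it never touches a real Splunk install.
demo=$(mktemp) && make_sample_passwd "$demo" &&
    clear_force_change_pass "$demo" admin && cat "$demo"; rm -f "$demo"

# In provisioning (path as in the thread), restart only when the file changed:
#   if clear_force_change_pass /opt/splunk/etc/passwd admin; then
#       service splunk restart
#   fi
```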

rbendik
New Member

@bdruth, what was the solution you found, if you don't mind sharing?

0 Karma

bdruth
Path Finder

One additional comment - adding the $SPLUNK_HOME/etc/.ui_login does prevent the UI from providing the assistive info re: what the initial login is when you hit the login page the first time.

0 Karma

micahkemp
Champion

So if you were planning on deploying a single password (as in, not different per machine), copying a pre-configured etc/passwd would have accomplished this as well, right?

0 Karma

micahkemp
Champion

You could do a fresh install, change the admin password, and copy the $SPLUNK_HOME/etc/passwd file contents to put in place (even before installing Splunk) on the image.

Also, you can disable the password change prompt by creating the file (touch it): $SPLUNK_HOME/etc/.ui_login

The above tidbit courtesy of a past answers question. It's not actually changing the password that removes the prompt to change your password; it's logging in to the UI the first time. touching the .ui_login button will make it seem like you've already logged in.

0 Karma

bdruth
Path Finder

The image has Splunk installed and it starts when the AMI launches. Not sure if replacing etc/passwd would set the 'user has changed his password' flag - the AMI, when it boots, already sets the initial password (it's the instance ID). But, I can try and report back.

0 Karma

bdruth
Path Finder

Actually - the .ui_login trick doesn't seem to work anymore. That was the first thing I came across, too. I did however figure out what does work 🙂

0 Karma

micahkemp
Champion

Edited based on your comment that what's important is no longer being prompted to change your password.

0 Karma