Script admin password change when first admin login requires password change

bdruth
Path Finder

I'm scripting automated provisioning of the Splunk marketplace AMI and I can't figure out how to script the required initial password change so that I can perform other scripted steps.

  sudo /opt/splunk/bin/splunk edit user admin -password '<new password>' -auth admin:<initial pass>
  The administrator requires you to change your password.
  Please enter a new password:

Short of writing an expect script (please no), is there a way to get past this?

1 Solution

bdruth
Path Finder

Thank you @micahkemp for pointing at $SPLUNK_HOME/etc/passwd - there's a flag on the admin user, force_change_pass - removing this and restarting the splunk service will allow the CLI to change the password (or do anything else) without prompting for a password change.

  sudo -u splunk sed -i -e 's/force_change_pass$//' /opt/splunk/etc/passwd
  sudo service splunk restart
  sudo /opt/splunk/bin/splunk edit user admin -password '<new pass>' -auth admin:<initial pass>

As of 7.0.0, this works.
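
An added example, not part of the original post: a provisioning-safe variant of the sed step above that strips force_change_pass only from the named user's record, keeps a backup, preserves the file's owner and mode, and reports whether anything changed so it can be re-run safely. The function name clear_force_flag, the sample records, and the record layout (user name in the second colon-separated field, flag at the end of the line) are assumptions; the Splunk restart from the post is still needed afterwards.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed record layout (constructed):
#   :<user>:<hash>::<full name>:<role>:<email>::[force_change_pass]

# clear_force_flag FILE [USER]
# Returns 0 if the flag was removed, 1 if it was not set, 2 on error.
clear_force_flag() {
    file=$1
    user=${2:-admin}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Idempotence check: act only if this user's record ends with the flag.
    awk -F: -v u="$user" \
        '$2 == u && /force_change_pass$/ { hit = 1 } END { exit !hit }' \
        "$file" || return 1

    # mktemp creates the scratch file with mode 0600, so hashes stay private.
    tmp=$(mktemp "${file}.XXXXXX") || return 2

    # Strip the flag from the named user's record only, keep a backup, then
    # overwrite in place so the original owner and mode are preserved.
    if awk -F: -v u="$user" \
           '$2 == u { sub(/force_change_pass$/, "") } { print }' \
           "$file" > "$tmp" \
       && cp -p "$file" "${file}.bak" \
       && cat "$tmp" > "$file"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# demo: run against a constructed two-user file in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' \
        ':admin:$6$CONSTRUCTED$hashA::Administrator:admin:a@example.com::force_change_pass' \
        ':ops:$6$CONSTRUCTED$hashB::Ops:user:o@example.com::force_change_pass' \
        > "$dir/passwd"
    clear_force_flag "$dir/passwd" admin
    rc=$?
    cat "$dir/passwd"
    rm -rf "$dir"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The .bak copy still contains the password hashes, so delete it or lock it down once provisioning has been verified.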


rbendik
New Member

@bdruth, what was the solution you found, if you don't mind sharing?

0 Karma

bdruth
Path Finder

One additional comment - adding the $SPLUNK_HOME/etc/.ui_login does prevent the UI from providing the assistive info re: what the initial login is when you hit the login page the first time.

0 Karma

micahkemp
Champion

So if you were planning on deploying a single password (as in, not different per machine), copying a pre-configured etc/passwd would have accomplished this as well, right?

0 Karma

micahkemp
Champion

You could do a fresh install, change the admin password, and copy the $SPLUNK_HOME/etc/passwd file contents to put in place (even before installing Splunk) on the image.

Also, you can disable the password change prompt by creating the file (touch it): $SPLUNK_HOME/etc/.ui_login

The above tidbit courtesy of a past answers question. It's not actually changing the password that removes the prompt to change your password; it's logging in to the UI the first time. Touching the .ui_login button will make it seem like you've already logged in.

0 Karma

bdruth
Path Finder

The image has Splunk installed and it starts when the AMI launches. Not sure if replacing etc/passwd would set the 'user has changed his password' flag - the AMI, when it boots, already sets the initial password (it's the instance ID). But, I can try and report back.

0 Karma

bdruth
Path Finder

Actually - the .ui_login trick doesn't seem to work anymore. That was the first thing I came across, too. I did however figure out what does work 🙂

0 Karma

micahkemp
Champion

Edited based on your comment that what's important is no longer being prompted to change your password.

0 Karma