Changing the root password from S.U.M.
A while ago I posted to the Mac OS X Server list a way of changing (or setting) the root password from Single User Mode, i.e. without an install DVD handy and without having to start any daemons. I even found it the other day on Mr. Shoop's site, so I thought I would write it up and talk about how it works and some caveats. I also included a little general information about "local" passwords.

First we need to boot into Single User Mode: hold Command (⌘) + S during startup. Then mount the hard drive so it is writable (a pretty standard step):

    mount -uw /

We use nicl in raw mode to inject an older-style crypt password directly into the local NetInfo database. See the end of this post for how to back the database up first, as a mistake here could do some real damage.

    nicl -raw /var/db/netinfo/local.nidb create /users/root passwd $(openssl passwd r00tpass)

Beware of the line break: type it on one line, with a space after the first "passwd".

    nicl -raw /var/db/netinfo/local.nidb create /users/root authentication_authority ';basic;'

On Mac OS X Server you may also need to set the authentication authority as above so that the existing root password is bypassed; this step only applies if root already has a password. You won't have to undo it later, because the loginwindow updates it automatically the first time you log in.

You're all done. Reboot, then log in as root from the console (or otherwise) with whatever password you specified, or rather its first 8 characters, since crypt ignores the rest. With the example above that is username: root, password: r00tpass.

    reboot   # "exit" would work as well

Now that we are into the system we can do what we came for, and to clean up we can disable the root account. If this is Server, be aware that root needs to be enabled for Open Directory replica creation. The following disables root's password:

    dsenableroot -d

Or, to just change the password (which also updates you to a shadow hash, if the loginwindow didn't already do it because you didn't need to change to ;basic; above):

    dscl . -passwd /users/root

You must either prefix these with sudo or still be logged in as root to perform these operations.

Also, if you don't see an "Other" prompt at the loginwindow, it probably didn't work. You can still force a prompt: select a username in the loginwindow with the arrow keys (up or down) and hit return while holding the Option key. This will put you at a username and password prompt no matter what (MCX included).
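As an added example (my own script, not code from the original post), the following POSIX shell script demonstrates two caveats of the crypt-style password injected with nicl above: only the first 8 characters of the password count, and the 13-character hash can be recovered from a word list, which is exactly what a tool like john the ripper automates. The function names (crypt_hash, crack_crypt, main), the fixed salt "xx" and the three-word list are assumptions of mine. Because "openssl passwd -crypt" was removed in OpenSSL 3.0, the script falls back to perl's and Python's crypt() when openssl cannot produce a DES hash.

```shell
#!/bin/sh
# Added example, not part of the original post. Shows why the crypt-style
# root password set with nicl is weak: traditional DES crypt() only looks at
# the first 8 characters of the password, and the 13-character result
# (2-char salt + 11 chars of hash) can be brute-forced from a word list.
# The function names, the salt and the word list below are my own.

# crypt_hash PASSWORD SALT -> prints the 13-char DES crypt hash, or fails.
# Tries several backends in turn: "openssl passwd -crypt" (what the post's
# openssl call used) was removed in OpenSSL 3.0, so fall back to perl's and
# then Python's crypt().
crypt_hash() {
    pw=$1
    salt=$2
    h=$(openssl passwd -crypt -salt "$salt" "$pw" 2>/dev/null) ||
    h=$(perl -e 'print crypt($ARGV[0], $ARGV[1])' -- "$pw" "$salt" 2>/dev/null) ||
    h=$(python3 -c 'import crypt, sys; print(crypt.crypt(sys.argv[1], sys.argv[2]))' \
        "$pw" "$salt" 2>/dev/null)
    # A real DES crypt result is exactly 13 chars and starts with the salt;
    # libcrypt builds without DES return "*0"/"*1" or nothing instead.
    [ "${#h}" -eq 13 ] || return 1
    case $h in
        "$salt"*) printf '%s\n' "$h" ;;
        *) return 1 ;;
    esac
}

# crack_crypt HASH WORD... -> prints the first word that hashes to HASH.
# The salt is public (first two chars of the hash), so an attacker just
# re-hashes every candidate; this is a word-list attack minus the speed.
crack_crypt() {
    target=$1
    shift
    salt=$(printf '%s' "$target" | cut -c1-2)
    for word in "$@"; do
        if [ "$(crypt_hash "$word" "$salt" 2>/dev/null)" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

main() {
    salt=xx   # the post's openssl call picks a random salt; fixed here
    h=$(crypt_hash r00tpass "$salt") || {
        echo "no DES crypt backend available on this machine" >&2
        return 1
    }
    echo "crypt(r00tpass,     $salt) = $h"
    # Everything beyond 8 characters is silently dropped: same hash.
    echo "crypt(r00tpassword, $salt) = $(crypt_hash r00tpassword "$salt")"
    # Constructed mini word list standing in for a real dictionary.
    echo "word list hit: $(crack_crypt "$h" letmein password r00tpass)"
}

main
```

Run it on any box with openssl 1.x, perl or Python 3.12 or older: the two hashes print identical, and the three-word "dictionary" recovers r00tpass from the hash alone, which is why the plaintext you typed in single user mode must not survive in a history file and why the crypt password should be replaced with a shadow hash once you are back in.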
A little about local passwords. The loginwindow (via DirectoryService) is still compatible with storing the password in the passwd attribute of the user record. Normally this is bypassed, as the attribute contains the placeholder "********", which is not your password, just a stand-in of sorts. Modern Mac OS X user records are instead told, by the AuthenticationAuthority attribute, to look in the shadow hash: a separate password file, if one exists, kept under /var/db/shadow/hash/ and named after the user's GeneratedUID. Both attributes can be read with dscl:

    dscl . -read /users/$USER GeneratedUID
    dscl . -read /users/$USER AuthenticationAuthority

Even Mobile accounts have this, as they have a "cached" password stored locally.

A crypt password, by contrast, looks like a random 13-character string in place of the 8 stars (and optionally has ;basic; as the AuthenticationAuthority attribute mentioned above):

    pu/JNtJf3ipxY

This string is not the password itself but the crypt hash of it, computed from at most the first 8 characters you typed in; the first two characters are the salt.

A major concern about passwords in crypt format is that they can potentially be cracked using tools like john the ripper. So if you plan on re-using this password in the future, it would be best to cover your tracks by securely erasing your command history, which will contain the plaintext password you passed to openssl in the nicl command. While still in single user mode (if your shell set a history file):

    srm "$HISTFILE"

Or to do this after the fact; the file is almost always:

    srm /var/root/.bash_history

Incidentally, from the running system an admin can force the machine to boot into single user mode:

    sudo nvram boot-args="-s"

It will keep booting single user until you clear the setting (from single user mode or otherwise, e.g. an install DVD):

    nvram boot-args=

But admins can normally change the root password, or just use sudo, anyway.

Backing up the NetInfo database before the nicl steps above:

    cp -Rp /var/db/netinfo/local.nidb /var/db/netinfo/local.nidb.bkp

Then, to restore, move the existing database out of the way:

    mv /var/db/netinfo/local.nidb /var/db/netinfo/local.nidb.broke

and put back the backup you created:

    mv /var/db/netinfo/local.nidb.bkp /var/db/netinfo/local.nidb

If worst comes to worst, check out Apple's doc on replacing the NetInfo database.

Thanks for reading. If you would like to contact me with comments or inaccuracies about this article, feel free, but support requests will be ignored unless you would like to sign up for Iris Professional Services. Thanks.
Posted in System Administration, Tips and Tricks
