Get Backdoor Admin Password From Keychain - Rocketman-Tech/rcc GitHub Wiki

The Get Backdoor Admin Password From Keychain tool retrieves the password of a designated "backdoor" or breakglass admin account from the system keychain. It is primarily designed for integration with Jamf extension attributes.

Recommended Usage: Jamf Extension Attribute

To use this tool effectively within a Jamf extension attribute, refer to the following script example:

Jamf Extension Attribute Script

```zsh
#!/bin/zsh
# Define the username, extension attribute, and keychain path of the backdoor admin account
# (the space in "Managed Preferences" must be escaped in every path)
BreakglassAdminUsername=$(defaults read /Library/Managed\ Preferences/tech.rocketman.breakglass shortName)
BreakglassAdminExtAttr=$(defaults read /Library/Managed\ Preferences/tech.rocketman.breakglass extAttr)
BreakglassAdminKeyChain=$(defaults read /Library/Managed\ Preferences/tech.rocketman.breakglass keyChain)

# Check if rocketman (RCC) is installed
if ! command -v rocketman &>/dev/null; then
  echo "<result>RCC Not Installed</result>"
  exit 0
fi

# Retrieve the password from the keychain
BreakglassAdminPassword=$(
rocketman GetBackdoorAdminPasswordFromKeychain \
  --shortName "$BreakglassAdminUsername" \
  --extAttr "$BreakglassAdminExtAttr" \
  --keyChain "$BreakglassAdminKeyChain" \
  2>/dev/null
)
# $? here is the exit status of the command substitution above
exitCode=$?

# Evaluate the result
if [[ $exitCode -eq 0 && -n "$BreakglassAdminPassword" ]]; then
  # Successfully retrieved password
  echo "<result>$BreakglassAdminPassword</result>"
elif [[ $exitCode -eq 1 ]]; then
  # Tool indicates no password set
  echo "<result>No Backdoor Admin Password Set</result>"
else
  # Any other non-zero exit code is considered an unknown error
  echo "<result>Other Error Occurred</result>"
fi
```

This script:

  1. Reads the username, extension attribute and keychain path for the backdoor admin account from the managed preferences domain tech.rocketman.breakglass.
  2. Checks whether Rocketman Command Center (RCC) is installed and reports if it is not.
  3. Attempts to retrieve the password for the specified account from the keychain using RCC.
  4. Outputs the password or a relevant status message in the <result> format that Jamf extension attributes expect.
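The wiki script above passes whatever `defaults read` returns straight to the tool, so a missing managed-preference key yields an empty argument. The following is an added example (not RCC project code) that falls back to the defaults documented under Command Options when a key is absent and factors the exit-code handling into a testable function; the preference domain path and the default values are taken from this page, and the `-f` check on the keychain path is an added sanity check.

```shell
#!/bin/sh
# Added example (not RCC project code): Jamf EA wrapper around
# GetBackdoorAdminPasswordFromKeychain with documented defaults.
PREF_DOMAIN="/Library/Managed Preferences/tech.rocketman.breakglass"

# read_pref KEY DEFAULT: print the managed value, or DEFAULT when the key is
# absent (`defaults read` exits non-zero for a missing key). On non-macOS
# hosts there is no `defaults` command, so DEFAULT is returned.
read_pref() {
  key=$1; fallback=$2; value=""
  if command -v defaults >/dev/null 2>&1; then
    value=$(defaults read "$PREF_DOMAIN" "$key" 2>/dev/null) || value=""
  fi
  if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$fallback"; fi
}

# ea_result EXIT_CODE PASSWORD: map the tool's outcome to a Jamf <result> tag.
# Exit 0 with empty output is reported as an error, not as "no password set".
ea_result() {
  code=$1; password=$2
  if [ "$code" -eq 0 ] && [ -n "$password" ]; then
    printf '<result>%s</result>\n' "$password"
  elif [ "$code" -eq 1 ]; then
    printf '<result>No Backdoor Admin Password Set</result>\n'
  else
    printf '<result>Other Error Occurred</result>\n'
  fi
}

# retrieve_ea: the full EA flow; call this on a Jamf-managed Mac with RCC installed.
retrieve_ea() {
  command -v rocketman >/dev/null 2>&1 || { printf '<result>RCC Not Installed</result>\n'; return 0; }
  short_name=$(read_pref shortName "commander")
  ext_attr=$(read_pref extAttr "RCC: Breakglass Admin Password - Commander")   # case-sensitive
  keychain=$(read_pref keyChain "/Library/Keychains/System.keychain")
  # Added sanity check: a non-existent keychain file is reported as an error up front.
  [ -f "$keychain" ] || { printf '<result>Other Error Occurred</result>\n'; return 0; }
  password=$(rocketman GetBackdoorAdminPasswordFromKeychain \
    --shortName "$short_name" --extAttr "$ext_attr" --keyChain "$keychain" 2>/dev/null)
  ea_result $? "$password"
}
```

Add a final line `retrieve_ea` to use it as the extension attribute script body.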

Command Options

Required Parameters

None. Every parameter is optional; when none are given, the tool runs with the defaults listed below.


Optional Parameters

--shortName [string]

The short name or username of the admin account whose password is stored in the keychain.

  • Type: string
  • Default: commander
  • Example:
    rocketman GetBackdoorAdminPasswordFromKeychain --shortName breakglass

--extAttr [string]

The name of the extension attribute under which the password was stored in the keychain. The tool uses this name to identify which keychain entry to retrieve.

  • Type: string
  • Default: RCC: Breakglass Admin Password - Commander
  • Example:
    rocketman GetBackdoorAdminPasswordFromKeychain --extAttr "BreakGlass Admin Password"

--domain [string]

Specifies the domain to use for locating configuration options in local or managed .plist files.

  • Type: string
  • Default: tech.rocketman.getbdadminpassfromkeychain
  • Example:
    rocketman GetBackdoorAdminPasswordFromKeychain --domain "custom.domain.getBackdoorPassword"

--keyChain [string]

Path to the keychain file where the password is stored. Typically set to /Library/Keychains/System.keychain for system-wide credentials.

  • Type: string
  • Default: /Library/Keychains/System.keychain
  • Example:
    rocketman GetBackdoorAdminPasswordFromKeychain --keyChain /Library/Keychains/System.keychain

Important Notes

  • Recommended Usage: While this tool can be used directly from the command line, its primary use case is within Jamf extension attributes for secure, automated password retrieval.
  • Keychain Access: Ensure the specified keychain file contains the correct password entry. Use the --keyChain parameter to point to the appropriate file.
  • Case Sensitivity: The extension attribute provided with --extAttr is case-sensitive. Ensure it matches the exact name used in the keychain.

Screenshot Example
