We use FileVault with local accounts and needed to reset a user's password remotely.
None of the command-line options we tried kept FileVault in sync: the account password changed, but the FileVault unlock password stayed the old one.
Changing the password as the user in the Users & Groups preference pane does sync it, but that is not an option when the Mac is remote.
After much experimenting, the only command line that worked was running passwd as the user, not passwd user as root. The difference is that passwd run as the user asks for the old password, which is what lets the system re-wrap the user's FileVault key for the new one; a root passwd user never supplies it.
So run
sudo -u bobbysue passwd
Not
passwd bobbysue
This complicates the script, because passwd is interactive, so you need something like expect to answer its prompts. Everything below assumes the script itself runs as root (for example from a remote-management agent), so sudo -u does not ask for a password. Run it as an ordinary admin and sudo's own Password: prompt is the first thing expect matches, which throws the whole sequence off by one.
Here is what I came up with, and it seems to work well. The old and new passwords are plain shell variables, so set them first. The shell pastes them straight into the expect program, so a password containing a double quote, $, [ or a backslash needs more care than this.
old_pass="current-password"
new_pass="new-password"
expect -c "
# passwd run as the user prompts Old, New and Retype in turn; the pattern
# assword: matches all three whether the prompt starts with P or p
spawn sudo -u bobbysue passwd
sleep 1
expect \"assword:\"
send \"$old_pass\r\"
expect \"assword:\"
send \"$new_pass\r\"
expect \"assword:\"
send \"$new_pass\r\"
expect eof"
Wait, what if I don't know the old password?
Reset it to a known password as root first: passwd user does not need the old one. That leaves FileVault out of sync, so then change it again as the user, giving the now-known password as the old one, and FileVault picks it up. This script does both steps:
#!/bin/sh
password_user="bobbysue"
pass="ctechastronomy"
# Step 1: as root, reset the account password to a known value.
# passwd USER asks only for the new password and its confirmation.
expect -c "
spawn passwd $password_user
sleep 1
expect \"assword:\"
send \"$pass\r\"
expect \"assword:\"
send \"$pass\r\"
expect eof"
# Step 2: as the user, change the password again from the now-known value.
# This run asks Old, New and Retype, and is the one that updates FileVault.
expect -c "
spawn sudo -u $password_user passwd
sleep 1
expect \"assword:\"
send \"$pass\r\"
expect \"assword:\"
send \"$pass\r\"
expect \"assword:\"
send \"$pass\r\"
expect eof"
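Here is the same two-step reset as an added example; it is not the script from this post. It keeps the passwords out of the expect command line, where ps would show them to every user on the machine, by letting expect read them from the environment; it checks passwd's exit status so a rejected password does not go unnoticed; and it resets to a random throw-away password first rather than the final one, so the final password is only ever set by the user-level change that FileVault picks up. It assumes it runs as root (for instance from a remote-management agent), that passwd prompts with Old Password:, New Password: and Retype New Password:, and that the caller supplies the final password in an environment variable named FINAL_PASS. The function names, the PW_OLD/PW_NEW variables and the script name reset-fv-password.sh are all choices made here.

```shell
#!/bin/sh
# Added example (not the original post's script): the same two-phase reset,
# with the passwords kept out of the expect command line.
# Assumptions: runs as root (e.g. from a remote-management agent), so neither
# "passwd USER" nor "sudo -u USER passwd" prompts for an admin password;
# macOS passwd prompts read "Old Password:", "New Password:" and
# "Retype New Password:"; the final password arrives in the environment
# variable FINAL_PASS (a name chosen for this example).

# Usernames are interpolated into the expect program, so only allow the
# characters a local macOS short name can contain.
valid_user() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Random throw-away password for the root-side reset: 20 alphanumeric chars,
# so it cannot contain anything Tcl or the shell would treat specially.
gen_temp_password() {
  head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-20
}

# Print the expect program that drives one passwd run; $1 is the command to
# spawn. Passwords are read inside expect from $env(PW_OLD)/$env(PW_NEW), so
# they never appear in the program text, in argv, or on disk. Tcl substitutes
# $old/$new in a single pass, so a password containing $, [ or " is sent as-is.
# The "old password:" pattern is listed first because patterns are tried in
# order and the plain "password:" pattern would match it too.
expect_program() {
  printf '%s\n' \
    'set timeout 15' \
    'set old $env(PW_OLD)' \
    'set new $env(PW_NEW)' \
    "spawn $1" \
    'expect {' \
    '    -re {(?i)old password:} { send -- "$old\r"; exp_continue }' \
    '    -re {(?i)password:}     { send -- "$new\r"; exp_continue }' \
    '    timeout { puts stderr "timed out waiting for a passwd prompt"; exit 2 }' \
    '    eof' \
    '}' \
    'catch wait result' \
    'exit [lindex $result 3]'
}

# Run one phase: expect reads the program on stdin and exits with passwd's
# exit status, so a rejected password fails the phase instead of going unnoticed.
run_phase() {
  expect_program "$1" | expect
}

reset_filevault_password() {
  user="$1"
  valid_user "$user" || { echo "bad username: $user" >&2; return 1; }
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  [ -n "${FINAL_PASS:-}" ] || { echo "FINAL_PASS is not set" >&2; return 1; }
  tmp=$(gen_temp_password)

  # Phase 1, as root: "passwd USER" asks for the new password twice and does
  # not need the old one. This changes the account password only.
  PW_OLD='' PW_NEW="$tmp"; export PW_OLD PW_NEW
  run_phase "passwd $user" || return 1

  # Phase 2, as the user: passwd asks for old, new and retype. The old
  # password is known now, so this is the change FileVault picks up.
  PW_OLD="$tmp" PW_NEW="$FINAL_PASS"; export PW_OLD PW_NEW
  run_phase "sudo -u $user passwd" || return 1

  unset PW_OLD PW_NEW
  echo "password for $user reset; FileVault should now accept the new one"
}

# Usage: FINAL_PASS='the new password' ./reset-fv-password.sh bobbysue
if [ $# -gt 0 ]; then
  reset_filevault_password "$1"
fi
```

The environment is not listed by ps for other users the way argv is, and the Tcl program only ever references $env(...), so nothing in the process table or on disk carries the password while this runs. The exit-status check matters because passwd, when a password policy rejects the new value, exits non-zero but the original expect scripts would carry on regardless.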
Gotchas
This will mess up the user's login keychain, which is still encrypted with the old password. If you know the old password you can unlock it with that and let Keychain Access update it to the new one; if not, the user will have to create a new keychain.
The password sits in the script in plain text and, because it is handed to expect with -c, in expect's command line, which ps shows to every user on the machine while it runs. Delete the script when you are done, or feed the password to expect some other way (a file only root can read, or the environment).
The only real test that FileVault took the change is that the user can unlock the disk at the pre-boot login screen after a restart; fdesetup list shows which accounts are enabled for FileVault, not whether their unlock password is current.