10.6: Unlock screens using any admin password

Snow Leopard only hint. Mac OS X 10.6 tightened security: one administrator user can no longer unlock the screensaver of another admin user. However, many IT professionals need to grant their users admin access to their Macs while still being able to administer the machine in their absence.

Visiting a user's machine to resolve a help desk ticket is frustrating if that user's screen is locked and the user has left for the day, is out to lunch, in a meeting, etc.

To let an admin unlock another admin's screensaver, edit the file /etc/pam.d/screensaver on the machine, changing the line

account required pam_group.so no_warn group=admin,wheel fail_safe

to

account sufficient pam_group.so no_warn group=admin,wheel fail_safe

In PAM terms, a "required" module that fails makes the whole stack fail, whereas a "sufficient" module that succeeds ends evaluation with success right away, so an authenticated admin never reaches the later "deny ... ruser" line (visible in bryan_g's listing in the comments) that refuses to unlock an admin's screen. Be aware that a "sufficient" module that fails is simply ignored, so this change also loosens what the stack demands of non-admin users; bryan_g's comment below describes the resulting behaviour and a variant that keeps the non-admin restriction.

You'll need a text editor capable of modifying and saving system files, e.g. any CLI editor run with sudo, or a GUI editor such as TextWrangler if done in advance. It is not necessary to log out or restart. In fact, if you visit a machine that is locked in this way and have SSH access to it, you can modify the file and then unlock the screensaver with your admin account.

[crarko adds: I tested this, and it works as described.]
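The procedure above as a shell function, added here as an example and not part of the hint: it applies the one-line change to a file given on the command line, keeps a .bak copy, refuses to run unless the file contains exactly the "required" pam_group line quoted above, and checks afterwards that nothing else in the file changed. The function name relax_screensaver_pam is invented for the example; the sample file it is demonstrated on is constructed from the lines quoted in the hint and in bryan_g's comment, not read from a real machine. For the real file, run it as root, e.g. sudo sh -c '. ./relax.sh; relax_screensaver_pam /etc/pam.d/screensaver' (assumed saved as relax.sh).

```shell
#!/bin/sh
# Added example, not the hint's own commands: apply the hint's one-line change
# to a pam.d file, keeping a backup and refusing to proceed unless the file
# looks the way the hint expects. Usage: relax_screensaver_pam /path/to/file
# (under sudo for the real /etc/pam.d/screensaver).

relax_screensaver_pam() {
    file="$1"
    # The exact 'required' pam_group line the hint tells you to change. The
    # pattern is anchored on "no_warn group=" so the later "no_warn deny group="
    # line in the same file is never touched.
    target='^account[[:space:]]+required[[:space:]]+pam_group\.so no_warn group=admin,wheel fail_safe$'

    count=$(grep -Ec "$target" "$file") || true
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected exactly one matching line in $file, found $count" >&2
        return 1
    fi

    cp -p "$file" "$file.bak" || return 1
    # Rewrite only that line; keep the 'account' column as-is and re-pad so the
    # module column still lines up ('sufficient' is two characters longer).
    sed -E 's/^(account[[:space:]]+)required[[:space:]]+(pam_group\.so no_warn group=admin,wheel fail_safe)$/\1sufficient     \2/' \
        "$file.bak" > "$file" || return 1

    # Verify: exactly one line changed, and it now reads 'sufficient'.
    changed=$(diff "$file.bak" "$file" | grep -c '^>') || true
    if [ "$changed" -ne 1 ]; then
        echo "unexpected edit in $file, restore from $file.bak" >&2
        return 1
    fi
    grep -Eq '^account[[:space:]]+sufficient[[:space:]]+pam_group\.so no_warn group=admin,wheel fail_safe$' "$file" || return 1
    return 0
}

# Stand-alone demo on a constructed copy of the 10.6 file (lines taken from the
# hint and from bryan_g's listing; nothing here touches a real system file).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/screensaver"
cat > "$demo_file" <<'EOF'
# screensaver: auth account
auth       optional       pam_krb5.so
auth       required       pam_opendirectory.so nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
EOF
if relax_screensaver_pam "$demo_file"; then
    diff "$demo_file.bak" "$demo_file" || :   # diff exits 1 because one line differs
fi
rm -rf "$demo_dir"
```

Running it a second time on the same file fails on purpose: the "required" line is gone, so the precondition check reports zero matches rather than silently doing nothing.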
10.6: Unlock screens using any admin password | 22 comments
10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 04, '10 09:38:32AM

Now if only there was a way to let admin users masquerade as others through the OD login window (you can mount AFP shares with an admin password, but can't actually log into another user's account as far as I know).

This would be soooooo useful for testing Workgroup Manager settings, when something is not working properly for a particular user. Right now, my only option is to change the user's password first, then have them change it back when I'm done. Anyone know of anything better?

10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 04, '10 11:19:24AM

if only there was a way to let admin users masquerade as others through the OD login...

There's actually a pretty slick way of doing this: In OD, the password is stored via one level of indirection; a "pointer" to a password entry.

So:

  • save the value aside, for the account you need to log in as
  • overwrite it with one of your choosing (say, what's used for an admin account)
  • log in as that user to do what you need
  • restore the password with what was saved in the first step
Some enterprising person could code this up pretty quickly, to make it even simpler.

10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 04, '10 02:48:28PM

Wait, how do you actually do the saving of the original password, though? As far as I can tell, there's no way to extract the actual password data from an account, especially when using Kerberos... am I missing something?

10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 04, '10 02:56:41PM

Right; you can't read a password, but you CAN read/write the "pointer" to it, and that's all you need.

10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 04, '10 08:29:16PM

Care to explain how to do this?

10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 08, '10 12:37:28PM

It can be done via "Workgroup Manager" (GUI; does not require Mac OS X Server) or via command-line - look for the "AuthenticationAuthority" attributes.

It's "advanced" (you won't even see that attribute until you enable WorkGroup Manager's "Inspector") and all the standard warnings apply; you can make a mess of things at this level.

10.6: Unlock screens using any admin password
Authored by: vengjence on Nov 05, '10 01:11:36AM
Does the difference cause it to not work? Is it that significant? I wonder because I totally dread these kinds of issues :(

10.6: Unlock screens using any admin password
Authored by: afingal on Nov 05, '10 12:14:08PM

Right, with Kerberos, the password information is not even on your machine. Your password is checked against a key server which assigns a Kerberos ticket to your session on the machine and it is only good for that session. You would have to either catch the action of authentication against the key server or crack the key server, itself. Without Kerberos, a password can be cracked with a chosen text attack, which is more or less difficult depending on the strength of the one way hashing algorithm used to encrypt the password and on how strong the user's password is. See my reply to one of the other messages below for more about this.

10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 05, '10 01:31:05PM

Right, which makes me wonder what mvgfr (above) is talking about.

10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 08, '10 12:43:10PM

You simply replace the *reference* to the password (the text string in the AuthenticationAuthority attribute, if I recall), which tells OD where to find the password.

And then put the old *reference* back when you're done.

No actual passwords are read or changed.

10.6: Unlock screens using any admin password
Authored by: ghwelker on Nov 08, '13 04:42:56AM

I just upgraded to "Mavericks" and have 3 major issues with it:

First and foremost, I lost my iMac admin ID and password.

After trying everything I could, I still can't recover them, including using UNIX, as recommended on these sites:

http://www.hackmac.org/tutorials/decrypt-os-x-user-account-passwords/

http://www.hackmac.org/tutorials/how-to-create-a-new-administrator-account/

http://www.wikihow.com/Reset-a-Lost-Admin-Password-on-Mac-OS-X

http://osxdaily.com/2011/08/24/reset-mac-os-x-10-7-lion-password/

http://osxdaily.com/2010/08/10/forgot-mac-password-how-to-reset-mac-password/

http://support.apple.com/kb/HT4718

http://www.macworld.com/article/2056561/how-to-make-a-bootable-mavericks-install-drive.html

http://www.macworld.com/article/1167855/installing_mountain_lion_what_you_need_to_know.html

No matter how hard I try, it just doesn't work.

I thought I had when I used "resetpassword", but when I used it again it said: "Please use install disk which doesn't exist now".

Also, Safari 7.0 starts to come up, then quits. The only place it worked was in "Recovery" mode.

Likewise, when I want to print to a PDF file, "Preview" starts, then quits. It seems to run on its own!

There may be "200" new and better features, but I haven't got to them yet!

I wanted to keep Mountain Lion, but wasn't given that choice on one of my two external drives, because they both were treated like backup drives!!

Any advice is deeply appreciated.

Thanks,

Glenn Welker

ghwelker3@comcast.net

10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 08, '10 12:47:47PM

Caveat: The "replace the password reference" trick did work in prior versions of OS X, however I haven't tested in 10.6.

However, after a brief check via Workgroup Manager, it looks like it may not work in 10.6.

Personally, I consider that a good thing, since it's more secure.

10.6: Unlock screens using any admin password
Authored by: dfbills on Nov 04, '10 09:56:30AM

This is a great hint! I've been wondering about this since 10.6 was released.

---
-d

10.6: Unlock screens using any admin password
Authored by: afingal on Nov 04, '10 10:46:19AM

If you're doing something which doesn't actually require being logged in as the user, then fast user switching is probably the best answer. If I remember correctly, there is a way to auto logout users after a period of inactivity so that rebooting isn't an issue with still having someone logged in.

I guess this hint is for something like troubleshooting an email account issue, where you really have to be logged in as the user. Our policy for that situation is that the user is supposed to be present when you're poking around in their account. It's true that a lot of users don't know this or don't care about the policy and, especially the big shots, want stuff done while they're gone. We always assume that there could be PHI (HIPAA regulated data) hidden by the locking screen saver (that's why we require locking screen savers in the first place.) The user needs to clear that stuff away so that the desktop tech doesn't see it by mistake. If you don't have such an issue, like HIPAA, payroll stuff, etc. where you need to hide one employee's data from another, then why enable the lock on the screensaver? My point is that there will often be policy reasons not to follow this hint.

10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 04, '10 11:48:33AM

Auto log-out is pretty unreliable, because any modal dialog will prevent it from happening. Also I'm pretty sure you can't fast-user-switch when the screen is locked; you'd have to unlock the screen before you can access the FUS menu.

10.6: Unlock screens using any admin password
Authored by: j-beda on Nov 04, '10 01:02:21PM

Fast-user-switching is available from the screen unlock dialogue, my kids use it all the time to log into their account when I have not logged out and the screen has been locked.

10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 04, '10 02:46:37PM

Ahh, good to know! Hadn't noticed that before. Might come in handy too, thanks.

Still need to be able to see other users' accounts from within a lot of the time, especially in an MCX environment where you're trying to propagate prefs and restrictions -- just can't verify that an account is working properly until you see it for yourself.

10.6: Unlock screens using any admin password
Authored by: CamelJockey on Nov 04, '10 01:45:07PM

When I go to com.apple.ical.plist, the window opens then closes. How do I change anything to do with the alarms if that won't stay open?

Help?

10.6: Unlock screens using any admin password
Authored by: hrbrmstr on Nov 07, '10 09:53:43AM
If you are uncomfortable on the command line (e.g. "sudo vi" doesn't cut it fer ya) then you can just drag your favorite GUI text editor on top of this little app (ÜberDo) - http://dl.dropbox.com/u/43553/%C3%9CberDo/%C3%9CberDo.app.zip - and it will prompt you for your credentials and be able to work with any system file. Built on and only tested on 10.6 Intel. (You'll probably need to unzip it first.)
---
Mind the gap...

10.6: Unlock screens using any admin password
Authored by: joelbruner on Nov 22, '10 09:19:41AM
Awesome! I've been wondering about this!
Here's the command line version:
sed 's/account    required       pam_group.so no_warn group/account    sufficient     pam_group.so no_warn group/' /etc/pam.d/screensaver > /Users/Shared/screensaver.new.txt
sudo mv /etc/pam.d/screensaver /Users/Shared/screensaver.old.txt
sudo cp /Users/Shared/screensaver.new.txt /etc/pam.d/screensaver
open /Users/Shared/
Both files are saved in /Users/Shared, which is opened after completion so changes can be verified.

10.6: Unlock screens using any admin password
Authored by: treydock on Oct 11, '11 02:02:11PM
A shorter way to do this would be to use the -i flag to create a backup...

sudo sed -i '.bak' 's#account    required       pam_group.so no_warn group=admin,wheel fail_safe#account    sufficient     pam_group.so no_warn group=admin,wheel fail_safe#g' /etc/pam.d/screensaver
That will create a backup of the original at /etc/pam.d/screensaver.bak - Trey

10.6: Unlock screens using any admin password
Authored by: bryan_g on Jan 07, '11 08:44:31AM
I may have done something wrong, but I just implemented this and it looks like non-admin users are now able to unlock each other's accounts as well. I am in a setting where this is definitely undesired behavior (as I imagine it would be in most cases). I played with it a little bit and ended up using this in /etc/pam.d/screensaver:

# screensaver: auth account
auth       optional       pam_krb5.so
auth       required       pam_opendirectory.so nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    sufficient     pam_group.so no_warn deny group=admin,wheel ruser fail_safe
As far as I can tell, it lets admins unlock any screen and only allows non-admins to unlock their own.

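To see why the hint's edit has the side effect bryan_g describes, and why his variant does not, here is an added example (not code from the hint or from any commenter) that walks the "account" stack of the screensaver file with PAM's control-flag semantics for a handful of constructed user pairs. It assumes the stock 10.6 file is the four "account" lines quoted on this page with both pam_group lines "required", that PAM_USER is the account typing the password and PAM_RUSER the user who locked the screen (consistent with the pam_self line), and uses the constructed users alice and bob (admins) and carol and dave (ordinary users).

```python
"""Walk a pam.d 'account' stack with PAM control-flag semantics.

Added example, not the hint's or any commenter's code.  Control flags as
documented for PAM/OpenPAM:
  required   - failure makes the final result fail; evaluation continues
  requisite  - failure ends evaluation immediately with failure
  sufficient - success ends evaluation with success unless an earlier
               'required' module already failed; failure is ignored
  optional   - ignored when other modules are present
Modules modelled: pam_opendirectory (account exists), pam_self (user is the
locking user), pam_group (membership in group=...; 'deny' inverts the test,
'ruser' checks the locking user instead).  no_warn/fail_safe only affect
logging and missing groups, so they are accepted and ignored.  Assumption:
PAM_USER is the account typing the password, PAM_RUSER the locking user.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    control: str                      # required | requisite | sufficient | optional
    module: str                       # e.g. pam_group.so
    groups: frozenset = frozenset()   # from group=a,b
    deny: bool = False                # 'deny' option present
    ruser: bool = False               # 'ruser' option present


def parse_account_stack(text):
    """Parse the 'account' lines of a pam.d file into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        phase, control, module, *opts = line.split()
        if phase != "account":
            continue                  # auth lines do not take part in this decision
        groups = frozenset()
        for opt in opts:
            if opt.startswith("group="):
                groups = frozenset(opt[len("group="):].split(","))
        rules.append(Rule(control, module, groups,
                          deny="deny" in opts, ruser="ruser" in opts))
    return rules


def run_module(rule, user, ruser, membership):
    """True if the module succeeds for this (authenticating user, locking user)."""
    if rule.module == "pam_opendirectory.so":
        return user in membership     # the account exists in the directory
    if rule.module == "pam_self.so":
        return user == ruser
    if rule.module == "pam_group.so":
        subject = ruser if rule.ruser else user
        in_group = bool(membership.get(subject, set()) & rule.groups)
        return (not in_group) if rule.deny else in_group
    raise ValueError(f"unmodelled module {rule.module}")


def account_allowed(rules, user, ruser, membership):
    """Walk the stack with control-flag semantics; True means unlock permitted."""
    required_failed = False
    for rule in rules:
        ok = run_module(rule, user, ruser, membership)
        if rule.control == "required" and not ok:
            required_failed = True
        elif rule.control == "requisite" and not ok:
            return False
        elif rule.control == "sufficient" and ok and not required_failed:
            return True
        # 'optional' results and failed 'sufficient' modules are ignored
    return not required_failed


# Constructed group membership for the scenarios below.
MEMBERSHIP = {
    "alice": {"admin", "staff"},      # admin
    "bob":   {"admin", "staff"},      # another admin
    "carol": {"staff"},               # ordinary user
    "dave":  {"staff"},               # another ordinary user
}

# Stack reconstructed from the lines quoted on this page (assumption: this is
# the stock 10.6 file, with the hint's target line still 'required').
STOCK = """
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
"""
# The hint: the first pam_group line becomes 'sufficient'.
HINT = STOCK.replace("required       pam_group.so no_warn group=",
                     "sufficient     pam_group.so no_warn group=")
# bryan_g's variant: first line stays 'required', the deny line becomes 'sufficient'.
BRYAN_G = STOCK.replace("required       pam_group.so no_warn deny",
                        "sufficient     pam_group.so no_warn deny")

SCENARIOS = [                         # (authenticating user, user who locked the screen)
    ("alice", "alice"), ("alice", "bob"), ("alice", "carol"),
    ("carol", "carol"), ("carol", "dave"), ("carol", "alice"),
]


def matrix(stack_text):
    """Map each scenario to the unlock decision for one stack."""
    rules = parse_account_stack(stack_text)
    return {pair: account_allowed(rules, pair[0], pair[1], MEMBERSHIP)
            for pair in SCENARIOS}


if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hint", HINT), ("bryan_g", BRYAN_G)):
        print(name)
        for (user, ruser), allowed in matrix(text).items():
            print(f"  {user:>5} unlocking {ruser:<5} -> {'ALLOW' if allowed else 'deny'}")
```

The three tables differ in exactly the two cells that matter: with the hint's file, carol unlocking dave's screen is allowed (the failed "sufficient" group check is ignored and the remaining "deny ... ruser" line passes because dave is not an admin), while with bryan_g's file that pair is denied and alice unlocking bob's screen is still allowed, since the deny line is now only "sufficient" and its failure no longer counts against the earlier "required" success.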