Archive for category: InstaDMG

InstaDMG: Image Creation Revolution Webcast

The group will be presenting a Webcast on InstaDMG: Image Creation Revolution on April 15, 2008 at 1:00pm EDT (10:00am PDT).

InstaDMG is revolutionizing the way that Mac sysadmins create ASR deployment images and it can help you too. More than just a tool, InstaDMG is actually a methodology for deployment image creation and testing. In this webcast we will cover both the methodology and the reference tool in detail, including a roadmap of the reference script feature set.

For more information on how to view the webcasts, please visit:


The login ID for April 15th Webcast: MacEnterprise

Passcode for April 15th Webcast is: 724412

Go to the following web page 5-10 minutes prior to the webcast start time:


Webcast Coordinator


Creating a shadow hash file

When creating an image, you typically have user creation as part of the build process. If you're doing this as part of an install and capture (aka the "Old Way"), you simply create the user in the Setup Assistant, or use SysPrefs after the install to set it up.

Under Leopard, we have the very intriguing possibility of simply creating a series of files in the /var/db/dslocal folder structure, a layout that is easy to reproduce. This is especially handy for a package-based, non-interactive imaging process like our friend InstaDMG. The problem is creating the password. You obviously can't run the passwd(1) command, since that will change passwords on the existing machine. You need to create a shadow hash file that contains the password. In Leopard and Tiger, this file can contain quite a few password types, but the standard type is a salted SHA1 digest of the password (the salt is a random 4 byte integer).

Most people in the past have simply created a new account with the associated password and saved the resulting hash file in the folder. This is nice, but can result in a shadow file that never changes. Since the hash is salted with a random integer, we can generate a new hash any time we want and still have the same password. This way, over time, even if the passwords are the same, the hashes will be different. This is also why two hash files for the same password can contain very different hashes.

I have created a simple PHP script that takes 1 parameter, a string password. It will then output a string that is suitable to be saved as a password hash file to standard output. The resulting string could be redirected to a file whose name is the GUID of the user whose password you wish to save. This hash file is valid for 10.4 and 10.5.
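The salting behaviour described above, as an added Python example (not the author's PHP script): it builds the salted SHA1 field with a fresh 4 byte salt and checks a password against it. The file layout used here (1240 hex characters, salted SHA1 field at offset 168, other hash types zeroed) and all function names are assumptions that are not stated in the post.

```python
import hashlib
import hmac
import os

# Assumed layout (not stated in the post): a 1240-character hex file with the
# salted SHA-1 field at offset 168; unused hash types are left as zeros.
FILE_LEN = 1240
SSHA1_OFFSET = 168
SSHA1_LEN = 48  # 8 hex chars of salt + 40 hex chars of SHA-1 digest


def salted_sha1_field(password, salt=None):
    """Return salt + SHA1(salt + password) as 48 uppercase hex characters."""
    if salt is None:
        salt = os.urandom(4)  # fresh random 4-byte salt on every call
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return (salt + digest).hex().upper()


def build_hash_file(password, salt=None):
    """Return the full text of a hash file holding only the salted SHA-1."""
    field = salted_sha1_field(password, salt)
    tail = FILE_LEN - SSHA1_OFFSET - SSHA1_LEN
    return "0" * SSHA1_OFFSET + field + "0" * tail


def verify_hash_file(contents, password):
    """Check a candidate password against the salted SHA-1 field of a file."""
    if len(contents) != FILE_LEN:
        raise ValueError("unexpected hash file length")
    field = contents[SSHA1_OFFSET:SSHA1_OFFSET + SSHA1_LEN]
    salt = bytes.fromhex(field[:8])  # reuse the stored salt to recompute
    expected = salted_sha1_field(password, salt)
    return hmac.compare_digest(field.upper(), expected)


if __name__ == "__main__":
    # Constructed sample password: two builds differ, yet both verify.
    first = build_hash_file("correct horse")
    second = build_hash_file("correct horse")
    print(first != second,
          verify_hash_file(first, "correct horse"),
          verify_hash_file(second, "correct horse"))
```

A file produced this way holds password-equivalent material, so inside the image it should be readable by root only.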

In the future, I plan on making a script that automates the creation of this directory structure so it is suitable for packaging/automation with a non-booted volume. Obviously if this was a booted volume, you'd just use dscl/passwd and be done with it.

Check out the script here

Comments/suggestions welcome.
