Skip to main content
Solved

Keychain removal on Lab Machines

  • September 17, 2015
  • 6 replies
  • 29 views
farverk
Forum|alt.badge.img+6

Just like everyone else we are dealing with keychain issues for our AD accounts. I have a lab where students login with their AD credentials and they are constantly complaining about the keychain prompts.

The building consultant wanted me to script something that would remove the users keychain folder contents after each logout. I understand this may not be best practice but I can't for the life of me get it to work through Casper's login/logout hooks.

I'm using this script: http://www.amsys.co.uk/2015/02/delete-keychains-logout/

#!/bin/sh

rm -Rf /Users/$USER/Library/Keychains/*

exit 0

When I run it from terminal manually it works like a charm. When I run it via event/logout hook it completes "successfully" but the folders remain. Anyone have any ideas why its not delete the contents? Any suggestions on how to deal with keychains on lab machines other than ADPassmon? Thanks

Best answer by mm2270

The $USER variable from the shell isn't going to evaluate correctly when a policy runs via Casper. It tends to run scripts as the root account, not as the logged in user.

If you are doing these policies at logout, you can replace it with $3, which by default Casper Suite will assign to the current logged in user.
But I would personally just replace it with another variable to get the logged in user and then pass that to the command, just to be safe.

#!/bin/sh

loggedInUser=$(stat -f%Su /dev/console)

rm -Rf /Users/$loggedInUser/Library/Keychains/*

Taking it back a step though, I'd be cautious about just blowing away all files/folders in the Keychains directory. There may be other items there you (or the client) don't want deleted. For example, you can create additional keychains within Keychain Access.app and store data in there which can have their own unique passwords. But it's up to you. It should be fine to target to the login.keychain and the Local Items Keychain directory only for deletion in my experience.

EDIT: Never mind the above on not deleting all items in Keychains. I didn't read close enough that these are lab machines, so removing everything is probably the better approach in this case.

    6 replies

    H
    Forum|alt.badge.img+16
    • hkabik
    • Honored Contributor
    • September 17, 2015

    I think it's attempting to remove the management account's keychains...

    Try:

    #!/bin/sh

#variable for storing the current users name
currentuser=`stat -f "%Su" /dev/console`

#remove logged in users keychains
rm -r /Users/$currentuser/Library/Keychains/*
    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • Answer
    • September 17, 2015

    The $USER variable from the shell isn't going to evaluate correctly when a policy runs via Casper. It tends to run scripts as the root account, not as the logged in user.

    If you are doing these policies at logout, you can replace it with $3, which by default Casper Suite will assign to the current logged in user.
    But I would personally just replace it with another variable to get the logged in user and then pass that to the command, just to be safe.

    #!/bin/sh

loggedInUser=$(stat -f%Su /dev/console)

rm -Rf /Users/$loggedInUser/Library/Keychains/*

    Taking it back a step though, I'd be cautious about just blowing away all files/folders in the Keychains directory. There may be other items there you (or the client) don't want deleted. For example, you can create additional keychains within Keychain Access.app and store data in there which can have their own unique passwords. But it's up to you. It should be fine to target to the login.keychain and the Local Items Keychain directory only for deletion in my experience.

    EDIT: Never mind the above on not deleting all items in Keychains. I didn't read close enough that these are lab machines, so removing everything is probably the better approach in this case.

      farverk
      Forum|alt.badge.img+6
      • farverk
      • Author
      • Contributor
      • September 17, 2015

      Thank's guys appreciate the help, save me a lot of searching time.

      A
      Forum|alt.badge.img+14
      • Aziz
      • Contributor
      • September 17, 2015

      This has worked flawlessly for us.

      rm -rf /Users/$3/Library/Keychains/login.keychain

rm -rf /Users/$3/library/keychains/????????-????-????-????-????????????

echo "Deleted"

      edit: should have refreshed before submitting :p

        dvasquez
        Forum|alt.badge.img+16
        • dvasquez
        • Valued Contributor
        • August 7, 2018

        @mm2270 thank you for the information and script, it worked like a dream!

        Xavier

        J
        Forum|alt.badge.img+4
        • jdye
        • Contributor
        • October 3, 2018

        @mm2270 I just wanna say that it's over 2 years later and your script still works.

        Just saved me a headache re: Password management! Thank you for contributing.

          Terms & ConditionsCookie settingsAccessibility statement