Posted on 09-27-2011 11:39 AM
Hey everyone,
I am about to deploy a user agent and this is the rough idea, please give me feed back, pointers, suggestions, or if you wish to sacrifice some livestock to please the computer gods feel free.
#!/bin/bash
# set user's login.keychain to have our wifi passsword # run this as the user, via user agent
/usr/bin/security find-generic-password -a usd500_wpa
case `/bin/echo $?` in
0 )) hasloginkeychain=yes;; * )) hasloginkeychain=no;; esac
if [[ $hasloginkeychain -eq yes ]]
then /usr/bin/security add-generic-password -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa -w mypasskey -T /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -T /usr/libexec/airportd -U ~/Library/Keychains/login.keychain
else /usr/bin/security add-generic-password -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa -w mypasskey -T /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -T /usr/libexec/airportd -A ~/Library/Keychains/login.keychain
fi
exit 0
So I will have a user agent that runs this script. I am not a huge user of user agents, so if I put the script in /Library/Scripts and then have the agent run the script from that location will it be able to run and as that user, as long as the everyone x it is enable right?
Thanks, Tom
Posted on 09-27-2011 01:07 PM
I can't validate your script but your methodology sounds right.
On 9/27/11 1:39 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:
You may want to select a different location for your script.
/Library/Scripts is for AppleScripts that will appear under the
AppleScript menu. Any file that you put there (script or not) will appear
in the menu. I put my scripts in /Library/CompanyName/Scripts.
So long as your launchd item is in /Library/LaunchAgents then it will run
for each user under his own login. And so long as your script is
executable (yes, everyone x) then it should run. In your launchd item I
suggest calling the script as if you were calling it from a command line:
sh /Library/CompanyName/Scripts/myscript.sh
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 09-27-2011 01:17 PM
Any suggestions on how to do this with out putting my wifi passkey in a script?
Posted on 09-27-2011 01:28 PM
does it even matter at that point?
if you're injecting it in the user's keychain, presumably that user can unlock the keychain and see it anyway.
otherwise, you could jump through another hoop and either weakly encrypt it in the script or use curl to read it from a remote server or something.
weigh the overall security requirement of this exercise before you make it harder for yourself.
Posted on 09-27-2011 01:39 PM
Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good.
I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible.
I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha
Thanks in advance as always.
-Tom
Posted on 09-28-2011 07:29 AM
Hi Tom,
Certificate method is the one Apple recommends. Using EAP-TTLS or PEAP
with RADIUS.
All you have to do then import your certs into key chain. Ie package them
in /tmp script to import then delete the certs from /tmp.
sudo security add-trusted-cert -d -p basic -k
/Library/Keychains/System.keychain /private/tmp/rootCA.cer
sudo rm /private/tmp/rootCA.cer
Surely no need sudo if its used with Casper Suite
OR
Apple recommends;
Lion client also supports both EAP-TTLS and PEAP.
--missing content--
configuration profiles in a manner similar to iOS. This gives a lot of
flexibility in deploying .1x config among other things, and offers new
client certificate enrolment possibilities compared to 10.6. Have a look
at the Profile Manager docs for more details:
http://www.apple.com/support/lionserver/profilemanager/
I hope this helps
Cem
On 28/09/2011 14:58, "casper-request at list.jamfsoftware.com" <casper-request at list.jamfsoftware.com> wrote:
Date: Tue, 27 Sep 2011 15:39:41 -0500 From: "Thomas Larkin" <tlarki at kckps.org> Subject: Re: [Casper] add login keychain item to user To: "Nate St. Germain" <nate at techsuperpowers.com> Cc: William Smith <William.Smith at merrillcorp.com>, Casper Mailing list <casper at list.jamfsoftware.com> Message-ID: <4E81EE3D0200003900031F37 at pop.kckps.k12.ks.us> Content-Type: text/plain; charset"us-ascii" Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good. I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible.
I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha Thanks in advance as always. -Tom
Posted on 09-29-2011 11:04 AM
Well,
Working on getting either RADIUS or some form of 802.1x set up, but for the mean time this is how I am deploying login keychians
here goes my script
#!/bin/bash
/usr/bin/security find-generic-password -a usd500_wpa
if [[ $? -eq 0 ]]; then
# Found it - Update passkey without authorizing more apps
/usr/bin/security add-generic-password -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa -w mypasskey -U
else
# Not found - Create passkey from scratch
/usr/bin/security add-generic-password -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa -w mypasskey -U -T /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -T /usr/libexec/airportd -T /usr/bin/security
fi
# script is now done, exiting
exit 0
Here goes my launch agent
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.kckps.wireless</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Scripts/add_wifi.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Then I packaged it up and deployed in in Casper, tossed the scripts in a folder in /Library/Application Support/Scripts so for future reference I will put my third party scripts in there that need to be kicked off at various times for various reasons.
-Tom
--missing content--
configuration profiles in a manner similar to iOS. This gives a lot of
flexibility in deploying .1x config among other things, and offers new
client certificate enrolment possibilities compared to 10.6. Have a look
at the Profile Manager docs for more details:
http://www.apple.com/support/lionserver/profilemanager/
I hope this helps
Cem
On 28/09/2011 14:58, "casper-request at list.jamfsoftware.com" <casper-request at list.jamfsoftware.com> wrote:
Date: Tue, 27 Sep 2011 15:39:41 -0500 From: "Thomas Larkin" <tlarki at kckps.org> Subject: Re: [Casper] add login keychain item to user To: "Nate St. Germain" <nate at techsuperpowers.com> Cc: William Smith <William.Smith at merrillcorp.com>,Casper Mailing list <casper at list.jamfsoftware.com> Message-ID: <4E81EE3D0200003900031F37 at pop.kckps.k12.ks.us> Content-Type: text/plain; charset"us-ascii" Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good. I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible. I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha Thanks in advance as always. -Tom
Posted on 09-29-2011 11:13 AM
Wow, sorry for that crappy formatting, I copy/pasted the scripts from a web template and I guess the formatting wasn't right...
Lesson learned there
-Tom
--missing content--
configuration profiles in a manner similar to iOS. This gives a lot of
flexibility in deploying .1x config among other things, and offers new
client certificate enrolment possibilities compared to 10.6. Have a look
at the Profile Manager docs for more details:
http://www.apple.com/support/lionserver/profilemanager/
I hope this helps
Cem
On 28/09/2011 14:58, "casper-request at list.jamfsoftware.com" <casper-request at list.jamfsoftware.com> wrote:
Date: Tue, 27 Sep 2011 15:39:41 -0500 From: "Thomas Larkin" <tlarki at kckps.org> Subject: Re: [Casper] add login keychain item to user To: "Nate St. Germain" <nate at techsuperpowers.com> Cc: William Smith <William.Smith at merrillcorp.com>,Casper Mailing list <casper at list.jamfsoftware.com> Message-ID: <4E81EE3D0200003900031F37 at pop.kckps.k12.ks.us> Content-Type: text/plain; charset"us-ascii" Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good. I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible. I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha Thanks in advance as always. -Tom