Posted on 05-22-2017 02:20 PM
Hello,
I am new to these discussions, but I have already found so many solutions here in the last few months that I decided to create an account in the hope that someone will be able to help me with an issue I have, for which I haven't been able to find a solution on Google.
At work, we have 3 WiFi SSIDs: one for laptops, one for smartphones and one for guests.
The smartphone and laptop WiFi have a lot of security and use the AD account for connection.
However, for the guest WiFi, it has a standard password and is "outside" our network.
With these command lines:
security delete-generic-password -D "802.1X Password" -s com.apple.network.eap.user.item.wlan.ssid.Laptop
security delete-generic-password -D "802.1X Password" -s com.apple.network.eap.user.item.wlan.ssid.Smartphone
We are able to remove the WiFi password from Keychain Access for both Laptop and Smartphone. However, we are having an issue with the guest network.
Unlike the Smartphone and Laptop WiFi, the Guest network has an entry in Local Items as well as in the System keychain.
And if I run this command:
security delete-generic-password -a "Guest" -D "AirPort network password"
I am able to delete the Keychain password for the System, but not for Local Items.
I have been looking for a week on this website and on Google, and I haven't found a way to delete this Local Items password. The only solution I have, which seems a bit drastic, would be to delete the Local Items directory ~/Library/Keychains/"The Long numbers"/keychain-2.db, but by doing so I will also remove the user's home WiFi password, which I would like to avoid if possible...
So if someone knows how to help me, I would really appreciate it.
Thank you in advance for your help.
Posted on 05-22-2017 02:58 PM
Hey Manu,
I was looking at something similar yesterday and figured out that you can specify which keychain to look at for most security subcommands. This is from the man page for security:
delete-generic-password [-h] [-a account] [-s service] [-options...] [-keychain...]
I hope this helps.
Posted on 05-22-2017 03:11 PM
So I think you can try something like this:
security delete-generic-password -a "Guest" -D "AirPort network password" /Path/To/Keychain.db
Posted on 05-23-2017 04:43 AM
Hello typeraj,
Thank you for your quick response. I appreciate the time and effort you are spending on my behalf.
I have tried your suggestion, but unfortunately, it comes up with an error:
When I typed this on the Terminal:
sudo security delete-generic-password -a "Guest" -D "AirPort network password" /Users/Manu/Library/Keychains/970CC5A9-EA6E-54E4-BD8F-F4064AEF93D1/keychain-2.db
I got this error message:
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
So I removed the path to make sure that my command line was correct:
sudo security delete-generic-password -a "Guest" -D "AirPort network password"
And this removed the System Keychain. And I know the path is correct because I simply dropped the keychain-2.db file onto the Terminal window. (I made sure there was a space between ....password" and /Users...)
At the moment, I am guessing that the command line we are using is not the correct one and it is not able to read that .db file.
After all, on this link, the guy does mention that it is a directory and not a file, which would explain why it can't read and delete the content?
But then how can I delete some content of this file?
Thank you once again for your help and I hope I am not facing a situation where there isn't any solution?
Posted on 05-23-2017 05:05 PM
Hey Manu,
What do you see when you run:
security list-keychains
Raj.
Posted on 05-24-2017 03:41 AM
The security binary is not "local-items" keychain aware, sadly.
Posted on 05-25-2017 01:50 AM
Thank you typeraj and bentoms for your replies.
It seems that there isn't any solution for my issue.
Nevertheless, we have decided to go for a work around in my company.
We will delete the "Guest" System keychain using this command, and then we will remove the keychain-2.db using this script:
#!/bin/bash
# User currently at the console (the keychain lives in that user's home).
loggedInUser=$(stat -f%Su /dev/console)
# Remove the "Guest" Wi-Fi password from the keychains the security tool can see.
security delete-generic-password -a "Guest" -D "AirPort network password"
# Local Items lives in a UUID-named directory under ~/Library/Keychains.
icloudKeychainCheck=$(ls "/Users/${loggedInUser}/Library/Keychains" | grep ........-....-....-....-............)
if [[ $icloudKeychainCheck != "" ]]; then
    # security cannot address Local Items, so the whole database is removed.
    rm -r "/Users/${loggedInUser}/Library/Keychains/${icloudKeychainCheck}/keychain-2.db"
    echo "deleting local items keychain"
else
    echo "No keychain-2.db to delete!"
fi
I found the above command on this link.
It will delete the whole Local Items keychain (including the personal passwords), but at least the login and System keychain passwords remain.
I have tested it on my computer: I was able to remove the "Guest" WiFi (enterprise), and the computer connected to my personal WiFi straight away without prompting for a password.
So I guess it will do for now.
However, if anyone has the solution to delete a "local items" keychain please feel free to update this discussion.
Thank you everyone for looking into this issue.
Posted on 05-25-2017 01:54 AM
Posted on 04-11-2018 01:36 PM
Yes, this is frustrating for me too. I can delete a wifi network from the preferred list and I can delete the password from the system and login keychains, but I can't remove it from the local items keychain, so if the user tries to connect to the SSID again, the (super secret) credentials are cached in the local items and they can connect to the SSID. I absolutely do not want that to ever happen, but I can't stop it unless I delete the local items.
By the way, it is just as safe to delete the whole folder as it is to delete the contents.
Also you can do a more precise (only allowing hex characters) grep with...
grep -E '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
or, even more concisely with...
grep -i -E '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'
Posted on 05-28-2024 01:40 PM
Hi,
I needed to forget an SSID for my company's Mac, and after some research and help from Chat-GPT, along with some trial and error, I was finally able to make it work. Hopefully, it's useful to someone else. I used a portion of @Manu's script.
This will forget the SSID and delete the "Local Items" entry and the "System" Keychain entry as well.
#!/bin/bash
# Run with sudo: deleting from /Library/Keychains/System.keychain needs root.
# Get the logged-in user
loggedInUser=$(stat -f%Su /dev/console)
# Define the name of the network to delete
network_name="YOUR-SSID"
# Delete the item with this label from the user's login keychain
security delete-generic-password -l "$network_name" "/Users/${loggedInUser}/Library/Keychains/login.keychain-db"
# Check for the Local Items (iCloud) keychain: a UUID-named directory under ~/Library/Keychains
icloudKeychainCheck=$(ls "/Users/${loggedInUser}/Library/Keychains" | grep ........-....-....-....-............)
if [[ $icloudKeychainCheck != "" ]]; then
    # security cannot address Local Items, so delete the whole keychain-2.db file
    rm -r "/Users/${loggedInUser}/Library/Keychains/${icloudKeychainCheck}/keychain-2.db"
    echo "Deleting Local Items (iCloud) keychain"
else
    echo "No Local Items (iCloud) keychain to delete!"
fi
# Delete the network from the list of known networks (networksetup wants the device, e.g. en0)
networkservice=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $2}')
/usr/sbin/networksetup -removepreferredwirelessnetwork "$networkservice" "$network_name"
# Delete the network from the System keychain if it exists
security delete-generic-password -l "$network_name" "/Library/Keychains/System.keychain"
echo "Network '$network_name' deleted from the preferred networks list and from both the user's login keychain and the System keychain."
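Pulling the thread together, here is a consolidated script (an added example, not code from any of the posts above) that forgets an SSID, removes its entry from the System and login keychains by the attributes the posts identified (the 802.1X service name com.apple.network.eap.user.item.wlan.ssid.<SSID>, or the account name with -D "AirPort network password" for a PSK network), and then reports any Local Items database that the security tool cannot reach, using the hex-only UUID pattern from the 2018 reply. It assumes stock macOS paths (/Library/Keychains/System.keychain, ~/Library/Keychains/login.keychain-db, a UUID-named Local Items directory) and a home under /Users; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Run with sudo on macOS:
#   sudo ./forget_ssid.sh "Guest"        # PSK network ("AirPort network password")
#   sudo ./forget_ssid.sh "Laptop" eap   # 802.1X network ("802.1X Password")
set -u

# Keychain service name used by an 802.1X (EAP) Wi-Fi entry, per the thread.
eap_service_name() {
    printf 'com.apple.network.eap.user.item.wlan.ssid.%s\n' "$1"
}

# True if $1 looks like the UUID directory name of a Local Items keychain
# (hex only, anchored to the whole name, so login.keychain-db never matches).
is_uuid_name() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print every Local Items database (keychain-2.db) found under the Keychains
# directory given as $1. Empty output means there is nothing to worry about.
local_items_dbs() {
    dir="$1"
    for d in "$dir"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        if is_uuid_name "$(basename "$d")" && [ -f "$d/keychain-2.db" ]; then
            printf '%s\n' "$d/keychain-2.db"
        fi
    done
}

# Wi-Fi device name (en0, en1, ...) that networksetup expects.
wifi_device() {
    networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $2}'
}

# Remove $1's credentials from one keychain ($3); $2 is "psk" or "eap".
# The exit status of security is ignored: "could not be found" is fine here.
delete_from_keychain() {
    ssid="$1"; kind="$2"; kc="$3"
    if [ "$kind" = eap ]; then
        security delete-generic-password -D "802.1X Password" \
            -s "$(eap_service_name "$ssid")" "$kc" || true
    else
        security delete-generic-password -D "AirPort network password" \
            -a "$ssid" "$kc" || true
    fi
}

# Forget the SSID for the console user and clean the keychains security can see.
forget_ssid() {
    ssid="$1"; kind="$2"
    user="$(stat -f%Su /dev/console)"
    dev="$(wifi_device)"
    [ -n "$dev" ] && networksetup -removepreferredwirelessnetwork "$dev" "$ssid"

    delete_from_keychain "$ssid" "$kind" /Library/Keychains/System.keychain
    delete_from_keychain "$ssid" "$kind" "/Users/$user/Library/Keychains/login.keychain-db"

    # The security binary is not Local Items aware (bentoms, above). Report
    # instead of deleting: removing keychain-2.db wipes every cached item.
    for db in $(local_items_dbs "/Users/$user/Library/Keychains"); do
        echo "Local Items keychain still present: $db (not reachable with security)"
    done
}

case "${1:-}" in
    "") ;;  # no SSID given: define functions only (sourced or under test)
    *)  [ "$(uname)" = Darwin ] || { echo "macOS only" >&2; exit 1; }
        forget_ssid "$1" "${2:-psk}" ;;
esac
```

The UUID check and the Local Items scan are plain POSIX shell and can be exercised anywhere; only forget_ssid, wifi_device and delete_from_keychain need macOS and root. Whether to go on and delete the reported keychain-2.db is left to the operator, since that is the trade-off the thread settles on.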