Deleting SSID passwords from Local Item keychain

ScottyBeach
Contributor
Hi folks. I'm trying to remove a password from Keychains for an SSID. We use a limited SSID just for device onboarding and occaisional emergency use. We don't want users selecting, using and saving it or its password past the initial onboarding. Usually they don't but as a precaution so our Deskside Support team doesn't get calls about semi-functional wifi, I'd like a mainenance script to just delete it.
Thanks to @mm2270  and their tips in 257493 and @bentoms for the-local-items-keychain-in-mavericks 

If I issue this (less anonymized) command:
security find-generic-password -l my-SSID /Users/user.name/Library/Keychains/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/keychain-2.db
That returns:
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.

This is puzzling because if I look in Keychain Access, I see the password saved in the "Local Items" (as well as the "System") keychain. Why can't it be found by the command? I've checked my spelling etc.
 
The script I've borrowed (from one of you here - thanks) that's trying to check in both Local Items and Login keychains:

#!/bin/bash

## $4 is the name of the SSID and whose password is to be removed.

## Logged in username
logged_in_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name : / && ! /loginwindow/ {print $3}')
mac_UUID=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}')
if (security find-generic-password -l $4 /Users/$logged_in_user/Library/keychains/login.keychain-db|grep -o $4)
then
security delete-generic-password -l $4 /Users/$logged_in_user/Library/keychains/login.keychain-db
keychain: "/Users/$logged_in_user/Library/Keychains/login.keychain-db"
echo "Removed saved PW for #4 from Login Keychain."
elif (security find-generic-password -l $4 /Users/$logged_in_user/Library/keychains/$mac_UUID/keychain-2.db|grep -o $4)
then
security delete-generic-password -l $4 /Users/$logged_in_user/Library/keychains/$mac_UUID/keychain-2.db
keychain: "/Users/$logged_in_user/Library/Keychains/$mac_UUID/keychain-2.db"
echo "Removed saved PW for $4 from local items Keychain."
fi

Thanks much.

- Scott

7 REPLIES 7

Bol
Valued Contributor

Have you tried;

-a  Match "account" string

That's worked for me in the past eg. security delete-generic-password -a "$4"

Bol:

No, sorry, even using the -a switch it can't find the password in the keychain. Thanks for the suggestion.

- Scott

AVmcclint
Honored Contributor

Take a look at the script I posted here https://community.jamf.com/t5/jamf-pro/remove-wireless-network-ssid/m-p/137084 It's designed to delete the remembered SSIDs except for a specific, required SSID, and whatever WiFi you happen to be on at the time the script is run. I have found that when you run this, not only does it delete the SSID, it also seems to forget the passwords. You can play around with it and see if it accomplishes what you need.

I use a script similar to that (may have originally been based off of it). In my case it seems to forget the password as well. Although, I have it set to run at login and have noticed, if the device is connected to the SSID that is deleted, it will stay connected until a different SSID is switched to or a log out.

Thanks @Fluffy,  In my testing I found that if I deleted an SSID from the saved list while connected to that SSID, it disconnected me immediately. I wonder what would account for the difference in our experiences?

- Scott

Interesting. For comparison, here is the script I use:

RemoveSSID="your_ssid_here"

## Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

## Run a SSID removal if its present
networksetup -removepreferredwirelessnetwork $WirelessPort "$RemoveSSID" 2>/dev/null

@AVmcclint , Thanks very much for that. I've gone and fetched your script and will try it out. For our purposes, removing all but one SSID may be a bit much. We'd like to remove just one or two and their associated passwords. I'll see if I can figure out how to adapt it. Thanks again.

- Scott