Skip to main content
Question

[Feature request] run as user, modify keychains

  • September 20, 2011
  • 6 replies
  • 2 views
T
Forum|alt.badge.img+31
  • tlarkin
  • Honored Contributor
  • 2721 replies

hello,

This is a multi feature request. I will just get to the point:

1) run as user - pretty self explanatory. I would like the ability to run a script, command, whatever as the user that is logged in. Much like a user agent. I know you can script this out, but really I would like to be able to tell a script by a check box to just say run as user, then I wouldn't have to deploy user agents. Then make them available offline, and also be able to say run at login or start up, or whatever.

2) I am surprised this isn't a feature of Casper just yet, but I would like to see a set of keychain tools. I am going through the process right now of adding keychain items and it is a pain in the butt. This feature request is sort of two fold, since if Casper had the ability to run as user, I could use that to modify a user's keychain and not need their keychain password. Also, when a user changes their password it doesn't always change the password of their keychain, which also causes issues. So I can deploy user agents but then I have scripts with passwords or have to put the password/commands in the user agent itself and well, that is just not all that well in the concept of security.

As of right now I am basically working with commands like this:

/usr/sbin/networksetup -addpreferredwirelessnetworkatindex Airport usd500_wpa 0 WPA2 mypasskey

# on this below usd500_wpa is my SSID of my wifi network

/usr/bin/security add-generic-password -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa -w mypasskey -T /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -T /usr/libexec/airportd -U ~/Library/Keychains/login.keychain

This seems to work for me post image script and as a user agent, but I think Casper should make it easy for me and just add this in the framework. So I can go in and say all users get this added to their keychains and then Casper just does it for me. I am also looking at adding Internet passwords for our online text books and such, which also uses the security command.

Thoughts?

Thanks, tom

    6 replies

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Legendary Contributor
    • 4331 replies
    • September 20, 2011

    I have used Keychain Minder to remind users to update their keychain password at login.

    It helps nagging those that ignore the inbuilt login prompt.

    Regards,

    Ben.

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Author
    • Honored Contributor
    • 2721 replies
    • September 20, 2011

    Yes, but if you can run as user, you can update their keychain and you can also change it when they change their password....Just seems like a good set of features to have if you ask me

    R
    Forum|alt.badge.img+13
    • rockpapergoat
    • Contributor
    • 427 replies
    • September 20, 2011

    keychain minder handles a separate issue.

    can you get by with adding items to the system keychain, setting trust, and allowing all users access? i haven't tried this with web page logins, but it seems like it would work.

    as for features, i'd like to see better reporting in general and better search for policies…

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Author
    • Honored Contributor
    • 2721 replies
    • September 20, 2011

    I originally tried using the system keychain, it seems the
    login.keychain overrides it and causes the system keychain to "lose" the
    passkeys I set up. Apple verified this via enterprise support. Do
    you have any keychain tools Nate you could share?

    Thanks, Tom

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Legendary Contributor
    • 4331 replies
    • September 20, 2011

    I've used the method Nate's described for Certs.

    No idea about passwords. Sorry.

    Regards,

    Ben.

    R
    Forum|alt.badge.img+13
    • rockpapergoat
    • Contributor
    • 427 replies
    • September 20, 2011

    I don't have anything special in my bg of tricks; just use security to add items as needed. as I see it, the options are to roll up scripts based on the security binary to manipulate keychains or use the security framework to do the same. the results should be about identical. hooking into the framework directly may allow for more elegant app-like experiences, though.

    if you haven't yet, try to pass the passwords in variables Casper can handle ($4, $5, etc.) instead of in plain text within your scripts. the passwords may be logged in plain text on the client side if you're not careful, though.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings