Keychain ACLs scriptable

Matt
Valued Contributor

Is there a way to add and remove programs from the keychain ACL through script rather than manually?


mostlikelee
Contributor

Any luck with this? I opened up a ticket with Apple enterprise support for some help here. You are able to use security import with the -T flag to specify applications, but I have yet to find a way to modify ACLs on existing keys.

mm2270
Legendary Contributor III

You can do it from security, but you need to include the -U flag to indicate updating an existing keychain item.
The only problem is I believe it will always require the end user to authorize the change to the keychain item with a dialog that pops up. It's a security thing, to prevent applications from granting themselves access to your keychain items without you knowing it. Even when done as root it pops up a dialog with something like "security wants to change access permissions of the <name> item in your keychain."

alexjdale
Valued Contributor III

We're seeing what @mm2270 is saying, it is possible but prompts the user to allow it and requires admin credentials. Huge pain, we are trying to give our VPN app access to an issued cert/private key.

bentoms
Release Candidate Programs Tester

@alexjdale, Global Protect by chance?

alexjdale
Valued Contributor III

@mm2270, F5 BIG-IP VPN client, similar use case I bet.

mostlikelee
Contributor

Assuming the cert ACL you all are modifying exists in the user's login keychain?

mm2270
Legendary Contributor III

I have only tried this in tests, and I was testing with a simple generic password keychain item. I wasn't attempting to modify a cert/private key.
IOW, I created a simple generic keychain item directly in Keychain Access, left the default ACL setting of "Confirm before allowing access" and no applications added to the list.
I then ran a command using security with the -U flag to update the keychain item by its label, and the -T flag with the path of the application to grant access to it, and I get prompted in the GUI to allow the change and enter my password. If I authenticate, it successfully adds it in. If I cancel, it leaves it as is. So it works, but can't be done silently.

Again, I believe I understand the reasoning behind this and it makes perfect sense. If it wasn't this way, an app you download could ask for your credentials and then silently grant itself access to any keychain items it finds in your login.keychain and be able to read them at will, including any passwords, account names, etc. Perfect way for malware to steal your information. Not good. So I get why Apple doesn't allow that.

mostlikelee
Contributor

Thanks @mm2270, from the man page it looks like the -U flag is only for use with password items, no similar flag for certs. I'll post my findings as I test; I'm hoping I don't run into the password prompt, as I'll be running the script as root on certs in the system keychain.

kboparai1
New Contributor II

@timkalee Was wondering if you, or anyone else, could post any findings you may have come across?
Best,
Kamal

mostlikelee
Contributor

@kboparai1 I found a couple workflows that work well when running as root for modifying the user keychain without prompt. I'll post them as soon as I "generify" the code, but they all involve removing and re-adding/importing keychain items with the proper ACLs. There's another post floating around on jamfnation where I posted code on finding the SHA on a certificate's private key to populate the AnyConnect config file if that's one of your issues.

kboparai1
New Contributor II

That would be greatly appreciated, @timkalee!

My situation is that we would like to add two applications to the jss private key for another layer of security when accessing our VPN. This will allow us to only let computers with the jss private key/certificate to access our data center.

Doing the task manually is easy enough: find the private key in the system keychain, head to the access control tab, hit the + and add the applications we want. It would be ideal to script something like this but so far, my research is coming up short...

mostlikelee
Contributor

@kboparai1 Interesting workflow, your best bet may be to export the certificate, delete it, and reimport it with the proper ACLs. I'm curious if that would work myself...

tep
Contributor II

@kboparai1 I am also trying to script this, and falling short. Have you come up with anything?

typeraj
New Contributor III

@bentoms You mentioned GlobalProtect, have you had any experience with it? We are trying to implement it in our environment and use cert based authentication to connect. But every time the client tries to connect we get the Keychain prompt asking to unlock the System keychain.

alexyu650
New Contributor III

@typeraj this is the workaround to get past the unlock System Keychain prompt: https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Requests-System-Keychain-Access-on-Mac-OS-X/ta-p/53332

Now I need to find a way to script this work around. Any help would be appreciated!

The below keychain would be the keychain you would allow access to the pan.gps file.
3b475d4c19a74057a5bdf7da495d9171

buckybadger
New Contributor

Same issue over here. Every time a new machine cert is issued GlobalProtect wants to access it, doesn't have permission, and requires us to manually enter admin credentials. It's easy enough to do through the GUI but it's definitely a pain that the user's VPN breaks every time they get a new cert.

abrahamT
New Contributor III

@typeraj & @buckybadger At this time, there is no way to assign or provide access to a private key in the keychain programmatically if the cert/privkey already exist in the keychain. As suggested above by @mostlikelee, you would have to export the cert/privkey then reimport while providing access in the import command.

Something like this:

Export:
security export -k /path/to/users/keychain.keychain -t identities -P 'password here' -f pkcs12 -o /output/path/here.pem

Import:
security import /output/path/here.pem -k /path/to/users/keychain.keychain -T "" -T "/Applications/GlobalProtect.app/Contents/Resources/PanGPS"
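The export, delete and re-import workflow that @mostlikelee suggested and @abrahamT sketched above, written out as a runnable script. This is an added example, not code from anyone in this thread: it assumes it runs as root on macOS, and the keychain path, the PanGPS path and the ALLOW_ALL switch are placeholders for your own setup. identity_hashes() parses the output of security find-identity so the delete step can address each identity by its SHA-1 hash.

```shell
#!/bin/sh
# Added example, not code from the thread. Re-applies the private-key ACL by
# exporting all identities, deleting them by hash and re-importing them with
# -T (or -A), because the ACL can only be set at import time. Run as root.
set -eu

# Assumptions: keychain, app path and ALLOW_ALL are placeholders for your setup.
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"
TRUSTED_APP="${TRUSTED_APP:-/Applications/GlobalProtect.app/Contents/Resources/PanGPS}"
ALLOW_ALL="${ALLOW_ALL:-no}"   # yes -> "Allow all applications" (-A) instead of -T

# Pull the 40-hex SHA-1 hashes out of `security find-identity -v` output.
# Line format produced by the tool:   1) 0123...CDEF "Common Name"
# $1 = captured output, $2 = optional common name filter (empty = all)
identity_hashes() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+\)$/ && $2 ~ /^[0-9A-F]+$/ && length($2) == 40 {
            name = $0
            sub(/^[^"]*"/, "", name); sub(/"$/, "", name)
            if (want == "" || name == want) print $2
        }'
}

reset_identity_acls() {
    tmp="$(mktemp -d)"; trap 'rm -rf "$tmp"' EXIT
    p12="$tmp/identities.p12"
    pw="$(openssl rand -base64 18)"        # one-time passphrase for the temporary file

    listing="$(security find-identity -v "$KEYCHAIN")"
    hashes="$(identity_hashes "$listing" "")"
    [ -n "$hashes" ] || { echo "no valid identities in $KEYCHAIN" >&2; return 1; }

    # 1) export every identity (cert + private key) as PKCS#12
    security export -k "$KEYCHAIN" -t identities -f pkcs12 -P "$pw" -o "$p12"
    # 2) delete them so the re-import is not rejected as a duplicate
    for h in $hashes; do security delete-identity -Z "$h" "$KEYCHAIN"; done
    # 3) re-import with the ACL applied at import time
    if [ "$ALLOW_ALL" = "yes" ]; then
        security import "$p12" -k "$KEYCHAIN" -f pkcs12 -P "$pw" -A
    else
        security import "$p12" -k "$KEYCHAIN" -f pkcs12 -P "$pw" -T "$TRUSTED_APP"
    fi
    security find-identity -v "$KEYCHAIN"   # show what came back
}

# Only touch the keychain when explicitly asked; sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ]; then reset_identity_acls; fi
```

Note that security export has no per-identity filter, so the script exports and re-imports every identity in the keychain; keep it pointed at a keychain that holds only the machine identity you mean to reset.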

alexyu650
New Contributor III

@buckybadger What you need to do is deploy your company's Root.CA cert to the user login keychain; once you do that it should not prompt for an admin username and password. Where I am having issues is doing that via script, since we do not have Jamf in our environment the script part is failing for me. I was able to test this out thoroughly on my test machine by exporting the cert from the System keychain and then importing the Root.CA cert to the user login keychain.

buckybadger
New Contributor

I'll apologize in advance as I spend most of my time on the PC side of things so my total knowledge of how Keychain works is probably rudimentary at best.

When our CA issues a new machine certificate out to an endpoint how would having our root cert in keychain change the "Access Control" settings for the new machine cert?

That's ultimately the problem we have - by default the new machine cert comes into OSX with "Access Control" set to "Confirm before allowing access" and since we don't give our users admin rights they get stuck trying to allow the Global Protect client to access the new cert. In this environment we require the Palo Alto to check for a valid machine cert from our CA before the connection can continue so the VPN client has to be able to access the private key on the cert.

Ultimately I need a programmatic way to either default the private key access control to "Allow all applications to access this item" or figure out a way to add Global Protect to the list of allowed applications.

turbonj1
New Contributor

@buckybadger Did you ever find a solution for this? I'm running into the same issue.

alexjdale
Valued Contributor III

@buckybadger, how are you issuing the certs? Our AD certs are requested by a configuration profile, and there is a checkbox for AD cert payloads to make the private key accessible to all apps.

As far as I know, it's impossible to change the ACLs programmatically after the cert is imported.

sardeeplakhera
New Contributor

@mm2270 did you get any success in updating the ACL of an existing keychain item using -U and -T flags? If yes, could you please help, I am facing a similar issue?