Posted on 09-17-2015 12:48 PM
Just like everyone else we are dealing with keychain issues for our AD accounts. I have a lab where students log in with their AD credentials and they are constantly complaining about the keychain prompts.
The building consultant wanted me to script something that would remove the user's keychain folder contents after each logout. I understand this may not be best practice but I can't for the life of me get it to work through Casper's login/logout hooks.
I'm using this script: http://www.amsys.co.uk/2015/02/delete-keychains-logout/
#!/bin/sh
rm -Rf /Users/$USER/Library/Keychains/*
exit 0
When I run it from terminal manually it works like a charm. When I run it via event/logout hook it completes "successfully" but the folders remain. Anyone have any ideas why it's not deleting the contents? Any suggestions on how to deal with keychains on lab machines other than ADPassmon? Thanks
Posted on 09-17-2015 01:02 PM
The $USER variable from the shell isn't going to evaluate correctly when a policy runs via Casper. It tends to run scripts as the root account, not as the logged in user.
If you are doing these policies at logout, you can replace it with $3, which by default Casper Suite will assign to the current logged in user.
But I would personally just replace it with another variable to get the logged in user and then pass that to the command, just to be safe.
#!/bin/sh
# Casper runs policy scripts as root, so resolve the console owner instead of relying on $USER
loggedInUser=$(stat -f%Su /dev/console)
# quote the path so an unexpected username cannot split the argument
rm -Rf "/Users/$loggedInUser/Library/Keychains/"*
Taking it back a step though, I'd be cautious about just blowing away all files/folders in the Keychains directory. There may be other items there you (or the client) don't want deleted. For example, you can create additional keychains within Keychain Access.app and store data in there which can have their own unique passwords. But it's up to you. It should be fine to target the login.keychain and the Local Items Keychain directory only for deletion in my experience.
EDIT: Never mind the above on not deleting all items in Keychains. I didn't read close enough that these are lab machines, so removing everything is probably the better approach in this case.
Posted on 09-17-2015 12:55 PM
I think it's attempting to remove the management account's keychains...
Try:
#!/bin/sh
# variable for storing the current user's name (the console owner, since the policy runs as root)
currentuser=$(stat -f "%Su" /dev/console)
# remove the logged-in user's keychains
rm -r "/Users/$currentuser/Library/Keychains/"*
Posted on 09-17-2015 01:05 PM
Thanks guys, appreciate the help, saved me a lot of searching time.
Posted on 09-17-2015 01:09 PM
This has worked flawlessly for us.
#!/bin/sh
# $3 is the username Casper passes to login/logout policies
rm -rf "/Users/$3/Library/Keychains/login.keychain"
# the Local Items keychain lives in a UUID-named directory
rm -rf "/Users/$3/Library/Keychains/"????????-????-????-????-????????????
echo "Deleted"
edit: should have refreshed before submitting :p
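The two working approaches in this thread (resolve the user from the console owner, or take it from Casper's `$3` parameter, then delete login.keychain and the UUID-named Local Items directory) can be combined into one logout script with the guards a practitioner would want: refuse to act when the resolved user is empty, root or loginwindow, look up the real home directory instead of assuming /Users, and leave user-created keychains alone. This is an added example, not code from anyone in the thread. It assumes that Casper/Jamf passes the username as `$3` to login/logout policies (as stated above), that the Local Items keychain is the UUID-named directory under ~/Library/Keychains (as in the post above), and that newer macOS versions name the login keychain `login.keychain-db` (an assumption; the 2015-era name `login.keychain` is handled as well). The function names `resolve_target_user` and `purge_keychains` are this example's own.

```shell
#!/bin/sh
# Added example: Jamf/Casper logout-policy script that removes a lab user's
# login and Local Items keychains. Not the thread's own code.

# Resolve the user whose keychains should be removed.
# Prefer the username Casper passes as $3 to login/logout policies (assumption
# from the thread); fall back to the console owner. Refuse to act on root,
# loginwindow, the setup user or an empty name, so a mis-fired policy never
# touches the management account.
# Usage: resolve_target_user "$3"
resolve_target_user() {
    target_user="$1"
    if [ -z "$target_user" ]; then
        target_user=$(stat -f%Su /dev/console 2>/dev/null) || target_user=""
    fi
    case "$target_user" in
        ''|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    printf '%s\n' "$target_user"
}

# Remove only the keychains the thread targets under a given home directory:
# login.keychain (pre-10.12) / login.keychain-db (assumed newer name) and the
# UUID-named Local Items directory. Other keychains (e.g. ones the user created
# in Keychain Access.app) are left in place.
# Usage: purge_keychains /Users/alice
purge_keychains() {
    kc_dir="$1/Library/Keychains"
    [ -d "$kc_dir" ] || return 1
    rm -f "$kc_dir/login.keychain" "$kc_dir/login.keychain-db"
    for d in "$kc_dir"/????????-????-????-????-????????????; do
        [ -d "$d" ] && rm -rf "$d"
    done
    return 0
}

main() {
    target=$(resolve_target_user "$3") || {
        echo "No eligible console user; nothing removed"
        exit 0
    }
    # Ask Directory Services for the real home directory rather than assuming /Users
    target_home=$(dscl . -read "/Users/$target" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
    [ -n "$target_home" ] || target_home="/Users/$target"
    if purge_keychains "$target_home"; then
        echo "Removed login and Local Items keychains for $target"
    else
        echo "No Keychains directory found for $target"
    fi
}

# Only run the macOS-specific main path on macOS; the functions above can be
# sourced and exercised anywhere.
case "$(uname -s)" in
    Darwin) main "$@" ;;
esac
```

Upload the script to Casper and attach it to a policy triggered at logout; Casper supplies `$3` itself, so no parameter needs to be set in the policy. The `case` guard in `resolve_target_user` is the part that matters most: when the console owner is root or loginwindow (for instance when the policy fires with nobody logged in) the script exits without deleting anything, rather than silently wiping the management account's keychains, which is the failure the thread opened with.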
Posted on 08-07-2018 08:29 AM
@mm2270 thank you for the information and script, it worked like a dream!
Xavier
Posted on 10-03-2018 09:21 AM
@mm2270 I just wanna say that it's over 2 years later and your script still works.
Just saved me a headache re: Password management! Thank you for contributing.