Keychain removal on Lab Machines

farverk
New Contributor III

Just like everyone else we are dealing with keychain issues for our AD accounts. I have a lab where students log in with their AD credentials and they are constantly complaining about the keychain prompts.

The building consultant wanted me to script something that would remove the users' keychain folder contents after each logout. I understand this may not be best practice, but I can't for the life of me get it to work through Casper's login/logout hooks.

I'm using this script: http://www.amsys.co.uk/2015/02/delete-keychains-logout/

#!/bin/sh

# $USER is whatever account the shell is running as; under a Casper
# policy that is not the student who just logged out (see the replies)
rm -Rf /Users/$USER/Library/Keychains/*

exit 0

When I run it from the terminal manually it works like a charm. When I run it via an event/logout hook it completes "successfully" but the folders remain. Anyone have any ideas why it's not deleting the contents? Any suggestions on how to deal with keychains on lab machines other than ADPassmon? Thanks

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

The $USER variable from the shell isn't going to evaluate correctly when a policy runs via Casper. It tends to run scripts as the root account, not as the logged in user.

If you are doing these policies at logout, you can replace it with $3, which by default Casper Suite will assign to the current logged in user.
But I would personally just replace it with another variable to get the logged in user and then pass that to the command, just to be safe.

#!/bin/sh

# The owner of /dev/console is the user currently logged in at the GUI
loggedInUser=$(stat -f%Su /dev/console)

# Bail out rather than wipe root's (or nobody's) keychains if no user
# is at the console when the policy fires
if [ -z "$loggedInUser" ] || [ "$loggedInUser" = "root" ]; then
    exit 0
fi

rm -Rf "/Users/$loggedInUser/Library/Keychains/"*

Taking it back a step though, I'd be cautious about just blowing away all files/folders in the Keychains directory. There may be other items there you (or the client) don't want deleted. For example, you can create additional keychains within Keychain Access.app and store data in there which can have their own unique passwords. But it's up to you. It should be fine to target the login.keychain and the Local Items Keychain directory only for deletion in my experience.

EDIT: Never mind the above on not deleting all items in Keychains. I didn't read close enough that these are lab machines, so removing everything is probably the better approach in this case.

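Pulling the thread's advice together, here is an added example that is not any poster's script: it takes the user from the $3 that Casper/Jamf passes to login/logout policies and falls back to the owner of /dev/console as mm2270 suggests, refuses to act for root, an empty name or an account with no home directory (the failure mode the original $USER script hit), and then removes only the login keychain and the UUID-named Local Items directory that Aziz's glob matches, leaving any custom keychains alone. The function names, the USERS_ROOT parameter (there so the logic can be exercised against a scratch directory instead of a real /Users) and the `$# -ge 3` entry-point check are my own choices; `login.keychain-db` is the name newer macOS versions use for the login keychain and is included alongside the older `login.keychain`.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves the console user the way the
# replies describe, validates it, and removes only the login keychain and the
# UUID-named Local Items directory. USERS_ROOT defaults to /Users; it is a
# parameter only so the functions can be tested against a temporary tree.

USERS_ROOT="${USERS_ROOT:-/Users}"

# Prefer the username Jamf hands login/logout policies as $3; otherwise use
# the owner of /dev/console (BSD stat syntax, as on macOS).
resolve_user() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -c /dev/console ]; then
        stat -f%Su /dev/console 2>/dev/null
    fi
}

# Reject anything that is not a plausible interactive user: empty, root
# (what $USER becomes under a policy), path tricks, or no home directory.
valid_user() {
    u="$1"
    [ -n "$u" ] || return 1
    [ "$u" != "root" ] || return 1
    case "$u" in *"/"*|*".."*) return 1 ;; esac
    [ -d "$USERS_ROOT/$u" ] || return 1
    return 0
}

# List what would be removed for a user, one path per line, without deleting.
# The ?-pattern is the 8-4-4-4-12 UUID directory (Local Items keychain).
keychain_targets() {
    kc="$USERS_ROOT/$1/Library/Keychains"
    [ -f "$kc/login.keychain" ] && printf '%s\n' "$kc/login.keychain"
    [ -f "$kc/login.keychain-db" ] && printf '%s\n' "$kc/login.keychain-db"
    for d in "$kc"/????????-????-????-????-????????????; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Validate, then delete the targets; returns 1 and touches nothing otherwise.
purge_keychains() {
    valid_user "$1" || return 1
    keychain_targets "$1" | while IFS= read -r p; do
        rm -rf -- "$p"
    done
    return 0
}

# Entry point when run as a Jamf logout policy (mount point, computer name
# and username are passed as $1 $2 $3); skipped when sourced for testing.
if [ $# -ge 3 ]; then
    if purge_keychains "$(resolve_user "$3")"; then
        echo "Deleted"
    else
        echo "Skipped: no valid console user"
    fi
fi
```

Run it as the policy's script and it prints "Deleted" or "Skipped"; to preview what a given account would lose, call `keychain_targets studentname` from a root shell first.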
6 REPLIES

hkabik
Valued Contributor

I think it's attempting to remove the management account's keychains...

Try:

#!/bin/sh

# variable for storing the current user's name (owner of the console)
currentuser=$(stat -f "%Su" /dev/console)

# remove the logged-in user's keychains
rm -r "/Users/$currentuser/Library/Keychains/"*

farverk
New Contributor III

Thanks guys, appreciate the help, saved me a lot of searching time.

Aziz
Valued Contributor

This has worked flawlessly for us.

#!/bin/sh

# $3 is the username Casper passes to login/logout policies
rm -rf "/Users/$3/Library/Keychains/login.keychain"

# Local Items keychain lives in a directory named by a UUID (8-4-4-4-12)
rm -rf "/Users/$3/Library/Keychains/"????????-????-????-????-????????????

echo "Deleted"

edit: should have refreshed before submitting :p

dvasquez
Valued Contributor

@mm2270 thank you for the information and script, it worked like a dream!

Xavier

jdye
New Contributor III

@mm2270 I just wanna say that it's over 2 years later and your script still works.

Just saved me a headache re: Password management! Thank you for contributing.