OT: Script to Open Keychain Access -->Change Password for Keychain Login...

krichterjr
Contributor

While it would be nice for users change their password in System Preferences—>Users & Groups so it updates their login.keychain, the reality is we require users to update their password through a webpage that we know propagates to all our systems. The biggest downfall to this process is their keychain don’t get updated automagically. So to make life easier for our users I'm working on an Self Service item that uses AppleScript to automatically open the Keychain Access—>"Change Password for Keychain 'Login’…” box so users can easily update their Keychain.

I have the script working with one caveat. It works as long as when Keychain Access opens it was last on the “Login” keychain and it is unlocked. If Keychain Access is on the System keychain, or System Roots, etc. then it will fail. I’ve played around a lot trying to figure how to get AppleScript to switch to the login keychain but knowing very little about AppleScript I'm not getting it to work

Does anyone know how to get “Login” selected if it is not initially?

tell application "Keychain Access" to activate
tell application "System Events"
    tell process "Keychain Access"
        click menu item "Change Password for Keychain “Login”…" of menu "Edit" of menu bar 1
    end tell
end tell

external image link

Side note(s): 1. I've tried opening the ~/Library/Keychains/login.keychain file after the Applescript opens Keychain Access It will then select it but it’s not consistent as the keychain will be locked. 2. I've also thought about using the ‘security’ CL mixed with CocoaDialog but the built in popup box Apple provides is a much nicer user experience IMHO. 🙂

Thanks!

14 REPLIES 14

krichterjr
Contributor

I've also tried using Accessibility Inspector (from Xcode) coupled with UI elements but I'm no developer and feel like I'm reading a different language 😛

bbass
Contributor

Hey Kenny,

Have you tried the "security" command? Seems like it may do the job for you. Something like:

security set-keychain-password -o oldPassword -p newPassword /Users/<username>/Library/Keychains/login.keychain

Haven't done this myself but I believe it should work. Collecting the input via AppleScript (or CocoaDialog) and passing it to bash shouldn't be too tall an order.

Thanks,
Brian

krichterjr
Contributor

Hey Brian...good to 'see' you.

It's certainly an option if I can't do it this other way.

CocaDialog is nice but I can't make it as "pretty" as Apple does. I like having the logo and layout with all three fields (Old Password, New Password, and Verify) in one screen. Plus it keeps it all directly through Keychain Access and I don't need to pass anything typed by the user from one place to the other.

Cheers!

krichterjr
Contributor

I believe I figured it out. I'm sure I'll tweak it some and maybe add a little bit of logic to make sure it works but this is what I have in case anyone else wants something similar. You will need to sure you enable GUI Scripting for this to work.

tell application "Keychain Access" to activate
tell application "System Events"
    tell process "Keychain Access"
        select row 1 of outline 1 of scroll area 1 of splitter group 1 of splitter group 1 of window "Keychain Access"

        delay 2

        click menu item "Change Password for Keychain “Login”…" of menu "Edit" of menu bar 1
    end tell
end tell

EDIT: Here is a link that talks about enabling GUI Scripting in Mavericks. It's focused on ADPassMon but it will work for other apps as well. http://work.chrisdietrich.de/enabling-accessibility-for-adpassmon-in-mavericks/

mm2270
Legendary Contributor II

@krichterjr][/url - glad you got that figured out, but, just curious. Why not script this to open System Preferences > Users & Groups and click the "Change Password…" button there? I assume users would be more familiar with and therefore more comfortable with System Preferences over something like Keychain Access. And you can get the same "Old Password" "New Password" and "Verify" fields as in Keychain Access. No need to mess with selecting the right keychain item.

tell application "System Preferences"
    activate
    set the current pane to pane id "com.apple.preferences.users"
    reveal anchor "passwordPref" of pane id "com.apple.preferences.users"
    tell application "System Events"
        tell process "System Preferences"
            click button "Change Password…" of tab group 1 of window 1
        end tell
    end tell
end tell

krichterjr
Contributor

@mm2270
I built that same script as well thinking that would be the best experience for our users. However, our 'supported' way is for user's to change their password was through a separate identity management system that propagates to all of our systems and back down to the computer. So this will be an easy way for them to 'fix' their Keychain. I agree though, System Preferences would be a prefered method.

jhbush
Valued Contributor II

Putting this here for any ADPassMon users who need to add it to the Accessibility pref pane.

#!/bin/bash

# Created by Jason Bush 3/6/2014
#
# Enabling Accessibility for ADPassMon in Mavericks
#
# http://work.chrisdietrich.de/enabling-accessibility-for-adpassmon-in-mavericks/

os=$(sw_vers -productVersion | awk -F. '{print $2}')

    echo $os

if [[ ${os} -ge 9 ]]; then

sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "delete from access where client='org.pmbuko.ADPassMon';"

sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','org.pmbuko.ADPassMon',0,1,1,NULL);"

    else

echo "You are not running Mavericks"

fi

ryan_s
New Contributor II

@jhbush1973 ...could you describe this process for Script Editor (adding it to the accessibility pane)? Everything I am googling shows me GUI-only 😞

bentoms
Honored Contributor III
Honored Contributor III

@rseys can you expand what you're looking to do?

ryan_s
New Contributor II

Hey @bentoms ! In my particular case, I am looking to enable "Script Editor (AppleScript)" to the assistive devices in Yosemite. Or in other words, I want to enable the checkbox next to Script Editor in SysPrefs > Security & Privacy > "privacy" tab ...

Using your logic that was created for ADPassMon, the syntax (and variations) I've attempted is this:

sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','/Applications/Utilities/Script Editor',1,1,1,NULL)"

But that doesn't seem to do the trick...I feel like I am just overlooking something obvious

mm2270
Legendary Contributor II

@rseys I believe when adding items into the Accessibility settings like that, you need to use the app's Bundle Identifier, not the application path. So doing the following on AppleScript Editor.app

defaults read /Applications/Utilities/AppleScript Editor.app/Contents/Info.plist CFBundleIdentifier

I get:
com.apple.ScriptEditor2

Try replacing:
`'/Applications/Utilities/Script Editor' in your script line above with:
'com.apple.ScriptEditor2'
and see if it works then.

bentoms
Honored Contributor III
Honored Contributor III

@rseys Have you seen my ADPassMon fork?

It can be used without enabling access to accessibility.

ryan_s
New Contributor II

@bentoms

I have read about it yes and it looks like a phonemail tool! Unfortunately, my task here is to exhaust built-in options (without 3rd party solutions) before proceeding down that road. If I can't get AppleScripting to do what I want it to do, rest assured that ADPassMon is next on my list!

@mm2270

I'm giving that a shot right now! Thank you sir (and you also answered how you found it...it's helpful. Thanks)

EDIT: @mm2270 works perfectly -- thanks for not only the help but the rhyme/reason behind it!

jsauer
New Contributor

Anyone else getting an error message that this script is unable to access /Library/Application Support/com.apple.TCC/TCC.db on 10.10? Worked flawlessly until now. 😐