Removing keychain entries

Mr_Meaves
New Contributor II

We've recently been trying to get users to update passwords more regularly and with that, of course, come keychain issues. I was trying to create a script to remove local wifi connections and server connections so when they accessed them, they could just recreate it by typing in their password. I've been struggling with this for a couple of days and had success locally, but not when deployed, and now I've broken it completely again.

#!/bin/bash

security delete-internet-password -l "cwinprint" ~/Library/Keychains/login.keychain
security delete-internet-password -l "pwinfile" ~/Library/Keychains/login.keychain
security delete-internet-password -l "cwinfile" ~/Library/Keychains/login.keychain
security delete-internet-password -l "fwinfile" ~/Library/Keychains/login.keychain
security delete-generic-password -l "IS-EMP" -s com.apple.network.eap.user.item.wlan.ssid.IS-EMP
security delete-generic-password -l "CO-EMP" -s com.apple.network.eap.user.item.wlan.ssid.CO-EMP

Looking to use this as a script to use in Jamf Remote or a policy I can create to add machines to if the users are known to be hard to get a hold of. Any assistance would be appreciated.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

The thing about the "~" character when running shell commands is that it expands to the home directory of the account running the command. Since those commands will get run as root from a Jamf policy, you are really telling it to look in /private/var/root/Library/Keychains/login.keychain, which clearly isn't what you intended.

Instead, get the current or logged in user first, then use that as part of the path to the keychain file you want the security command to search in.

 

## Logged in username
logged_in_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name : / && ! /loginwindow/ {print $3}')

/usr/bin/security delete-internet-password -l "cwinprint" /Users/$logged_in_user/Library/Keychains/login.keychain
...

 

Something like the above may do the trick, but test of course.

Also, be sure you're using the correct actual name of the login keychain. I've seen it named somewhat differently at times, like "login.keychain-db".
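A fuller version of the approach in the accepted answer, added here as an example and not code from the original thread: it reads the console user from scutil, resolves that user's home directory through dscl instead of assuming /Users/<name>, picks login.keychain-db or login.keychain (whichever exists, per the naming caveat above), and then runs the same security deletions the original script attempted. Running security via sudo -u as the user, and the helper function names, are my assumptions rather than anything mm2270 wrote.

```shell
#!/bin/bash
# Jamf policies run scripts as root, so "~" would point at root's keychain.
# This script resolves the console user and operates on their login keychain.
set -u

# Pull the console username out of "scutil" output fed on stdin; prints
# nothing when only the loginwindow is showing (no user session).
console_user_from_scutil() {
    awk '/^ *Name : / && $3 != "loginwindow" { print $3 }'
}

# Print the login keychain under a home directory. Newer macOS names the
# file login.keychain-db, older releases login.keychain; pick the one present.
login_keychain_path() {
    homedir="$1"
    for name in login.keychain-db login.keychain; do
        if [ -f "$homedir/Library/Keychains/$name" ]; then
            printf '%s\n' "$homedir/Library/Keychains/$name"
            return 0
        fi
    done
    return 1
}

main() {
    user=$(echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | console_user_from_scutil)
    if [ -z "$user" ]; then
        echo "No console user; nothing to do" >&2
        exit 0
    fi
    # Ask Directory Services for the home path instead of assuming /Users/<name>.
    homedir=$(/usr/bin/dscl . -read "/Users/$user" NFSHomeDirectory | awk '{ print $2 }')
    keychain=$(login_keychain_path "$homedir") || {
        echo "No login keychain found for $user under $homedir" >&2
        exit 1
    }
    # Run security as the user (assumption) so the request is tied to their
    # session; an item that is already gone makes security exit non-zero, which is fine.
    for label in cwinprint pwinfile cwinfile fwinfile; do
        sudo -u "$user" /usr/bin/security delete-internet-password -l "$label" "$keychain" || true
    done
    for ssid in IS-EMP CO-EMP; do
        sudo -u "$user" /usr/bin/security delete-generic-password -l "$ssid" \
            -s "com.apple.network.eap.user.item.wlan.ssid.$ssid" "$keychain" || true
    done
}

# Only run the macOS-specific part on macOS; the helpers above stay sourceable.
[ "$(uname -s)" = "Darwin" ] && main "$@"
```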


2 REPLIES

Mr_Meaves
New Contributor II

So you were correct on all points. Part of where I had gotten messed up was while I was editing it and re-running, my Keychain window had not updated so I had deleted some parts as "not working" even though it was updating the file. Lesson learned. Thanks for the assist!