script to modify keychain

lwindram
Contributor

Hi All,

I recently transitioned our imaging workflow from an OS packaged with composer to an installer created with autoDMG. I am using part of Rich Trouton's first run script to set up the WiFi. This results in the wifi being *almost* set up properly - it works everywhere except at the login window.

I installed 10.9.2 from the restore partition and found that the AirPort Network password keychain was granting access to /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/updatesprefs. I manually granted the AirPort keychain access to this application on one of my imaged machines and the wifi stays enabled at the login window.

Anybody familiar with the command line interface for modifying the keychain? I found some info on extracting passwords, but none on modifying access control.

Thanks in advance

3 REPLIES

mm2270
Legendary Contributor III

I'm not certain if what you'd need to create is a generic keychain password or an internet password or something else entirely for this, but you should take a look at the manpage for "security".

As an example, when adding a generic password entry, these items are available to you-

add-generic-password [-h] [-a account] [-s service] [-w password]
     [options...] [keychain]
            Add a generic password item.

            -a account      Specify account name (required)
            -c creator      Specify item creator (optional four-character
                            code)
            -C type         Specify item type (optional four-character code)
            -D kind         Specify kind (default is "application password")
            -G value        Specify generic attribute value (optional)
            -j comment      Specify comment string (optional)
            -l label        Specify label (if omitted, service name is used as
                            default label)
            -s service      Specify service name (required)
            -p password     Specify password to be added (legacy option,
                            equivalent to -w)
            -w password     Specify password to be added
            -A              Allow any application to access this item without
                            warning (insecure, not recommended!)
            -T appPath      Specify an application which may access this item
                            (multiple -T options are allowed)
            -U              Update item if it already exists (if omitted, the
                            item cannot already exist)

Specifically, the -T option, which lets you specify an application that can access the keychain entry without asking for authorization, may be what you're after.
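An added example, not part of the original reply, of the -T option described above: a wrapper that stores a generic password trusted only by the named application paths and never passes -A. The function name, the DRY_RUN and ITEM_PASSWORD variables, and the sample account, service and keychain values are assumptions made for illustration; the trusted path is the one quoted in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Uses only flags shown in the man page
# excerpt above (-a -s -l -U -T -w); all item values below are constructed.

# add_item ACCOUNT SERVICE KEYCHAIN APP_PATH...
# Stores a generic password whose access list trusts only the named
# applications (-T). It never passes -A, so other applications still have to
# ask before reading the item. The secret is read from $ITEM_PASSWORD.
# DRY_RUN=1 (the default) prints the command with the secret redacted.
add_item() (
    account=$1 service=$2 keychain=$3
    [ -n "$account" ] && [ -n "$service" ] && [ -n "$keychain" ] || {
        echo "usage: add_item ACCOUNT SERVICE KEYCHAIN APP_PATH..." >&2; exit 2; }
    shift 3
    [ "$#" -gt 0 ] || { echo "need at least one trusted app path" >&2; exit 2; }
    [ -n "${ITEM_PASSWORD:-}" ] || { echo "ITEM_PASSWORD is not set" >&2; exit 2; }

    napps=$#
    for app in "$@"; do
        case $app in
            /*) set -- "$@" -T "$app" ;;      # append one -T per trusted app
            *)  echo "rejected (not an absolute path): $app" >&2; exit 2 ;;
        esac
    done
    shift "$napps"                            # drop the raw paths, keep -T pairs

    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo security add-generic-password -a "$account" -s "$service" \
            -l "$service" -U "$@" -w '<redacted>' "$keychain"
    else
        # -w places the secret in the process argument list while this runs.
        security add-generic-password -a "$account" -s "$service" \
            -l "$service" -U "$@" -w "$ITEM_PASSWORD" "$keychain"
    fi
)

# Constructed sample: trust only the helper path quoted in the first post.
ITEM_PASSWORD='constructed-secret' add_item 'ExampleSSID' 'ExampleService' \
    /Library/Keychains/System.keychain \
    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/updatesprefs
```

Run it as is to review the command it would issue; set DRY_RUN=0 on a Mac to execute it.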

bradtchapman
Valued Contributor II

Hey folks, this dropped on Reddit today. The security analyst appears to have found a private key hidden inside AOSKit (it works on any Mac), but the exploit works in large part because of user security fatigue, tricking the unsuspecting person into allowing the request into Keychain.

https://www.reddit.com/r/netsec/comments/5bbl9j/decrypting_icloud_authorization_tokens_on_macos/

This is why we can't have nice things.

digitc6mdm
New Contributor II

Hi, who can help me with a script that could do this:
- Open Keychain Access.
- Find my internet password keychain.
- Double-click, go to the Access Control tab.
- Select ‘Allow all applications to access this item’.
- Save the changes.