Skip to main content
Question

script to modify keychain

L
Forum|alt.badge.img+9

Hi All,

I recently transitioned our imaging workflow from an OS packaged with composer to an installer created with autoDMG. I am using part of Rich Trouton's first run script to set up the WiFi. This results in the wifi being *almost* set up properly - it works everywhere except at the login window.

I installed 10.9.2 from the restore partition and found that the AirPort Network password keychain was granting access to /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/updatesprefs. I manually granted the AirPort keychain access to this application on one of my imaged machines and the wifi stays enabled at the login window.

Anybody familiar with the command line interface for modifying the keychain? I found some info on extracting passwords, but none on modifying access control.

Thanks in advance

    3 replies

    mm2270
    Forum|alt.badge.img+16
    • mm2270
    • Legendary Contributor
    • 7880 replies
    • April 17, 2014

    I'm not certain if what you'd need to create is a generic keychain password or an internet password or something else entirely for this, but you should take a look at the manpage for "security"

    As an example, when adding a generic password entry, these items are available to you-

    add-generic-password [-h] [-a account] [-s service] [-w password]
     [options...] [keychain]
            Add a generic password item.

            -a account      Specify account name (required)
            -c creator      Specify item creator (optional four-character
                            code)
            -C type         Specify item type (optional four-character code)
            -D kind         Specify kind (default is "application password")
            -G value        Specify generic attribute value (optional)
            -j comment      Specify comment string (optional)
            -l label        Specify label (if omitted, service name is used as
                            default label)
            -s service      Specify service name (required)
            -p password     Specify password to be added (legacy option,
                            equivalent to -w)
            -w password     Specify password to be added
            -A              Allow any application to access this item without
                            warning (insecure, not recommended!)
            -T appPath      Specify an application which may access this item
                            (multiple -T options are allowed)
            -U              Update item if it already exists (if omitted, the
                            item cannot already exist)

    Specifically, the -T option which lets you specify an application that can access the keychain entry without asking for authorization, may be what you're after.

    bradtchapman
    Forum|alt.badge.img+20
    • bradtchapman
    • Valued Contributor
    • 588 replies
    • November 6, 2016

    Hey folks, this dropped on Reddit today. The security analyst appears to have found a private key hidden inside AOSKit (it works on any Mac), but the exploit works in large part because of user security fatigue, tricking the unsuspecting person into allowing the request into Keychain.

    https://www.reddit.com/r/netsec/comments/5bbl9j/decrypting_icloud_authorization_tokens_on_macos/

    This is why we can't have nice things.

    D
    Forum|alt.badge.img+3
    • digitc6mdm
    • New Contributor
    • 8 replies
    • September 2, 2019

    Hi, Who can help me with script that could do this Open Keychain Access.
    - Find my internet password keychain
    - Double-click, goto Acces Control tab.
    - Select ‘Allow all applications to access this item’.
    - Save the changes.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings