While running script: security wants to use the "login" keychain

mucgyver-old
New Contributor III

Dear all.

I have created this script in order to prompt the user for their password and use it to add three internet passwords to their login keychain:

#!/bin/bash
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Your company's logo, in ICNS format. (For use in AppleScript messages.)
# Use standard UNIX path format:  /path/to/file.icns
logoIcns="/usr/local/jamf/bin/app.icns"

# The title of the message that will be displayed to the user.
# Not too long, or it'll get clipped.
promptTitle="App Setup"

# Convert POSIX path of logo icon to Mac path for AppleScript
logoIcns="$(osascript -e 'tell application "System Events" to return POSIX file "'"$logoIcns"'" as text')"

# The user logged in at the console (the postinstall itself runs as root).
userName=$(stat -f%Su /dev/console)

# Check the OS version and stop here if it is not 10.9 or later.
osMajor=$(sw_vers -productVersion | awk -F . '{print $1}')
osMinor=$(sw_vers -productVersion | awk -F . '{print $2}')
if [[ "$osMajor" -ne 10 || "$osMinor" -lt 9 ]]; then
    echo "[ERROR] OS version not 10.9+ or OS version unrecognized."
    sw_vers -productVersion
    exit 1      ## Failure
fi

# Get information necessary to display messages in the current user's context.
userId=$(id -u "$userName")
if [[ "$osMinor" -le 9 ]]; then
    # 10.9: run inside the user's loginwindow bootstrap context.
    lId=$(pgrep -x -u "$userId" loginwindow)
    lMethod="bsexec"
else
    # 10.10+: run as the user's UID.
    lId=$userId
    lMethod="asuser"
fi

sleep 10

# Ask the user for the password. The dialog hides the input; the value still ends up
# in a shell variable and, below, on the command line of each "security" call.
userPassword="$(launchctl "$lMethod" "$lId" osascript -e 'display dialog "App needs your user password for adding necessary entries to your login keychain. Please enter your user password:" default answer "" with title "'"${promptTitle//\"/\\\"}"'" giving up after 86400 buttons {"OK"} default button 1 with hidden answer with icon file "'"${logoIcns//\"/\\\"}"'"' -e 'return text returned of result')"

# Unlock the user's login keychain with the password just entered.
security unlock-keychain -p "$userPassword" "/Users/$userName/Library/Keychains/login.keychain"

# One internet password per site. -r is the four-character protocol code
# ("htps" = HTTPS, "http" = HTTP). -A allows every application to read the item.
security add-internet-password -l site1.ourserver.com -a "$userName" -w "$userPassword" -r "htps" -s site1.ourserver.com -A
security add-internet-password -l site2.ourserver.com -a "$userName" -w "$userPassword" -r "http" -s site2.ourserver.com -A
security add-internet-password -l site3.ourserver.com -a "$userName" -w "$userPassword" -r "htps" -s site3.ourserver.com -A

exit 0      ## Success
exit 1      ## Failure

However, it gives me this additional system prompt, which I find surprising:

[screenshot: the "security wants to use the 'login' keychain" prompt]

Does any of you have an idea which bit might be missing? :-)

Thank you and best regards
Christian


mucgyver-old
New Contributor III

Any ideas anyone?

PaulHazelden
Valued Contributor

I am inclined to think it's this..
https://stackoverflow.com/questions/49300975/security-unlock-keychain-from-a-bash-script

You need to explicitly let your script access your keychain.
Open the Keychain Access
Right click on the private key
Select "Get Info"
Select "Access Control" tab
Click "Allow all applications to access this item"
Click "Save Changes"
Enter your password

But getting that sorted by script for multiple machines and users, is going to be the hard bit.

Hugonaut
Valued Contributor II

I think you need to make a PPPC profile https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/


mm2270
Legendary Contributor III

Is it necessary to use security unlock-keychain in this script? Shouldn't the user's login.keychain already be unlocked by default?
Also, is it intentional that these internet password entries all will have the user's actual account password in them? I'm just trying to understand the overall purpose and goal of this.
Finally, using the -A option for something like this is insecure, especially since, as above, it looks like the internet password entries will have the user's account password in them. It means any application can read that keychain entry and access their password. Are you sure you really want to do that?

mucgyver-old
New Contributor III

Okay, somehow, the "security wants to use the 'login' keychain" message magically vanished. But, next strange thing:
The script obviously does what it is supposed to do. It generates internet password entries for the specified (internal) websites.
However, when I try to access the sites afterwards, it is still prompting for the credentials, just ignoring the already existing entries. When I enter the credentials and tick "remember my password", it generates new entries in the keychain that look like exact duplicates of the ones previously generated via script. Does anyone have a clue why this might be happening? Anything else I need to do? (Script is still the same as above...)
Thank you and enjoy your weekend, folks.
Chris
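The following is an added example, not the thread's script or anyone's reply. It covers two points raised above: the Access Control step in PaulHazelden's reply has a scriptable equivalent, the -T option of security add-internet-password, which names the applications allowed to read the item and so replaces the -A ("allow all") flag that mm2270 objects to; and -U updates an item with the same service and account instead of creating a second one. Assumptions, not facts from the thread: the host names, account and application paths are placeholders; the claim that running the security calls in the console user's session (via launchctl asuser plus sudo) rather than as root avoids the "security wants to use the login keychain" prompt is an assumption about the cause of that prompt; whether -T with Safari's path makes Safari reuse the item rather than duplicate it is likewise untested here. The functions proto_code, add_site_password and has_site_password are this example's own names.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumes the macOS "security" CLI is present.
# Host names, account and application paths below are placeholders.
set -u

# Map a URL scheme to the four-character protocol code that "security -r" expects.
proto_code() {
    case "$1" in
        https) printf '%s' 'htps' ;;
        http)  printf '%s' 'http' ;;
        ftp)   printf '%s' 'ftp ' ;;
        *)     return 1 ;;
    esac
}

# Add or update one internet password in the calling user's default (login) keychain.
#   $1 scheme, $2 host, $3 account, $4 password; remaining args are application
#   paths allowed to read the item without an ACL prompt (each becomes a -T option).
# -T names specific readers instead of -A, which lets every process read the item.
# -U updates an item with the same service/account instead of adding a duplicate.
# Caveat: -w places the secret on the command line, where "ps" can see it briefly.
add_site_password() {
    scheme=$1 host=$2 account=$3 password=$4
    shift 4
    code=$(proto_code "$scheme") || { echo "unsupported scheme: $scheme" >&2; return 1; }
    # Turn the remaining positional parameters "app1 app2" into "-T app1 -T app2".
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -T "$1"
        shift
        n=$((n - 1))
    done
    security add-internet-password -U -l "$host" -s "$host" -a "$account" -r "$code" "$@" -w "$password"
}

# Return 0 if an item for host/account exists; nothing (not the secret) is printed.
has_site_password() {
    security find-internet-password -s "$1" -a "$2" >/dev/null 2>&1
}

# A package postinstall runs as root. Assumption: re-executing this script in the
# console user's session keeps the keychain operations in that user's context, so
# the items land in the user's login keychain rather than prompting about it.
if [ "${1:-}" = "--run" ]; then
    if [ "$(id -u)" -eq 0 ]; then
        consoleUser=$(stat -f%Su /dev/console)
        exec launchctl asuser "$(id -u "$consoleUser")" sudo -u "$consoleUser" "$0" --run
    fi
    userPassword=$(osascript -e 'display dialog "Enter your user password:" default answer "" with hidden answer' -e 'text returned of result')
    for site in https://site1.ourserver.com http://site2.ourserver.com https://site3.ourserver.com; do
        scheme=${site%%://*}
        host=${site#*://}
        add_site_password "$scheme" "$host" "$(id -un)" "$userPassword" /Applications/Safari.app /usr/bin/security
        has_site_password "$host" "$(id -un)" && echo "ok: $host"
    done
fi
```

Invoke it as a postinstall with the --run argument; without it the file only defines the functions. The application paths passed after the password are the allow list: add the browser that should fill the credential and /usr/bin/security if later scripts must read the item, and nothing else.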