Question

While running script: security wants to use the "login" keychain



Dear all.

I have created this script in order to prompt the user for his/her password and use it to add three internet passwords to his/her login keychain:

#!/bin/bash
## postinstall
## (bash rather than sh: the script uses [[ ]] tests below)

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Your company's logo, in ICNS format. (For use in AppleScript messages.)
# Use standard UNIX path format:  /path/to/file.icns
logoIcns="/usr/local/jamf/bin/app.icns"

# The title of the message that will be displayed to the user.
# Not too long, or it'll get clipped.
promptTitle="App Setup"

# Convert POSIX path of logo icon to Mac path for AppleScript
logoIcns="$(osascript -e 'tell application "System Events" to return POSIX file "'"$logoIcns"'" as text')"

# The user currently logged in at the console (owner of the keychain we modify).
userName=$(stat -f%Su /dev/console)

# Check the OS version and bail out if it is older than 10.9.
osMajor=$(sw_vers -productVersion | awk -F . '{print $1}')
osMinor=$(sw_vers -productVersion | awk -F . '{print $2}')
if [[ "$osMajor" -ne 10 || "$osMinor" -lt 9 ]]; then
    echo "[ERROR] OS version not 10.9+ or OS version unrecognized."
    sw_vers -productVersion
    exit 1      ## Failure
fi

# Get information necessary to display messages in the current user's context.
userId=$(id -u "$userName")
if [[ "$osMajor" -eq 10 && "$osMinor" -le 9 ]]; then
    lId=$(pgrep -x -u "$userId" loginwindow)
    lMethod="bsexec"
elif [[ "$osMajor" -eq 10 && "$osMinor" -gt 9 ]]; then
    lId=$userId
    lMethod="asuser"
fi

# Give the login session a moment to settle before showing the dialog.
sleep 10

# Ask the user for the password in their own GUI session (hidden answer).
userPassword="$(launchctl "$lMethod" "$lId" osascript -e 'display dialog "App needs your user password for adding necessary entries to your login keychain. Please enter your user password:" default answer "" with title "'"${promptTitle//"/\\"}"'" giving up after 86400 with text buttons {"OK"} default button 1 with hidden answer with icon file "'"${logoIcns//"/\\"}"'"' -e 'return text returned of result')"

# Quote every expansion so passwords or user names containing spaces survive intact.
security unlock-keychain -p "$userPassword" "/Users/$userName/Library/Keychains/login.keychain"

# -r is the four-character protocol code ("htps" = HTTPS, "http" = HTTP).
# -A allows any application to read these items without prompting.
security add-internet-password -l site1.ourserver.com -a "$userName" -w "$userPassword" -r "htps" -s site1.ourserver.com -A
security add-internet-password -l site2.ourserver.com -a "$userName" -w "$userPassword" -r "http" -s site2.ourserver.com -A
security add-internet-password -l site3.ourserver.com -a "$userName" -w "$userPassword" -r "htps" -s site3.ourserver.com -A

exit 0      ## Success

However, it gives me this additional system prompt, which I find surprising:

Does any one of you have an idea which bit might be missing? :-)

Thank you and best regards
Christian

5 replies

  • Author
  • Contributor
  • 21 replies
  • June 12, 2019

Any ideas anyone?


PaulHazelden
  • Jamf Heroes
  • 378 replies
  • June 12, 2019

I am inclined to think it's this..
https://stackoverflow.com/questions/49300975/security-unlock-keychain-from-a-bash-script

You need to explicitly let your script access your keychain.
Open the Keychain Access
Right click on the private key
Select "Get Info"
Select "Access Control" tab
Click "Allow all applications to access this item"
Click "Save Changes"
Enter your password

But getting that sorted by script for multiple machines and users, is going to be the hard bit.


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • June 12, 2019

mm2270
  • Legendary Contributor
  • 7880 replies
  • June 12, 2019

Is it necessary to use security unlock-keychain in this script? Shouldn't the user's login.keychain already be unlocked by default?
Also, is it intentional that these internet password entries all will have the user's actual account password in them? I'm just trying to understand the overall purpose and goal of this.
Finally, using the -A option for something like this is insecure, especially since, as above, it looks like the internet password entries will have the user's account password in it. It means any application can read that keychain entry and access their password. Are you sure you really want to do that?
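The points raised in this thread (the original script's use of -A, the access-control question in the earlier reply, and the later report of duplicate entries) can be demonstrated in one hardened version of the "add internet password" step. This is an added example, not the poster's script or anything from Jamf: it drops -A and instead names the applications allowed to read the items with -T (Safari here, as an assumption), uses -U so re-running updates an existing item instead of failing or duplicating it, quotes every expansion, and reports a per-site status. The site list is the one from the thread; the keychain path and the SECURITY variable (which lets the functions be exercised against a stub of the macOS security tool) are assumptions.

```shell
#!/bin/bash
# Added example, not the original poster's script.
# Hardened version of the three "security add-internet-password" calls:
#   - no -A: only the apps in TRUSTED_APPS may read the items without a prompt
#   - -U: update an existing item rather than create a duplicate or error out
#   - every expansion is quoted, so passwords with spaces or $ survive intact
#   - each call's exit status is checked so the postinstall can fail loudly
# Assumptions: Safari as the only trusted app, the keychain path, and the
# SECURITY indirection (defaults to the real macOS "security" tool).

SECURITY="${SECURITY:-security}"

# Apps allowed to read the items without prompting (space separated, no spaces in paths).
TRUSTED_APPS="/Applications/Safari.app"

# Site list from the thread, with the four-character protocol code that
# security(1) expects for -r ("htps" = HTTPS, "http" = HTTP).
SITES="site1.ourserver.com:htps site2.ourserver.com:http site3.ourserver.com:htps"

# Return 0 if an internet password for this server/account/protocol already exists.
site_password_exists() {
    local server="$1"
    local account="$2"
    local proto="$3"
    local keychain="$4"
    "$SECURITY" find-internet-password -s "$server" -a "$account" -r "$proto" "$keychain" >/dev/null 2>&1
}

# Add or update one item. Prints "added" or "updated"; returns security's status on failure.
add_site_password() {
    local server="$1"
    local account="$2"
    local password="$3"
    local proto="$4"
    local keychain="$5"
    local action="added"
    local app
    if site_password_exists "$server" "$account" "$proto" "$keychain"; then
        action="updated"
    fi
    # Build the -T list from TRUSTED_APPS in the positional parameters.
    set --
    for app in $TRUSTED_APPS; do
        set -- "$@" -T "$app"
    done
    "$SECURITY" add-internet-password -l "$server" -s "$server" -a "$account" \
        -r "$proto" -w "$password" -U "$@" "$keychain" || return $?
    echo "$action"
}

# Process every site in SITES; the return value is the number of failures.
add_all_site_passwords() {
    local account="$1"
    local password="$2"
    local keychain="$3"
    local entry
    local failures=0
    for entry in $SITES; do
        add_site_password "${entry%%:*}" "$account" "$password" "${entry##*:}" "$keychain" \
            || failures=$((failures + 1))
    done
    return "$failures"
}

# Run end-to-end only on macOS, where the real security tool exists, and only
# when the caller supplies ACCOUNT and PASSWORD (e.g. from the dialog step).
if [ "$(uname)" = "Darwin" ] && [ -n "${ACCOUNT:-}" ] && [ -n "${PASSWORD:-}" ]; then
    add_all_site_passwords "$ACCOUNT" "$PASSWORD" "/Users/$ACCOUNT/Library/Keychains/login.keychain"
fi
```

Two caveats remain even in this form. Without -U, a second run of the original script fails with "The specified item already exists in the keychain", so -U is what makes the step safe to repeat; it does not by itself explain why a browser would write its own separate entry. And passing the secret on the command line (-w here, -p on unlock-keychain) exposes it in the process list for as long as the command runs; the security tool can prompt for the password instead when -w is the last argument, but that only works in an interactive session, not in a non-interactive postinstall.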


  • Author
  • Contributor
  • 21 replies
  • June 21, 2019

Okay, somehow the "security wants to use the 'login' keychain" message magically vanished. But, next strange thing:
The script obviously does what it is supposed to do. It generates internet password entries for the specified (internal) websites.
However, when I try to access the sites afterwards, it is still prompting for the credentials, just ignoring the already existing entries. When I enter the credentials and tick "remember my password", it generates new entries in the keychain that look like exact duplicates of the ones previously generated via script. Does anyone have a clue why this might be happening? Anything else I need to do? (Script is still the same as above...)
Thank you and enjoy your weekend, folks.
Chris

