Help

Yet another Keychain & Security command line tool question

mbootes
New Contributor II

Posted on β€Ž11-30-2016 09:19 PM

Hey,
One of the regular problems that our helpdesk experiences is incorrect usernames/ passwords being used for printing services. I've been trying to write a script to put in self service that will get a user's wifi username and password from the keychain, remove the old entries for the printers, and then add them again with the WiFi password (which we assume is correct at this stage).

Here is what I have so far...

#!/bin/bash
#Check if there is an "acct" in the response - if not then the wifi credentials for SSID can't be found.
wifi=$(security find-generic-password -D '802.1X Password' -l 'SSID' 2>&1 | grep "acct")

if [ ! -z "$wifi" ]; then
    echo "I found it!"
    #Get the account name used for wifi
    username=$(security find-generic-password -D '802.1X Password' -l 'SSID' -g 2>&1 | grep acct | sed -e 's/.*"(.*)"/1/')
    #get the password used for wifi
    wifipwd=$(security find-generic-password -D '802.1X Password' -l 'SSID' -w)

    #Delete the 4 xerox printers
    security delete-generic-password -l 'Xerox - B&W (AirPrint)'
    security delete-generic-password -l 'Xerox - B&W (Advanced) @ Mac Server 2'
    security delete-generic-password -l 'Xerox - Colour (AirPrint)'
    security delete-generic-password -l 'Xerox - Colour (Advanced) @ Mac Server 2'
    #Recreate the 4 xerox printers
    security add-generic-password -a $username -s "Xerox - B&W (AirPrint)" -w $wifipwd -D 'Network Password' -l 'Xerox - B&W (AirPrint)' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a $username -s "Xerox - B&W (Advanced) @ Mac Server 2" -w $wifipwd -D 'Network Password' -l 'Xerox - B&W (Advanced) @ Mac Server 2' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a $username -s "Xerox - Colour (AirPrint)" -w $wifipwd -D 'Network Password' -l 'Xerox - Colour (AirPrint)' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a $username -s "Xerox - Colour (Advanced) @ Mac Server 2" -w $wifipwd -D 'Network Password' -l 'Xerox - Colour (Advanced) @ Mac Server 2' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
else
    echo "Its not there!"
fi

Now the problem that I'm having: no matter if I specify an application with the -T option on the security command (give an application permissions to access that keychain item), the user gets a prompt when trying to print for the first time with that same application (NetAuthSysAgent) tries to access the keychain.
If I check my keychain access the application is there in the access control list.
Furthermore I did some testing by dumping the keychain access control list with

 dump-keychain -a login.keychain

Here is the difference between the keychain item that doesn't prompt:

keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db" version: 512 class: "genp" attributes: 0x00000007 <blob>="Xerox - B&W (AirPrint)" 0x00000008 <blob>=<NULL> "acct"<blob>="USERNAME" "cdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z�00" "crtr"<uint32>=<NULL> "cusi"<sint32>=<NULL> "desc"<blob>="Network Password" "gena"<blob>=<NULL> "icmt"<blob>=<NULL> "invi"<sint32>=<NULL> "mdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z�00" "nega"<sint32>=<NULL> "prot"<blob>=<NULL> "scrp"<sint32>=<NULL> "svce"<blob>="Xerox - B&W (AirPrint)" "type"<uint32>=<NULL> access: 5 entries entry 0: authorizations (1): encrypt don't-require-password description: Xerox - B&W (AirPrint) applications: <null> entry 1: authorizations (6): decrypt derive export_clear export_wrapped mac sign don't-require-password description: Xerox - B&W (AirPrint) applications (4): 0: /System/Library/CoreServices/NetAuthAgent.app (OK) 1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK) 2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth�00" 3: /usr/bin/security (OK) entry 2: authorizations (1): integrity don't-require-password description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8 applications: <null> entry 3: authorizations (1): partition_id don't-require-password description: apple-tool:, apple: applications: <null> entry 4: authorizations (1): change_acl don't-require-password description: Xerox - B&W (AirPrint) applications (0):

And the keychain that does prompt (before i clicked always allow on the prompt):

keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db" version: 512 class: "genp" attributes: 0x00000007 <blob>="Xerox - B&W (AirPrint)" 0x00000008 <blob>=<NULL> "acct"<blob>="USERNAME" "cdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z�00" "crtr"<uint32>=<NULL> "cusi"<sint32>=<NULL> "desc"<blob>="Network Password" "gena"<blob>=<NULL> "icmt"<blob>=<NULL> "invi"<sint32>=<NULL> "mdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z�00" "nega"<sint32>=<NULL> "prot"<blob>=<NULL> "scrp"<sint32>=<NULL> "svce"<blob>="Xerox - B&W (AirPrint)" "type"<uint32>=<NULL> access: 5 entries entry 0: authorizations (6): decrypt derive export_clear export_wrapped mac sign don't-require-password description: Xerox - B&W (AirPrint) applications (4): 0: /System/Library/CoreServices/NetAuthAgent.app (OK) 1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK) 2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth�00" 3: /usr/bin/security (OK) entry 1: authorizations (1): encrypt don't-require-password description: Xerox - B&W (AirPrint) applications: <null> entry 2: authorizations (1): integrity don't-require-password description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8 applications: <null> entry 3: authorizations (1): partition_id don't-require-password description: apple-tool: applications: <null> entry 4: authorizations (1): change_acl don't-require-password description: Xerox - B&W (AirPrint) applications (0):

My testing so far seems to suggest that the -T option just doesn't work... has anybody had any experience with this?

Labels:
0 Kudos
5 REPLIES 5

mm2270
Legendary Contributor II

Posted on β€Ž12-01-2016 07:50 AM

Edit: Oops! Never mind. I see that you do have the full path as well. I didn't scroll over far enough before. Have you tried it with just the full path and not the bundle as well? I'm wondering if its only adding in the first one and ignoring the others.

Leaving original post here just for reference:

I may be wrong, but I believe when using the -T option with security, you need to specify the full path to the actual executable in the app bundle, not the app bundle itself.
In your script, you have the following path after -T

/System/Library/CoreServices/NetAuthAgent.app

I believe it should be:

/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent

Meaning, the full path to the executable inside the 'MacOS' directory. I would try it that way and see if it helps.

0 Kudos

mbootes
New Contributor II

Posted on β€Ž12-01-2016 05:15 PM

Hi,
Thanks for the advice.
I'll give it a go. I hadn't tried that because the items are showing up in both Keychain Manager & the dump.

0 Kudos

Fveja
New Contributor II

Posted on β€Ž11-06-2017 07:41 AM

I know this is an old thread, but just in case someone comes across this looking for an answer.

See entry 3: description line in the security dump-keychain above. The keychain entry that does not prompt has "apple-tool:, apple:" while the keychain entry that prompts only has "apple-tool:".

Does not Prompt:

    entry 3:
        authorizations (1): partition_id
        don't-require-password
 -->    description: apple-tool:, apple:
        applications: <null>

Prompts:

    entry 3:
        authorizations (1): partition_id
        don't-require-password
 -->    description: apple-tool:
        applications: <null>

You can run the following after creating the keychain entry to set the correct partition_id, so the user doesn't get prompted, but you have to provide the keychain password:

security set-generic-password-partition-list -S "apple-tool:,apple:" -s 'Xerox - B&W (AirPrint)' -k $PASSWORD

See Scripting the Macos Keychain partition-ids for more info.

-Florin

0 Kudos

kacey3
Contributor

Posted on β€Ž04-08-2021 08:32 AM

I stumbled up on this article for a similar error. I am trying to push a network password to our computer so that they can connect to an SMB share without prompting.

The only problem I've run into is that when I send the "security set-generic-password-partition-list" command, it returns an error: "security: SecItemCopyMatching: The specified item could not be found in the keychain."

I have double and triple checked that my set-generic-password-partition-list command is using the same -s as the -l in the initial add-generic-password command, and yet no matter what I do, I keep getting that same error. Any thoughts on this?

0 Kudos

kacey3
Contributor

Posted on β€Ž04-08-2021 08:55 AM

I figured out the problem, and I feel kind of dumb about it!

I was using "security set-generic-password-partition-list" when I should have been using "security set-internet-password-partition-list".

0 Kudos
Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.