Keychain Access – Remote Management via Command Line

keychainsshterminal

I am storing various passwords (e.g. for remote email servers) in my keychain.
From the command line, when logged in locally, I can retrieve these via:

security unlock-keychain ~/Library/Keychains/login.keychain
<enter password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com
<dumps keychain attributes, not including password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com -g
<dumps keychain attributes, including password>

However, the results cannot be achieved when run remotely (ssh'ing in to the
box from somewhere else):

security unlock-keychain ~/Library/Keychains/login.keychain
<enter password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com
<dumps keychain attributes, not including password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com -g
<nothing printed, to stdout or stderr>

Moreover, the return value of the final command (using -g) is 36.

I've dumped the output of set from a local login and compared it to a remote
one, and the missing environment variables are:

Apple_PubSub_Socket_Render
GPG_AGENT_INFO
SECURITYSESSIONID
TERM_PROGRAM
TERM_PROGRAM_VERSION
TERM_SESSION_ID
XPC_FLAGS
XPC_SERVICE_NAME

What am I missing? I do have SSH_AUTH_SOCK set to a valid value (returned
from ssh-agent).

Best Answer

In reproducing this to investigate, I notice that I have my keychain configured to “Confirm before allowing access.” So when I perform the find-internet-password locally with the -g flag, I get a dialog box stating security wants to use your confidential information stored in “smtp.gmail.com” in your keychain. If I click “Allow” then it works, if I click “Deny” it fails similarly to the ssh case, with a return code of 51. Access confirmation dialog

When I try the command remotely via ssh, the -g immediately results in failure, with the status of 36 that you are reporting.

I suspect that this is because, when you ssh in, there is no way for the system to pop up a dialog box allowing you to confirm that you want to allow the security command to access this information.

I was able to get the command to work while connected by ssh by first clicking the “Always Allow” option when running the command locally. This updates the permissions in Keychain so that I no longer need to respond to the dialog (even locally), which allows it to work remotely too.

I don’t know if this will be entirely helpful to you, however, as I think it means you will need to preemptively grant the security program access to any keychain items you may want to access remotely. It may be possible to write a script to do this?

If you are experimenting with this manually and later want to revoke this access, you can go to the affected item in Keychain Access, choose Get Info and look at the Access Control tab. You will see an entry for security there, which you can delete: Access Control Dialog

Related Solutions

How to choose keys in keychain access

Put your per-server SSH-configuration into ~/.ssh/config like this:

Host useKeyOnly.net
user sshuser 
Identityfile ~/.ssh/mykey1
IdentitiesOnly yes

Host usePasswordOnly.org
PubkeyAuthentication no
Port 53221
user root

What’s the password to the System keychain

The login (user account) password isn't stored in keychain access, but keychain access automatically adopts the user account password as the keychain access password by default.

So, your password for keychain access is most likely the same as the login password.

There is no default password in mac, the user creates one on install. If your mac was provided already installed, there was likely an assigned password created by the admin, perhaps associated with AD. If you reinstalled OSX, it would not have wiped the password, but if you formatted the harddrive, then reinstalled OSX, you would have created a new password.

Best Answer

Related Solutions

How to choose keys in keychain access

What’s the password to the System keychain

Related Question