I am storing various passwords (e.g. for remote email servers) in my keychain.
From the command line, when logged in locally, I can retrieve these via:
security unlock-keychain ~/Library/Keychains/login.keychain
<enter password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com
<dumps keychain attributes, not including password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com -g
<dumps keychain attributes, including password>
However, the results cannot be achieved when run remotely (ssh'ing in to the
box from somewhere else):
security unlock-keychain ~/Library/Keychains/login.keychain
<enter password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com
<dumps keychain attributes, not including password>
security find-internet-password -s smtp.gmail.com -a foo@gmail.com -g
<nothing printed, to stdout or stderr>
Moreover, the return value of the final command (using -g) is 36.
I've dumped the output of set
from a local login and compared it to a remote
one, and the missing environment variables are:
Apple_PubSub_Socket_Render
GPG_AGENT_INFO
SECURITYSESSIONID
TERM_PROGRAM
TERM_PROGRAM_VERSION
TERM_SESSION_ID
XPC_FLAGS
XPC_SERVICE_NAME
What am I missing? I do have SSH_AUTH_SOCK
set to a valid value (returned
from ssh-agent
).
Best Answer
In reproducing this to investigate, I notice that I have my keychain configured to “Confirm before allowing access.” So when I perform the
find-internet-password
locally with the-g
flag, I get a dialog box stating security wants to use your confidential information stored in “smtp.gmail.com” in your keychain. If I click “Allow” then it works, if I click “Deny” it fails similarly to thessh
case, with a return code of51
.When I try the command remotely via
ssh
, the-g
immediately results in failure, with the status of36
that you are reporting.I suspect that this is because, when you
ssh
in, there is no way for the system to pop up a dialog box allowing you to confirm that you want to allow thesecurity
command to access this information.I was able to get the command to work while connected by
ssh
by first clicking the “Always Allow” option when running the command locally. This updates the permissions in Keychain so that I no longer need to respond to the dialog (even locally), which allows it to work remotely too.I don’t know if this will be entirely helpful to you, however, as I think it means you will need to preemptively grant the
security
program access to any keychain items you may want to access remotely. It may be possible to write a script to do this?If you are experimenting with this manually and later want to revoke this access, you can go to the affected item in Keychain Access, choose Get Info and look at the Access Control tab. You will see an entry for
security
there, which you can delete: