I stumbled upon this using Tunnelblick and Viscosity. When adding a configuration to those VPN tools, it is possible in the GUI during the first connect to specify user & pass and save them in the keychain. The next connections will then use the saved credentials from the keychain.
However, if I change the password in the keychain using the security terminal command (add-generic-password -U -s -a -w) or via the Keychain Access application, both Tunnelblick and Viscosity will afterwards show the "Permission to access keychain: [Allow, Allow always, cancel]" dialog the next time I try connecting.
Is there any way to prevent this dialog?
- I looked a bit in the Tunnelblick source code, but couldn't find a check for "keychain tampering" or anything that could force this dialog from Tunnelblick's side.
- Is it a configurable OS-level protection?
Best Answer
For macOS Sierra:
To add an object and allow access (with user prompt), use the "-T Application" option. (Several applications can be used)
Then to allow access without user prompt you need to modify the ACL for the object:
The partition-list syntax is not very well documented. You might be able to see how Tunnelblick uses the ACL from the output of "security dump-keychain".
Source: man security
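The two steps the answer describes, as an added shell example that is not part of the original answer or of Tunnelblick's code. The function names are hypothetical, and the service, account, application path and partition list are caller-supplied assumptions; take the partition list from what `security dump-keychain` shows for the item.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are
# hypothetical; all four values are supplied by the caller.

# Step 1: store or update (-U) a generic password and trust one application
# (-T). -w comes last with no value so `security` prompts for the secret
# instead of reading it from the command line, where it would be visible
# in the process list.
kc_store() {    # kc_store SERVICE ACCOUNT APP_PATH
    [ "$#" -eq 3 ] || { echo "usage: kc_store SERVICE ACCOUNT APP_PATH" >&2; return 2; }
    [ -e "$3" ] || { echo "no such application: $3" >&2; return 1; }
    security add-generic-password -U -s "$1" -a "$2" -T "$3" -w
}

# Step 2: set the item's partition list so that matching code is not
# prompted. -k is omitted on purpose, so `security` asks for the keychain
# password. Every entry added here widens who can read the item silently,
# so keep the list as short as the item needs.
kc_set_partitions() {    # kc_set_partitions SERVICE ACCOUNT PARTITION_LIST
    [ "$#" -eq 3 ] || { echo "usage: kc_set_partitions SERVICE ACCOUNT PARTITION_LIST" >&2; return 2; }
    [ -n "$3" ] || { echo "empty partition list" >&2; return 1; }
    security set-generic-password-partition-list -s "$1" -a "$2" -S "$3"
}

# Both steps in order. The ACL is only touched if the item was stored.
kc_store_unprompted() {    # kc_store_unprompted SERVICE ACCOUNT APP_PATH PARTITION_LIST
    [ "$#" -eq 4 ] || { echo "usage: kc_store_unprompted SERVICE ACCOUNT APP_PATH PARTITION_LIST" >&2; return 2; }
    kc_store "$1" "$2" "$3" && kc_set_partitions "$1" "$2" "$4"
}
```

Run `security dump-keychain -a` afterwards to confirm the item's access entries list only the application you intended.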