
10.4: AirPort and System.keychain password solution
Network
Tiger only hint

I, like many other users, have had the mysterious "Mac OS X wants to use keychain system" dialog box after each reboot, when AirPort tried to access the wireless network for the first time, that refused to accept any known password. There have been some users out there who solved the problem by simply removing the System.keychain from /Library/Keychains/. Some other users suggested creating a new System.keychain with a known password.

I didn't feel comfortable using one of those solutions, because I had the feeling that there must be (1) a reason that there is a System.keychain, and (2) that it doesn't have a keyword that is known by the user. Digging a bit deeper into the system (BTW, I'm a designer and no programmer), I found out that the initial installation of 10.4 (and every subsequent update) contains a postflight script that will create this particular keychain. So my solution was quickly found.

You need to have admin-rights on the Mac you want to update using this hint. Then just:
  1. Make a backup copy of your current System.keychain. In Terminal, type:
    sudo mv /Library/Keychains/System.keychain /Library/Keychains/System.keychain.bak
  2. Use the command from the postflight script to let the system create a fresh keychain:
    sudo /usr/sbin/systemkeychain -C
  3. Reboot.
Since taking these three simple steps, all I had to do was enter the information for my WPA protected AirPort networks once, and everything was up and running like it should be.

10.4: AirPort and System.keychain password solution
Authored by: mindsnare1349 on Mar 23, '06 07:45:36AM

Wasn't exactly this hint posted here a year ago already? I remember I had this problem and got the solution from here ;-)



10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 23, '06 08:43:43AM
There is really no reason to move the system keychain. If it's not being unlocked properly you won't have a use for it after you have moved it. So simply do:
sudo systemkeychain -vfcC
The options are documented here:

http://darwinsource.opendarwin.org/Current/security_systemkeychain-11/src/systemkeychain.cpp

Once you have recreated the keychain you can test if it unlocks properly with:
systemkeychain -vt
The options above have the following meanings:
  • -v = verbose
  • -f = force
  • -c = create if needed
  • -C = setup system
  • -t = test unlock


10.4: AirPort and System.keychain password solution
Authored by: wuf810 on Mar 23, '06 03:14:46PM

Does Keychain First Aid not fix this?



10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 23, '06 08:12:37PM

I'm not sure. I wouldn't use it. According to the Apple download software site for it, it's for MacOSX 10.1 through 10.2.x.



10.4: AirPort and System.keychain password solution
Authored by: irudi on Mar 24, '06 06:07:29AM

Keychain First Aid is included in the Keychain Access application now (at least in 10.4)!



10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 24, '06 09:08:17AM

Ahh... it looks like it checks the login keychain and something it calls the default keychain. I'm not sure it will check and fix the system keychain.



10.4: Keychain First Aid
Authored by: sjk on Mar 24, '06 10:56:07PM
I get output like this running Keychain First Aid (with Verify checked) on 10.4.5:
Verification started
Checking keychain configuration for Know Body (user ID=501)
Home directory is /Users/nobody
Checked login keychain
Checked default keychain
Checked keychain search list
Checked contents of ~/Library/Keychains/login.keychain
Checked contents of ~/Library/Keychains/nobody.keychain
Checked contents of /System/Library/Keychains/X509Anchors
No problems found
Verification completed
I don't know if the System keychain is always excluded or if it was because it's empty on this system.

10.4: AirPort and System.keychain password solution
Authored by: Strych9 on May 20, '06 09:19:12AM

Hello,

When I got this problem, I was tired and deleted the System keychain; the problem was solved but the system.log was showing some errors...

Now, I have done the following and it partly solves my problem. Thanks to mtimmsj!!! :-)

sudo systemkeychain -vfcC
systemkeychain -vt
System unlock is working

Here is what I have after 2 reboots (one cmd-s then a normal with cmd-v).
I verify my keychain via the menu: OK.
I verify the Auth. via Disk Utility Authorisation: OK.

BEFORE REPAIRING I GOT THIS
SystemStarter[9892]: authentication service (9902) did not complete successfully
SystemStarter[9892]: The following StartupItems failed to properly start:
SystemStarter[9892]: /System/Library/StartupItems/AuthServer
SystemStarter[9892]: - execution of Startup script failed
...
kernel[0]: AirPort: Link Active: "onAirPort" - 0030651dd724 - chan 2
configd[83]: SecKeychainFindGenericPassword err= -25308 ( =0xffff9d24, secErrStr=User interaction is not allowed. ) (current= onAirPort)
launchd: Server 0 in bootstrap 1103 uid 0: "/usr/sbin/lookupd"[102]: exited abnormally: Hangup


NOW I GET THIS
SystemStarter[288]: authentication service (298) did not complete successfully
SystemStarter[288]: The following StartupItems failed to properly start:
SystemStarter[288]: /System/Library/StartupItems/AuthServer
SystemStarter[288]: - execution of Startup script failed

If someone can help on this problem, I really don't know what to try.

Maybe it can help; if I run this in Terminal:
Stef:~ Stef$ alias llll 'ls -Fal'
-bash: alias: llll: not found
-bash: alias: ls -Fal: not found

I don't have anything!

SOS SOS :-)



[ Reply to This | # ]
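One way to check system.log for the two symptoms shown in the post above, written as an added example that is not part of the original post. The sample lines are copied from that excerpt; the function names are hypothetical.

```python
import re

# Lines taken from the log excerpt quoted in the post above.
SAMPLE_LOG = """\
SystemStarter[9892]: authentication service (9902) did not complete successfully
SystemStarter[9892]: The following StartupItems failed to properly start:
SystemStarter[9892]: /System/Library/StartupItems/AuthServer
kernel[0]: AirPort: Link Active: "onAirPort" - 0030651dd724 - chan 2
configd[83]: SecKeychainFindGenericPassword err= -25308 ( =0xffff9d24, secErrStr=User interaction is not allowed. ) (current= onAirPort)
"""

# configd reports the failed keychain lookup with the code in decimal and hex.
KEYCHAIN_ERR = re.compile(
    r"configd\[\d+\]: (?P<call>SecKeychain\w+) err= (?P<dec>-?\d+) "
    r"\( =0x(?P<hex>[0-9a-fA-F]{1,8}), secErrStr=(?P<msg>.*?) \) "
    r"\(current= (?P<network>.*)\)"
)
STARTUP_FAIL = re.compile(r"SystemStarter\[\d+\]: (/\S+/StartupItems/\S+)")


def to_signed32(hex_digits):
    """OSStatus is a signed 32-bit value; the log prints it both ways."""
    value = int(hex_digits, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def scan(log_text):
    """Collect keychain lookup failures and failed StartupItems."""
    findings = {"keychain_errors": [], "failed_startup_items": []}
    for line in log_text.splitlines():
        m = KEYCHAIN_ERR.search(line)
        if m:
            code = int(m.group("dec"))
            findings["keychain_errors"].append({
                "call": m.group("call"),
                "code": code,
                "consistent": to_signed32(m.group("hex")) == code,
                "message": m.group("msg"),
                "network": m.group("network"),
            })
            continue
        m = STARTUP_FAIL.search(line)
        if m and m.group(1) not in findings["failed_startup_items"]:
            findings["failed_startup_items"].append(m.group(1))
    return findings
```

A keychain error that names an AirPort network before anyone has logged in points at the System keychain not unlocking; the AuthServer entry is a separate finding that recreating the keychain did not clear in the post above.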
10.4: AirPort and System.keychain password solution
Authored by: eirich on Mar 23, '06 03:35:41PM

I have somewhat of a different problem with Keychain Access in that I used to be able to retrieve such things as wireless network passwords from Keychain Access if for some reason I needed to blow the settings away. I used to do this by simply checking the "Show password" box. Now, no matter which password I put in, my own password or the root password, I simply get a message that I have entered an invalid password. Is there a different System password I don't know about?



10.4: AirPort and System.keychain password solution
Authored by: barefootguru on Mar 23, '06 03:51:15PM

I assume it's because only the system knows the password to the system keychain (though it must be saved somewhere).

I wrote an AppleScript to extract my Airport password from the system keychain:

tell application "Keychain Scripting"
	tell keychain "System.keychain"
		set TheKey to "" & (password of first key whose name is "xxx")
	end tell
end tell

set the clipboard to TheKey

display dialog "Copied " & length of TheKey & " chars to clipboard." with icon note buttons {"OK"} default button "OK"

Replace xxx with your network name.


10.4: AirPort and System.keychain password solution
Authored by: eirich on Mar 23, '06 08:05:37PM

That works like a charm on my home network, but not so well for WPA-PSK TKIP secured networks. I know what those passwords are on my computer, and it's just a phrase, but the script returns a string of numbers.

I just have to wonder why there has been a change to access the System Keychain items. And why show "Show password" if we can't get them that way anyway?

Thanks barefootguru. I at least have this script to get my home network if it gets lost.



10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 23, '06 08:36:58PM

My understanding of the System keychain is that it is used to store passwords for things that may be needed before you (or any user) log in.

For example, let's say you power on a PowerBook and the AirPort is up, so it scans for configured networks and finds one. The system can then use the password saved in the system keychain to associate and connect to that network. All this happens before you log in.

Since these are global, the safest way to handle them is to use a password only the system knows. No users know what the system keychain password is, so no users can find out what the wireless network passwords are. That's the theory at least. It looks like barefootguru found a way around it. That's a security hole if you ask me. I wouldn't want just anyone being able to look at the stuff saved in the system keychain. At least they provide a pop-up asking if this is really what you want to allow to happen. If you really want to hang script editor try clicking on Deny when the "Confirm Access to Keychain" pop-up appears.

The reason that WPA-PSK TKIP secured networks return a string of numbers is because those passwords are run through a hashing algorithm prior to being saved to the keychain. This is normal. This is then used to generate keys for TKIP.



[ Reply to This | # ]
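The hashing step mentioned in the comment above matches the standard WPA-PSK derivation, where the passphrase is stretched into a 256-bit key with PBKDF2-HMAC-SHA1 and the SSID as salt. This is an added example, not part of the original post; that the keychain item holds exactly this value is an assumption, and the function names are hypothetical.

```python
import hashlib
import hmac

WPA_ITERATIONS = 4096  # iteration count fixed by IEEE 802.11i
WPA_PSK_BYTES = 32     # 256-bit pre-shared key
HEX_DIGITS = set("0123456789abcdefABCDEF")


def validate_passphrase(passphrase):
    """WPA passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase.encode("ascii")


def derive_psk(passphrase, ssid):
    """Return the pre-shared key as 64 hex digits."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    psk = hashlib.pbkdf2_hmac(
        "sha1", validate_passphrase(passphrase), ssid_bytes,
        WPA_ITERATIONS, WPA_PSK_BYTES,
    )
    return psk.hex()


def classify_stored_secret(value):
    """Tell a stored 64-hex-digit key apart from a typed passphrase."""
    if len(value) == 64 and set(value) <= HEX_DIGITS:
        return "derived-psk"
    return "passphrase"


def passphrase_matches(passphrase, ssid, stored_hex):
    """Confirm a remembered passphrase against a stored derived key."""
    return hmac.compare_digest(derive_psk(passphrase, ssid), stored_hex.lower())
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, and the stored value cannot be turned back into the phrase; a remembered phrase can only be confirmed against it.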
10.4: AirPort and System.keychain password solution
Authored by: eirich on Mar 23, '06 09:19:15PM

Yep. I figured as much but my tired, muddled brain didn't want to come up with something to write that showed I understood this already. Still though, previous versions of OS X allowed one to retrieve this information so why the change? I still had to put in a password to get it before. It's not like someone is going to get that information without mine or root's password. But really, it's more of an annoyance than anything else.



10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 24, '06 09:14:31AM

I would think it's a form of security through obscurity. Such forms of security almost always turn out to be more annoying and not so secure to begin with.



10.4: AirPort and System.keychain password solution
Authored by: Gigacorpse on Mar 24, '06 06:45:23AM

"Since these are global, the safest way to handle them is to use a password only the system knows."

Is it possible to manually create a system keychain WITH a known good password?



10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 24, '06 09:11:57AM

Yes, it looks like you can use the -k option to set a specific system password. I don't have admin access to my Mac, so I can't test it.



10.4: AirPort and System.keychain password solution
Authored by: barefootguru on Mar 24, '06 01:19:16PM
Yeah, see Scott's blog. I dunno if there's a downside to this.

10.4: AirPort and System.keychain password solution
Authored by: barefootguru on Mar 23, '06 04:00:55PM

I used the same trick to fix an application crash (slightly different options, but the definitive ones have been listed here).

System Preferences was crashing whenever I tried to view the Airport options. I also couldn't connect to a client's network, even entering the network name and password manually.

Turns out the system keychain must have been corrupt, and deleting it and re-entering the 2 airport networks fixed both problems.



10.4: AirPort and System.keychain password solution
Authored by: scott.gardner on Mar 24, '06 12:23:07AM

I am having a new and similar issue with the Keychain and AirPort or Ethernet mobile user connections to OS X Server. The "Mac OS X wants to use your Keychain..." dialog box pops up after attempting to log in post restart/power-on. Entering the Keychain password (identical to login password) facilitates successful login. I tried this hint, didn't work. Any ideas?



10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 24, '06 09:18:14AM

Which keychain is being accessed? It is possible to store these passwords in the login keychain if the system keychain is no longer available.

Once you know the exact keychain the item is in, double click on it in Keychain Access and an info window will open for it. Click on the Access Control tab and see what options are set for it. Maybe the "Ask for Keychain password" checkbox is checked.



10.4: AirPort and System.keychain password solution
Authored by: scott.gardner on Mar 25, '06 06:47:13PM

The system was requesting access to login.keychain. Keychain Access was acting erratically (e.g., duplicating keychains, removing one keychain when I selected to remove a different one, repetitively prompting for password authentications, etc.). So, I zapped my user account (an OS X Server mobile account) and restarted. Good as new.



10.4: AirPort and System.keychain password solution
Authored by: kenbrown on Jul 12, '07 08:55:02PM
Great solution! The "whose" operator doesn't work for me with 10.4.10's Keychain Scripting (though it sure looks like it should). Here's a slightly different version that does work by using an explicit loop:
display dialog "What key?" default answer ""
set theKeyName to the text returned of the result
-- Start with an empty value so a name that matches no key does not
-- leave TheKeyValue undefined when it is used below
set TheKeyValue to ""
tell application "Keychain Scripting"
   tell keychain "System.keychain"
      set theKeyList to every key
      -- Explicit loop in place of the "whose" filter
      repeat with k in theKeyList
         if the name of k is theKeyName then
            set TheKeyValue to the password of k
         end if
      end repeat
   end tell
end tell

set the clipboard to TheKeyValue

display dialog "Copied " & length of TheKeyValue & " chars to clipboard." with icon note buttons {"OK"} default button "OK"

