Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the '10.4: AirPort and System.keychain password solution' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.4: AirPort and System.keychain password solution
Authored by: eirich on Mar 23, '06 03:35:41PM

I have somewhat of a different problem with Keychain Access in that I used to be able to retrieve such things as wireless network passwords from Keychain Access if for some reason I needed to blow the settings away. I used to do this by simply checking the "Show password" box. Now, not matter which password I put in, my own password or the root password, I simply get a message that I have entered an invalid password. Is there a different System password I don't know about?



[ Reply to This | # ]
10.4: AirPort and System.keychain password solution
Authored by: barefootguru on Mar 23, '06 03:51:15PM

I assume it's because only the system knows the password to the system keychain (though it must be saved somewhere).

I wrote an AppleScript to extract my Airport password from the system keychain:

tell application "Keychain Scripting"
	tell keychain "System.keychain"
		set TheKey to "" & (password of first key whose name is "xxx")
	end tell
end tell

set the clipboard to TheKey

display dialog "Copied " & length of TheKey & " chars to clipboard." with icon note buttons {"OK"} default button "OK"

Replace xxx with your network name.

[ Reply to This | # ]

10.4: AirPort and System.keychain password solution
Authored by: eirich on Mar 23, '06 08:05:37PM

That works like a charm on my home network, but not so well for WPA-PSK TKIP secured networks. I know what those passwords are on my computer, and it's just a phrase, but the script returns a string of numbers.

I just have to wonder why there has been a change to access the System Keychain items. And why show "Show password" if we can't get them that way anyway?

Thanks barefootguru. I at least have this script to get my home network if it gets lost.



[ Reply to This | # ]
10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 23, '06 08:36:58PM

My understanding of the System keychain is that it is used to store passwords for things that may be needed before you (or any user) logs in.

For example, lets say you power on a powerbook and the aiport is up so it scans for configured networks and finds one. The system can then use the password saved in the system keychain to associate and connect to that network. All this happens before you log in.

Since these are global, the safest way to handle them is to use a password only the system knows. No users know what the system keychain password is, so no users can find out what the wireless network passwords are. That's the theory at least. It looks like barefootguru found a way around it. That's a security hole if you ask me. I wouldn't want just anyone being able to look at the stuff saved in the system keychain. At least they provide a pop-up asking if this is really what you want to allow to happen. If you really want to hang script editor try clicking on Deny when the "Confirm Access to Keychain" pop-up appears.

The reason that WPA-PSK TKIP secured networks return a string of numbers is because those passwords are run through a hashing algorithm prior to being saved to the keychain. This is normal. This is then used to generate keys for TKIP.



[ Reply to This | # ]
10.4: AirPort and System.keychain password solution
Authored by: eirich on Mar 23, '06 09:19:15PM

Yep. I figured as much but my tired, muddled brain didn't want to come up with something to write that showed I understood this already. Still though, previous versions of OS X allowed one to retrieve this information so why the change? I still had to put in a password to get it before. It's not like someone is going to get that information without mine or root's password. But really, it's more of an annoyance than anything else.



[ Reply to This | # ]
10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 24, '06 09:14:31AM

I would think it's a form of security through obscurity. Such forms of security almost always turn out to be more annoying and not so secure to begin with.



[ Reply to This | # ]
10.4: AirPort and System.keychain password solution
Authored by: Gigacorpse on Mar 24, '06 06:45:23AM

"Since these are global, the safest way to handle them is to use a password only the system knows."

Is it possible to manually create a system keychain WITH a known good password?



[ Reply to This | # ]
10.4: AirPort and System.keychain password solution
Authored by: mtimmsj on Mar 24, '06 09:11:57AM

Yes, it looks like you can use the -k option to set a specific system password. I don't have admn access to my Mac, so I can't test it.



[ Reply to This | # ]
10.4: AirPort and System.keychain password solution
Authored by: barefootguru on Mar 24, '06 01:19:16PM
Yeah, see Scott's blog. I dunno if there's a downside to this.

[ Reply to This | # ]