Script to delete keychain entry

peter_gladden
New Contributor

Our student MacBooks (El Capitan) are not bound to our Active Directory. However, the students need to use their Active Directory user ID and password to print to a networked printer, which is set up on our Windows print server. Sometimes a student will enter an incorrect password when initially printing and save it to the keychain. The manual process to delete it is easy. However, I'd like to create a script policy that I can add to Self Service so the students can use it. The keychain entry is a "network password" for our print server, so it's easy enough to find and delete.

I'm new to the Apple scripting but want to learn more about it.

I would appreciate any assistance in writing the correct script that I can add to a policy in self-service.


mjsanders
New Contributor III

Before you start scripting: you'd better educate students on how to use the keychain, since they are local admins and will probably add many passwords to their keychains.
But the basic bash command to manage the keychain is 'security', and the option you are looking for is 'find-internet-password' or 'delete-internet-password'; the command's output is not easy to understand or to parse, though. See these blogs I found (some may be outdated, but they look similar to my experience): Blog one or Blog two

AppleScript support for scripting the keychain has been gone since 10.7. Some 3rd-party add-ons have some options, but their last update is for 10.9.1, so the status of these tools on macOS Sierra is unknown.

From the man page for the security command:

find-internet-password [-h] [-a account] [-s server] [options...] [-g]
     [keychain...]
            Find an internet password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -d securityDomain
                            Match securityDomain string
            -D kind         Match kind string
            -j comment      Match comment string
            -l label        Match label string
            -p path         Match path string
            -P port         Match port number
            -r protocol     Match protocol (four-character code)
            -s server       Match server string
            -t authenticationType
                            Match authenticationType (four-character code)
            -g              Display the password for the item found
            -w              Display the password(only) for the item found

And then 'security delete-internet-password' with the proper options will delete the wrong keys.
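As an added example (not from the thread), here is a Self Service style script built from the two 'security' subcommands above: it finds the print server's "Network Password" item, pulls the stored account out of the attribute dump that is awkward to parse, and deletes the item from the console user's login keychain rather than root's. The server name and the sample attribute dump are constructed placeholders.

```shell
#!/bin/sh
# Added example: find and delete a saved print-server credential from the
# logged-in user's login keychain. SERVER is a placeholder for the real FQDN.
SERVER="printserver.example.edu"

# Pull one <blob> attribute (acct, srvr, desc, ...) out of the dump printed by
# "security find-internet-password"; lines look like  "acct"<blob>="DOMAIN\user"
keychain_attr() {
    # $1 = attribute name, stdin = security output; <NULL> values print nothing
    sed -n "s/^ *\"$1\"<blob>=\"\(.*\)\"\$/\1/p"
}

# Jamf runs policy scripts as root, but the student's item lives in *their*
# login keychain, so run "security" as the console user when we are root.
run_as_console_user() {
    user=$(stat -f%Su /dev/console 2>/dev/null)
    if [ "$(id -u)" -eq 0 ] && [ -n "$user" ] && [ "$user" != "root" ]; then
        sudo -u "$user" "$@"
    else
        "$@"
    fi
}

# Delete every matching "Network Password" item for SERVER (a student may have
# saved more than one). Returns 0 when nothing is left, 1 if a delete failed.
delete_print_password() {
    while out=$(run_as_console_user security find-internet-password \
                  -r "smb " -D "Network Password" -s "$SERVER" 2>/dev/null); do
        acct=$(printf '%s\n' "$out" | keychain_attr acct)
        printf 'Removing saved credential for %s on %s\n' "${acct:-unknown}" "$SERVER"
        run_as_console_user security delete-internet-password \
            -r "smb " -D "Network Password" -s "$SERVER" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Constructed sample of the dump format, used below to exercise the parser.
SAMPLE_DUMP='keychain: "/Users/student/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="CAMPUS\student1"
    "desc"<blob>="Network Password"
    "icmt"<blob>=<NULL>
    "ptcl"<uint32>="smb "
    "srvr"<blob>="printserver.example.edu"'
if [ "${1:-}" = "--delete" ]; then
    delete_print_password
else
    printf '%s\n' "$SAMPLE_DUMP" | keychain_attr acct   # prints CAMPUS\student1
fi
```

Run it with `--delete` from the policy; without arguments it only shows the parser on the sample dump.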

jmartinez0837
New Contributor

I made a policy that does just what you want. It runs a script that prompts for the user's username and password and writes it to the keychain. If there is an existing record, it will delete and recreate it. I added it below. Let me know if you have any questions; maybe we can work together to get it working in your environment.

#!/bin/sh

# Print server and AD domain: placeholders from the original post, fill in your own.
SERVER="serverFQDN"
DOMAIN="riverdale"

# Policies run as root, so plain "security" calls would act on root's keychain.
# Run the keychain commands as the logged-in (console) user instead.
CONSOLE_USER=$(stat -f%Su /dev/console 2>/dev/null)
if [ "$(id -u)" -eq 0 ] && [ -n "$CONSOLE_USER" ] && [ "$CONSOLE_USER" != "root" ]; then
    AS_USER="sudo -u $CONSOLE_USER"
else
    AS_USER=""
fi

# Function to get the username and password from the user; the password is entered twice and must match
Get_Data ()
{
    USER1=$(osascript -e '
    tell application "System Events"
        display dialog "Enter your yourSchool Username" & return & "(Do not include @yourSchool.edu)" default answer "" buttons {"Cancel","OK"} default button 2
        set USER1 to the (text returned of the result)
    end tell')

    # Check status of osascript (non-zero when the user clicks Cancel)
    if [ "$?" != "0" ] ; then
        echo "User aborted. Exiting..."
        exit 1
    fi

    PASS="Not Set"
    PASS2=""
    while [ "$PASS" != "$PASS2" ]
    do
        PASS=$(osascript -e '
        tell application "System Events"
            display dialog "Enter your yourSchool Password" default answer "" hidden answer TRUE buttons {"Cancel","OK"} default button 2
            set PASS to the (text returned of the result)
        end tell')

        # Check status of osascript
        if [ "$?" != "0" ] ; then
            echo "User aborted. Exiting..."
            exit 1
        fi

        PASS2=$(osascript -e '
        tell application "System Events"
            display dialog "Verify your yourSchool Password" default answer "" hidden answer TRUE buttons {"Cancel","OK"} default button 2
            set PASS2 to the (text returned of the result)
        end tell')

        # Check status of osascript
        if [ "$?" != "0" ] ; then
            echo "User aborted. Exiting..."
            exit 1
        fi

        if [ "$PASS" != "$PASS2" ]; then
            osascript -e '
            tell application "System Events"
                display dialog "Passwords do not match. Please try again" buttons "OK" default button 1
            end tell'
        fi
    done # end while
}

Create_Keychain ()
{
    # Create the keychain item from the entered USER1 and PASS.
    # The account is DOMAIN\user; "\\" inside double quotes yields one backslash.
    # The -T options let the network authentication agent read the item without prompting.
    # Note: -w "$PASS" puts the password on the command line, so it is visible in the
    # process list for the moment the command runs.
    echo "Creating new keychain record..."
    $AS_USER security add-internet-password -s "$SERVER" -l "$SERVER" -a "$DOMAIN\\$USER1" -w "$PASS" -D "Network Password" -r "smb " \
        -T "/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent" \
        -T "/System/Library/CoreServices/NetAuthAgent.app" -T "group://NetAuth"
}

# Call Get_Data function
Get_Data

# If an item for the server already exists, delete it before recreating it
if $AS_USER security find-internet-password -r "smb " -D "Network Password" -s "$SERVER" >/dev/null 2>&1; then
    echo "Deleting existing keychain record..."
    $AS_USER security delete-internet-password -r "smb " -D "Network Password" -s "$SERVER" >/dev/null 2>&1
fi

Create_Keychain

# Exit
exit 0

betty02
New Contributor II

@jmartinez0837

Tried to get this to work: copied the script and saved it as a .sh, stuck it in admin, then in a policy in Self Service, clicked "fix", and then nothing happens :( Anything for me to look at?