Skip to main content
Jamf Nation, hosted by Jamf, is a dynamic and knowledgeable community of Apple-focused IT admins and Jamf Pro users. Join us in person, in October, for the annual Jamf Nation User Conference (JNUC) to discover new and better ways to manage Apple devices.
2

Yet another Keychain & Security command line tool question

Posted: 11/30/16 at 11:19 PM by mbootes

Hey,
One of the regular problems that our helpdesk experiences is incorrect usernames/ passwords being used for printing services. I've been trying to write a script to put in self service that will get a user's wifi username and password from the keychain, remove the old entries for the printers, and then add them again with the WiFi password (which we assume is correct at this stage).

Here is what I have so far...

#!/bin/bash
#Check if there is an "acct" in the response - if not then the wifi credentials for SSID can't be found.
wifi=$(security find-generic-password -D '802.1X Password' -l 'SSID' 2>&1 | grep "acct")

if [ ! -z "$wifi" ]; then
    echo "I found it!"
    #Get the account name used for wifi
    username=$(security find-generic-password -D '802.1X Password' -l 'SSID' -g 2>&1 | grep acct | sed -e 's/.*"\(.*\)"/\1/')
    #get the password used for wifi
    wifipwd=$(security find-generic-password -D '802.1X Password' -l 'SSID' -w)

    #Delete the 4 xerox printers
    security delete-generic-password -l 'Xerox - B&W (AirPrint)'
    security delete-generic-password -l 'Xerox - B&W (Advanced) @ Mac Server 2'
    security delete-generic-password -l 'Xerox - Colour (AirPrint)'
    security delete-generic-password -l 'Xerox - Colour (Advanced) @ Mac Server 2'
    #Recreate the 4 xerox printers
    security add-generic-password -a $username -s "Xerox - B&W (AirPrint)" -w $wifipwd -D 'Network Password' -l 'Xerox - B&W (AirPrint)' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a $username -s "Xerox - B&W (Advanced) @ Mac Server 2" -w $wifipwd -D 'Network Password' -l 'Xerox - B&W (Advanced) @ Mac Server 2' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a $username -s "Xerox - Colour (AirPrint)" -w $wifipwd -D 'Network Password' -l 'Xerox - Colour (AirPrint)' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
    security add-generic-password -a $username -s "Xerox - Colour (Advanced) @ Mac Server 2" -w $wifipwd -D 'Network Password' -l 'Xerox - Colour (Advanced) @ Mac Server 2' -T /System/Library/CoreServices/NetAuthAgent.app -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent -T group://NetAuth -T /usr/bin/security -U
else
    echo "Its not there!"
fi

Now the problem that I'm having: no matter if I specify an application with the -T option on the security command (give an application permissions to access that keychain item), the user gets a prompt when trying to print for the first time with that same application (NetAuthSysAgent) tries to access the keychain.
If I check my keychain access the application is there in the access control list.
Furthermore I did some testing by dumping the keychain access control list with

 dump-keychain -a login.keychain

Here is the difference between the keychain item that doesn't prompt:

keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db" version: 512 class: "genp" attributes: 0x00000007 <blob>="Xerox - B&W (AirPrint)" 0x00000008 <blob>=<NULL> "acct"<blob>="USERNAME" "cdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z\000" "crtr"<uint32>=<NULL> "cusi"<sint32>=<NULL> "desc"<blob>="Network Password" "gena"<blob>=<NULL> "icmt"<blob>=<NULL> "invi"<sint32>=<NULL> "mdat"<timedate>=0x32303136313230313031303533385A00 "20161201010538Z\000" "nega"<sint32>=<NULL> "prot"<blob>=<NULL> "scrp"<sint32>=<NULL> "svce"<blob>="Xerox - B&W (AirPrint)" "type"<uint32>=<NULL> access: 5 entries entry 0: authorizations (1): encrypt don't-require-password description: Xerox - B&W (AirPrint) applications: <null> entry 1: authorizations (6): decrypt derive export_clear export_wrapped mac sign don't-require-password description: Xerox - B&W (AirPrint) applications (4): 0: /System/Library/CoreServices/NetAuthAgent.app (OK) 1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK) 2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth\000" 3: /usr/bin/security (OK) entry 2: authorizations (1): integrity don't-require-password description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8 applications: <null> entry 3: authorizations (1): partition_id don't-require-password description: apple-tool:, apple: applications: <null> entry 4: authorizations (1): change_acl don't-require-password description: Xerox - B&W (AirPrint) applications (0):

And the keychain that does prompt (before i clicked always allow on the prompt):

keychain: "/Users/USERNAME/Library/Keychains/login.keychain-db" version: 512 class: "genp" attributes: 0x00000007 <blob>="Xerox - B&W (AirPrint)" 0x00000008 <blob>=<NULL> "acct"<blob>="USERNAME" "cdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z\000" "crtr"<uint32>=<NULL> "cusi"<sint32>=<NULL> "desc"<blob>="Network Password" "gena"<blob>=<NULL> "icmt"<blob>=<NULL> "invi"<sint32>=<NULL> "mdat"<timedate>=0x32303136313230313031333330315A00 "20161201013301Z\000" "nega"<sint32>=<NULL> "prot"<blob>=<NULL> "scrp"<sint32>=<NULL> "svce"<blob>="Xerox - B&W (AirPrint)" "type"<uint32>=<NULL> access: 5 entries entry 0: authorizations (6): decrypt derive export_clear export_wrapped mac sign don't-require-password description: Xerox - B&W (AirPrint) applications (4): 0: /System/Library/CoreServices/NetAuthAgent.app (OK) 1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK) 2: 0x67726F75703A2F2F4E65744175746800 "group://NetAuth\000" 3: /usr/bin/security (OK) entry 1: authorizations (1): encrypt don't-require-password description: Xerox - B&W (AirPrint) applications: <null> entry 2: authorizations (1): integrity don't-require-password description: e600621541e120ae156b9f5c3e317727b55f61597180255da2e18790eee617b8 applications: <null> entry 3: authorizations (1): partition_id don't-require-password description: apple-tool: applications: <null> entry 4: authorizations (1): change_acl don't-require-password description: Xerox - B&W (AirPrint) applications (0):

My testing so far seems to suggest that the -T option just doesn't work... has anybody had any experience with this?

2
CCA Badge

Posted: 12/1/16 at 9:50 AM by mm2270

Edit: Oops! Never mind. I see that you do have the full path as well. I didn't scroll over far enough before. Have you tried it with just the full path and not the bundle as well? I'm wondering if its only adding in the first one and ignoring the others.

Leaving original post here just for reference:

I may be wrong, but I believe when using the -T option with security, you need to specify the full path to the actual executable in the app bundle, not the app bundle itself.
In your script, you have the following path after -T

/System/Library/CoreServices/NetAuthAgent.app

I believe it should be:

/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent

Meaning, the full path to the executable inside the 'MacOS' directory. I would try it that way and see if it helps.

Posted: 12/1/16 at 7:15 PM by mbootes

Hi,
Thanks for the advice.
I'll give it a go. I hadn't tried that because the items are showing up in both Keychain Manager & the dump.