This repository has been archived by the owner on Dec 2, 2022. It is now read-only.

Keychain minder does not accept password El Capitan 11.3 #10

Closed
SillySalamander opened this issue Mar 17, 2016 · 7 comments

@SillySalamander

Keychain minder is not accepting correct password in either forgot password or know password options.

@russellhancox
Contributor

Are the affected users' accounts 'Standard' non-admin accounts?

@SillySalamander
Author

hey!

they are standard users and network accounts

To simulate, I changed the user's password directly in Active Directory, so that the user logs in with a different password than their keychain. keychainminder comes up first thing in front of everything (awesome) but the password does not work. I'll try with an admin account now and let you know.

@russellhancox
Contributor

Oddly, we just noticed this issue ourselves a few minutes ago and have a fix prepared. Watch this space!

@SillySalamander
Author

haha wow that's awesome. how ironic that free software is better supported than Apple's OS or anything Microsoft. thank you very much

tburgin added a commit that referenced this issue Mar 17, 2016
`system.login.tty` uses the `default` rule which requires `admin` group membership.

`security authorizationdb read system.login.tty`

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>created</key>
	<real>477499297.08687699</real>
	<key>modified</key>
	<real>477499297.08687699</real>
	<key>rule</key>
	<array>
		<string>default</string>
	</array>
	<key>version</key>
	<integer>1</integer>
</dict>
</plist>
```

`security authorizationdb read default`

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>allow-root</key>
	<false/>
	<key>authenticate-user</key>
	<true/>
	<key>class</key>
	<string>user</string>
	<key>comment</key>
	<string>Default rule.
            Credentials remain valid for 5 minutes after they've been obtained.
            An acquired credential is shared by all clients.
			</string>
	<key>created</key>
	<real>477499297.08687699</real>
	<key>group</key>
	<string>admin</string>
	<key>modified</key>
	<real>477499297.08687699</real>
	<key>session-owner</key>
	<false/>
	<key>shared</key>
	<true/>
	<key>timeout</key>
	<integer>300</integer>
	<key>tries</key>
	<integer>10000</integer>
	<key>version</key>
	<integer>0</integer>
</dict>
</plist>
```

To fix this we will use the `authenticate` right to check the user's password. This seems to work okay in testing. We should keep an eye on this in case a calling loop occurs because `KeychainMinder:check,privileged` is a part of `authenticate`.

Associated Issues:
  *  #10
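
The rule lookup described in the commit message above, as an added example that is not part of the commit or of the Keychain Minder project: it follows a right through `class` = `rule` delegations and reports which group membership the final `user` rule demands. The `SAMPLE_DB` entries are trimmed copies of the two outputs quoted above, the function names are hypothetical, and the evaluation is simplified (every delegated rule is treated as required, and `session-owner` is ignored).

```python
import plistlib

# Constructed sample: trimmed copies of the two `security authorizationdb read`
# outputs quoted above. On a Mac the same bytes would come from running that
# command once per right or rule name.
SAMPLE_DB = {
    "system.login.tty": b"""<plist version="1.0"><dict>
        <key>class</key><string>rule</string>
        <key>rule</key><array><string>default</string></array>
    </dict></plist>""",
    "default": b"""<plist version="1.0"><dict>
        <key>class</key><string>user</string>
        <key>authenticate-user</key><true/>
        <key>group</key><string>admin</string>
        <key>session-owner</key><false/>
    </dict></plist>""",
}


def required_groups(right, db, _seen=None):
    """Follow class=rule delegations; return the groups the caller must be in."""
    seen = _seen if _seen is not None else set()
    if right in seen:  # stop if a rule ends up referencing itself
        return set()
    seen.add(right)
    entry = plistlib.loads(db[right])
    if entry.get("class") == "rule":
        groups = set()
        for name in entry.get("rule", []):
            groups |= required_groups(name, db, seen)
        return groups
    if entry.get("class") == "user" and "group" in entry:
        return {entry["group"]}
    return set()


def user_can_obtain(right, db, user_groups):
    """True when the user's groups cover every group the resolved rule demands."""
    return required_groups(right, db) <= set(user_groups)


if __name__ == "__main__":
    print("system.login.tty requires:", required_groups("system.login.tty", SAMPLE_DB))
    print("standard user passes:", user_can_obtain("system.login.tty", SAMPLE_DB, ["staff"]))
```
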
@tburgin
Member

tburgin commented Mar 24, 2016

@SillySalamander This latest pull request should clear up the issue completely. Once approved we will post a new release and binaries.

@ScarabMonkey

Any news on a new release?

@tburgin
Member

tburgin commented Jun 22, 2016

Just posted v1.6

tburgin closed this as completed Jun 22, 2016