
Restricted use of Keychain

I have a shared system where I'd like to set up limited access to the Keychain.


No access is easy enough because I can just set a different password for the login keychain, however the tricky part comes in when there's a shared "training" email account configured in Apple Mail. I've let Apple Mail store the IMAP and SMTP passwords to the keychain, but I don't see any options to allow, say, read-only access.


With the login keychain using a different password, it doesn't get automatically unlocked on login, but as soon as Mail is launched, the user is prompted to unlock the keychain.


Any ideas?


Ultimately, I'm trying to prevent the user from saving their FileMaker password to the keychain, so an alternate solution would be to somehow prevent keychain access for FileMaker.


Thanks!

MacBook Pro 15, Mac OS X (10.6.7)

Posted on May 9, 2011 4:34 PM

11 replies

May 9, 2011 6:19 PM in response to Chris R.

You understand that nothing in the Keychain is accessible unless it's unlocked, right? Neither readable nor writable. When it is unlocked, items will be saved automatically. So if a user enters a FileMaker password, and FM is capable of saving that password in the Keychain, it will do so. You can't prevent that.


If the idea is that you don't want the user to know the passwords stored in the Keychain, that's relatively easy. Just prohibit use of the Keychain Access application in Parental Controls.

May 9, 2011 7:01 PM in response to Chris R.

Chris R. wrote:


I'm not sure you read my post correctly.

I read it correctly, but I'm not sure I understand what the problem is. Are you trying to have multiple users share the same account? Or are you trying to have keychain not work the way it was designed? Why can't users store their passwords in it? That is what it is for.

May 9, 2011 7:47 PM in response to etresoft

etresoft wrote:

I read it correctly, but I'm not sure I understand what the problem is. Are you trying to have multiple users share the same account? Or are you trying to have keychain not work the way it was designed? Why can't users store their passwords in it? That is what it is for.


I'm trying to set up sort of a shared kiosk (it's actually for training purposes in a dept.). Multiple accounts won't really work because it'll vary and Apple Mail will have to be set up for each, even though it'll be the same generic account. Plus the user will rarely be there for very long.


So it's not your typical user setup at all. Definitely something kind of counter to Apple's multi-user design, which is great...and I use that elsewhere with Open Directory. Which is why I'm here. 😉


So since this is a shared account, I'd like to prevent users from storing passwords in the keychain (unless they're an admin maybe?), while also allowing Mail to use the stored passwords in the keychain.


Thanks

May 9, 2011 7:49 PM in response to Linc Davis

Linc Davis wrote:

....


If the idea is that you don't want the user to know the passwords stored in the Keychain, that's relatively easy. Just prohibit use of the Keychain Access application in Parental Controls.


Hmmm... Parental Controls! That's something I haven't checked out yet. I'm not so concerned about them knowing the password (it's actually limited to our domain only), but I'm just looking for a way to control what gets added to the keychain.


Thanks.

May 10, 2011 3:28 PM in response to Chris R.

So as it turns out, neither MCX/Workgroup Manager nor Parental Controls really give you much control over the use of the keychain, though they can certainly lock down access to the Keychain Access app. And Kiosk is a bit overboard for this purpose.


I found a much simpler solution that does almost exactly what I want. I just locked the ~/Library/Keychains/login.keychain file in the Finder Get Info window. The keychain still unlocks at login, but the user can't save passwords into the keychain. Even better, it doesn't complain when they try to do so.


Initially I tried it with permissions, but it seems even if you change the owner of the file, and set the user's rights to Read-Only, you're still able to store login info. It may be because I set the permissions on just the file, rather than the whole directory.


The only loophole with this setup is the user can obviously find and unlock the file, but I'm not too concerned about that really. This is more of a usability setup, rather than for security reasons.


Thanks for the help.
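The Finder "Locked" checkbox used in the fix above sets the BSD user-immutable flag (UF_IMMUTABLE, the same thing `chflags uchg` sets), which is a different control from the mode bits tried with the earlier permissions approach. The following script is an added example, not code from this thread; it checks and toggles that flag on a file, confirms that writes are refused while the flag is set, and also reports the owner write bit for contrast. The login keychain path is the one named in the thread; the scratch-file round trip is constructed for the demonstration. On platforms without BSD flags (Linux) the functions report "no flag support" rather than failing.

```python
"""Inspect and toggle the Finder "Locked" flag (BSD uchg) on a file.

Added example for the keychain-locking approach described in the thread.
It is not code from the thread or from Apple; the keychain path below is
the one the poster used, and the scratch file is constructed for the demo.
"""
import os
import stat
import tempfile

# Path from the thread (assumption: default per-user login keychain location).
LOGIN_KEYCHAIN = os.path.expanduser("~/Library/Keychains/login.keychain")


def lock_state(path: str) -> dict:
    """Report the immutable flags and the owner write bit for a path.

    UF_IMMUTABLE is what Finder's "Locked" checkbox sets; SF_IMMUTABLE is the
    system-level flag only root can clear. Platforms without BSD file flags
    expose no st_flags, so they are reported as unlocked.
    """
    st = os.stat(path)
    flags = getattr(st, "st_flags", 0)
    return {
        "user_locked": bool(flags & stat.UF_IMMUTABLE),
        "system_locked": bool(flags & stat.SF_IMMUTABLE),
        "owner_writable_bit": bool(st.st_mode & stat.S_IWUSR),
    }


def set_user_lock(path: str, locked: bool) -> bool:
    """Set or clear uchg on path. Returns False when the OS has no chflags."""
    if not hasattr(os, "chflags"):
        return False
    flags = getattr(os.stat(path), "st_flags", 0)
    if locked:
        flags |= stat.UF_IMMUTABLE
    else:
        flags &= ~stat.UF_IMMUTABLE
    os.chflags(path, flags)
    return True


def write_blocked(path: str) -> bool:
    """True if opening the file for writing is refused (EPERM on a uchg file)."""
    try:
        with open(path, "ab"):
            pass
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Round-trip the lock on a constructed scratch file and collect the results.

    Note that the owner write bit stays set the whole time: uchg blocks writes
    independently of the mode bits, which is why it behaves differently from
    the read-only permissions attempt described in the thread.
    """
    fd, path = tempfile.mkstemp(prefix="keychain-lock-demo-")
    os.close(fd)
    try:
        result = {
            "before": lock_state(path),
            "write_blocked_before": write_blocked(path),
        }
        result["flag_supported"] = set_user_lock(path, True)
        result["locked"] = lock_state(path)
        result["write_blocked_locked"] = write_blocked(path)
        set_user_lock(path, False)
        result["write_blocked_after"] = write_blocked(path)
    finally:
        set_user_lock(path, False)  # a uchg file cannot be unlinked until cleared
        os.unlink(path)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    if os.path.exists(LOGIN_KEYCHAIN):
        print("login keychain:", lock_state(LOGIN_KEYCHAIN))
```

Run it with no arguments to see the round trip; on a Mac it additionally reports the flag state of the real login keychain without changing it. To apply the thread's fix from a terminal instead of Finder, call `set_user_lock(LOGIN_KEYCHAIN, True)` as the account's owner; as the thread notes, the same user can clear the flag again, so this is a usability guard rather than a security boundary.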
