Using the Keychain Application on a Remote Machine
When accessing a remote machine running OS X 10.11.1, is it possible to modify keychain items via the Keychain application? It was possible, and greatly appreciated, in previous versions of OS X.
Attempting to show passwords on a remote user's machine does not work, logging:
Ignoring user action since the dialog has received events from an untrusted source.
According to Apple's release notes for Security Update 2015-007 (https://support.apple.com/en-us/HT205375), under the last section for SecurityAgent (CVE-2015-5943) it states:
Impact: A malicious application can programmatically control keychain access prompts
Description: A method existed for applications to create synthetic clicks on keychain prompts. This was addressed by disabling synthetic clicks for keychain access windows.
This appears to have disabled keychain modification with the Keychain application on remote machines. As suggested by this post to AskDifferent (http://apple.stackexchange.com/questions/212622/keychain-wont-let-copy-passwords-after-10-11-1-update), granting access to an application via System Preferences -> Security & Privacy -> Accessibility will solve the problem. However, adding ARDAgent to this list does not fix the problem. Also, the remote management daemons in /System/Library/CoreServices/RemoteManagement cannot be added, as ScreensharingAgent and screensharingd are located respectively inside of ScreensharingAgent.bundle and screensharingd.bundle, which are not recognized by System Preferences' Security & Privacy panel.
Attempting to use the security command line tool causes similar issues. For example, attempting to display a password with the -g option creates a dialog on the remote machine asking for keychain access permission. As with accessing keychain items from the Keychain application directly on the remote machine, clicking the dialog's "Allow" button will not work.
As my users have a variety of passwords and notes in their keychains, I wish to avoid granting the Keychain application access to every keychain item. I would like the ability to add, modify and delete keychain items via the Keychain application, as I did in prior versions of OS X.
Any help would be gratefully appreciated. Thank you.
Remote Desktop 3.8-OTHER, OS X El Capitan (10.11.1)