cfoote00

Q: How can I change the keychain password through Terminal?

Hey all,


so here's what I'm trying to do: my organization has a relatively small network, yet it's too large to manually perform changes to each workstation. We are preparing to change all the local administrator passwords, and we would like to do this by sending UNIX commands via Apple Remote Desktop (yes, we're aware of the security implications and will be sure to remove the script afterwards). I've been able to successfully change the password for the local admin account using the following command:


/usr/bin/dscl . -passwd /Users/Admin oldpassword newpassword


Doing it this way, however, causes there to be a disparity between the login password and the keychain password. Is there a command that I can send through UNIX to also change the keychain password? Thanks.

Posted on Nov 12, 2015 9:02 AM

  • MrHoffman, Level 6 (15,637 points), Nov 12, 2015 9:18 AM in response to cfoote00

    For the login password, it's via sudo...


    sudo /usr/bin/dscl . -passwd /Users/Admin oldpwd newpwd


    For the keychain password — because that's encrypted data and not a hash record that can be "whacked" to a new value — you have to know the old keychain password to change it. Your choices are continue without opening the keychain, create a new keychain, or enter the old keychain password to unlock the keychain. Short of knowing or brute-forcing the old password, there are no other choices. Best you can do here is reset the keychain, via the security command.

  • cfoote00, Level 1 (0 points), Nov 12, 2015 9:33 AM in response to MrHoffman

    Okay, that's helpful, thank you. If I DO know the old keychain password, is there a UNIX command to change that? I was able to find some information on that, but it seemed to only apply to the currently logged in user. Because I'm working with the local administrator accounts, they will almost never be the ones logged in when I execute the command.

  • MrHoffman, Level 6 (15,637 points), Nov 12, 2015 11:26 AM in response to cfoote00 (Solved answer)

    Try the security set-keychain-password command. Probably...

    security set-keychain-password -o oldpwd -p newpwd /Users/{UserShortNameHere}/Library/Keychains/login.keychain


    Try that on a scratch keychain, first.


    Apple has some resources available that might be interesting to you (and if you've not already found these), such as the advanced shell scripting document or the old command-line administration manual, or the command-line section of the more recent Server Tools help.


    Entirely FWIW, the ARD forum isn't the best spot for OS X command-line administration questions, BTW — probably one of the server forums would be a better spot, since these are generic OS X Server commands. From what I can tell of it, there aren't all that many folks that lurk around here.
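The two steps from this thread (dscl -passwd, then security set-keychain-password on the target user's login keychain) combined into one script, with the ordering and checks an administrator would want before pushing it out via ARD. This is an added example, not code from the thread: the USERS_ROOT, DSCL and SECURITY variables are assumptions that let the commands be pointed at a test tree or at stubs, and the verification steps (dscl -authonly, security unlock-keychain) are not mentioned in the answers above.

```shell
#!/bin/sh
# Rotate a local account's login password and its login keychain password together.
# Assumed knobs (not from the thread): USERS_ROOT is the home-directory root,
# DSCL and SECURITY are the tool paths, so a scratch tree or stubs can be used.
set -u
USERS_ROOT="${USERS_ROOT:-/Users}"
DSCL="${DSCL:-/usr/bin/dscl}"
SECURITY="${SECURITY:-/usr/bin/security}"

# Print the user's login keychain path. Newer releases name it login.keychain-db,
# older ones login.keychain. Prints nothing and returns 1 if the account has
# never logged in (no keychain yet), so the caller can skip the keychain step.
keychain_for_user() {
    dir="$USERS_ROOT/$1/Library/Keychains"
    for f in "$dir/login.keychain-db" "$dir/login.keychain"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# rotate_user_password SHORTNAME OLDPW NEWPW
# Order matters: change the login password first and only touch the keychain
# if that succeeded, so the two never drift apart. Return codes tell the ARD
# operator which half failed. Note that passwords given as arguments are
# visible to other local processes for as long as each command runs.
rotate_user_password() {
    user="$1"; old="$2"; new="$3"
    # Directory Services record path, not a filesystem path
    "$DSCL" . -passwd "/Users/$user" "$old" "$new" || return 1
    if ! kc="$(keychain_for_user "$user")"; then
        echo "no login keychain for $user; login password changed only" >&2
        return 0
    fi
    "$SECURITY" set-keychain-password -o "$old" -p "$new" "$kc" || return 2
    # Verify both halves accept the new value before reporting success
    "$DSCL" . -authonly "$user" "$new" || return 3
    "$SECURITY" unlock-keychain -p "$new" "$kc" || return 4
    "$SECURITY" lock-keychain "$kc"
}
```

Run it against a throwaway account first, as the answer above suggests, and check the return code rather than only the output.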

  • cfoote00, Level 1 (0 points), Nov 12, 2015 11:27 AM in response to MrHoffman

    Excellent, I'll keep that in mind. Thanks a lot.