How can I change the keychain password through Terminal?

Hey all,


so here's what I'm trying to do: my organization has a relatively small network, yet it's too large to manually perform changes to each workstation. We are preparing to change all the local administrator passwords, and we would like to do this by sending UNIX commands via Apple Remote Desktop (yes, we're aware of the security implications and will be sure to remove the script afterwards). I've been able to successfully change the password for the local admin account using the following command:


/usr/bin/dscl . -passwd /Users/Admin oldpassword newpassword


Doing it this way, however, causes there to be a disparity between the login password and the keychain password. Is there a command that I can send through UNIX to also change the keychain password? Thanks.

Posted on Nov 12, 2015 9:02 AM


Nov 12, 2015 9:18 AM in response to cfoote00

For the login password, it's via sudo...


sudo /usr/bin/dscl . -passwd /Users/Admin oldpwd newpwd


For the keychain password — because that's encrypted data and not a hash record that can be "whacked" to a new value — you have to know the old keychain password to change it. Your choices are to continue without opening the keychain, create a new keychain, or enter the old keychain password to unlock the keychain. Short of knowing or brute-forcing the old password, there are no other choices. Best you can do here is reset the keychain, via the security command.

Nov 12, 2015 9:33 AM in response to MrHoffman

Okay, that's helpful, thank you. If I DO know the old keychain password, is there a UNIX command to change that? I was able to find some information on that, but it seemed to only apply to the currently logged in user. Because I'm working with the local administrator accounts, they will almost never be the ones logged in when I execute the command.

Nov 12, 2015 11:26 AM in response to cfoote00

Try the security set-keychain-password command. Probably...

security set-keychain-password -o oldpwd -p newpwd /Users/{UserShortNameHere}/Library/Keychains/login.keychain


Try that on a scratch keychain, first.


Apple has some resources available that might be interesting to you (and if you've not already found these), such as the advanced shell scripting document or the old command-line administration manual, or the command-line section of the more recent Server Tools help.


Entirely FWIW, the ARD forum isn't the best spot for OS X command-line administration questions, BTW — probably one of the server forums would be a better spot, since these are generic OS X Server commands. From what I can tell of it, there aren't all that many folks that lurk around here.
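
The scratch-keychain trial suggested in the reply above, as an added example that is not part of the original thread: it creates a throwaway keychain, changes its password with `security set-keychain-password`, and confirms that only the new password unlocks it. The function name, the `SECURITY_BIN` variable, the scratch path and the passwords are assumptions made for this sketch.

```bash
#!/bin/bash
# Added example: rehearse `security set-keychain-password` on a scratch keychain
# before touching a real login.keychain.
# SECURITY_BIN is an assumed override hook; by default the macOS tool is used.
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"

# rehearse_keychain_change OLD NEW [KEYCHAIN_PATH]
# Returns 0 only if NEW unlocks the keychain and OLD no longer does.
# Note: values given to -o/-p are visible in the process list while the
# command runs, so use throwaway passwords for the rehearsal.
rehearse_keychain_change() {
    local old="$1" new="$2"
    local kc="${3:-${TMPDIR:-/tmp}/scratch-$$.keychain}"
    local rc=0

    # 1. Create the scratch keychain, protected by the old password.
    "$SECURITY_BIN" create-keychain -p "$old" "$kc" || return 10

    # 2. Change the password the same way the real change would be made.
    if ! "$SECURITY_BIN" set-keychain-password -o "$old" -p "$new" "$kc"; then
        rc=11                      # the change itself failed
    else
        # 3. Lock it, then check which password opens it.
        "$SECURITY_BIN" lock-keychain "$kc" || true
        if "$SECURITY_BIN" unlock-keychain -p "$old" "$kc" 2>/dev/null; then
            rc=12                  # old password still unlocks: change did not take
        elif ! "$SECURITY_BIN" unlock-keychain -p "$new" "$kc"; then
            rc=13                  # new password does not unlock
        fi
    fi

    # 4. Always remove the scratch keychain.
    "$SECURITY_BIN" delete-keychain "$kc" || echo "warning: could not delete $kc" >&2
    return "$rc"
}

# Run the rehearsal only when asked, e.g.: ./rehearse.sh --run
# Both passwords below are constructed sample values.
if [ "${1:-}" = "--run" ]; then
    rehearse_keychain_change 'constructed-old-pw' 'constructed-new-pw' \
        && echo "rehearsal OK: only the new password unlocks the scratch keychain"
fi
```

A non-zero return code identifies the step that failed (10 create, 11 change, 12 old password still accepted, 13 new password rejected).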
