hoakley August 10, 2023 Macs, Technology

How to tackle keychain problems

Keychain problems have occurred not infrequently in the past, but with the addition of the Data Protection keychain in macOS they have become less common, and sharing your keychain in iCloud should now eliminate the great majority of problems. There may still be occasions when a user is prompted repeatedly for the password to a keychain. This article considers how to address that and other problems.

Access dialog

When you’re prompted to provide a keychain password, the dialog shown is crucial, both in terms of validating the request and discovering why you’re being asked in the first place.

keychain

Not only should you check carefully that the dialog is genuine, but use its contents to discover why you’re being asked to provide the password. First, verify its icon, the app name, keychain item, keychain name, and its three standard buttons. When you’re happy that it’s genuine and not a fake or a different type of request, record:

the requesting app, here Keychain Access,
the keychain name, here the login keychain,
the keychain item, here a secure note named Test Note 1.

When you’ve decided whether to allow or deny the request, consider whether to Allow it just this once, or to Always Allow it.

Be wary of apps suddenly requesting access that they should already have. For example, Safari is normally given full access to your web and internet access passwords, so it doesn’t prompt you for individual access. If you start seeing requests from Safari to open a keychain to give access to passwords that it should already have, suspect that the app has been changed, forcing reset of its access rights, or that the requests are bogus; either way you should suspect a security problem.

There are two sound reasons for repeated requests for authentication to unlock keychains: either the app making the request isn’t trusted to access that keychain or that item within it, or the keychain is being locked again after use, something that shouldn’t happen for the login or iCloud keychains.

If you’re happy that app should be given access to that keychain, instead of pressing Return to Allow that access, click on Always Allow. Your Mac’s security system will then decide whether to give that app lasting access, so saving further requests. One common error here is pressing Return or clicking on Allow, then wondering why a similar request follows almost immediately: if you want that app to have access in future, click on Always Allow instead.

Locking

Locking of keychains is simple to observe in the sidebar of Keychain Access, or in Mints‘ Keychain tool.

To change locking behaviour of a keychain, select that keychain in the sidebar of Keychain Access and use the Edit / Change Settings for Keychain menu command to show that keychain’s settings. You can then increase the time before that keychain is locked automatically, or disable locking altogether.

If you have custom keychains that are being accessed repeatedly and resulting in unnecessary password requests, try copying the items being accessed from there to your login keychain, which should eliminate the need to keep opening that custom keychain. Even when you set a custom keychain to be kept unlocked, before you can access it the first time after each login, you’ll be required to enter its password, as it can’t be unlocked automatically in the way that the login keychain is.

Login password mismatch

By default, your user login and login keychain passwords are identical, enabling macOS to automatically unlock your login keychain whenever you log in as that user. When you change your user password, that should automatically change the password for the login keychain as well, ensuring that unlocking still works automatically.

Sometimes the two passwords become different, usually because you changed the password on the login keychain separately. This results in login requiring you to enter two passwords instead of one. It can normally be rectified by changing the password for the login keychain to the same as the user login password.

Broken keychains

In the past, Keychain Access has also provided a First Aid feature to check and repair faulty or damaged keychains, but it no longer does. Manually reconstructing a keychain or building a fresh one, for instance after resetting the login keychain and wiping its contents, is lengthy and tedious. It’s generally better to migrate or restore from a backup or copy, which isn’t an easy option either.

Apple Support can be helpful with keychain problems, and can talk you through the steps required to get your Mac’s keychains working again.

Expired certificates

When running older versions of macOS, security certificates provided in system keychains can fall out of date, and then may cause all sorts of problems accessing websites and services. If you can locate an updated certificate, install that in the System keychain in /Library/Keychains and those problems should vanish. Note that you can’t remove, change or add certificates to SystemRootCertificates or other keychains stored in /System/Library/Keychains as they’re on the SSV and can only be changed by a macOS update.

Data Protection (iCloud) keychain

Keychain Access only provides limited access to the Data Protection keychain, whether that’s shared in iCloud or kept on your Mac as Local Items. As it can only display the passwords stored in this increasingly important keychain, it’s now better to access those through the Passwords item in System Settings, or using the Passwords tool in Safari’s Settings.

Protecting other data

Unlike most third-party password managers, keychains in macOS are designed to hold passwords, keys, certificates and small secure notes, but not arbitrary data like images and documents. This is intentional, as it limits the size that keychains can grow to, and makes them more reliable to share in iCloud. macOS provides a range of other secure storage methods that are better suited to storing other data, ranging from locked Notes to FileVault itself, many of which are protected by the Secure Enclave and free of any cost or dependence on third-parties. I will look at those in a future article.

4Comments

Add yours

1

Jerry Leichter on August 12, 2023 at 9:21 pm

So … here’s a strange one. For years, I’ve kept secondary keychains in Dropbox, making them accessible to multiple Macs. Observation of Keychain Access showed that it never modified keychain files in place – it always created an entirely new file. As a result, this actually worked reliably.

Starting about 6 months ago, after some point release of Monterey, it stopped working. If a keychain was modified on System A and then synced to System B, System B would silently refuse to use the keychain. In Keychain Access, the keychain would be present but listed under System Keychains. Opening it was allowed, but it would always show as being empty.

What exactly controls this behavior is completely obscure. Removing the keychain from Keychain Access and adding it right back doesn’t work. On the other hand, making a copy, removing the original, and adding the copy works … sometimes. So it’s not the *contents* of the file. The obvious question is whether it’s some extended attribute. Dropbox has started adding attributes – but removing them has no effect. One of these files, for some reason, has the mystery com.apple.macl attribute – but others don’t. And why does my login keychain have com.apple.quarantine set on it?

Over all … mysterious. Anyone have any clues as to what’s happening here and how to get around it? I’m wondering if there’s now a revision number on each keychain, and the Keychain Access keeps track of revision number – file correspondences and will refuse to use a keychain if the values don’t match – though depending on how it implemented that it could prevent you from restoring keychains from a backup!

(Yes, I also use the iCloud keychain. My problem with it is that singular word: Keychain. I don’t like the idea that important passwords are all accessible to anyone who gets into my iCloud account – e.g., by the tricks people have come up with for observing you unlock your iPhone, letting them steal your password, then your phone, and so on. In fact, that’s also the reason I have secondary keychains to begin with: Even if someone gets into my laptop, they don’t (without additional attacks) get access to my passwords. The ideal solution – Apple would have to implement it, of course – would be to allow multiple independent iCloud keychains – which should, of course, also be accessible from iOS. But there’s no indication that Apple is going in that direction.

LikeLiked by 1 person
- 2
  
  hoakley on August 12, 2023 at 9:50 pm
  
  Thank you. I’m sorry to hear of these problems, but as they go well beyond the boundaries of what’s intended of keychains, I think you’re going to be lucky to find a solution.
  Their onset may have coincided with the changes that have been made to the way that Dropbox works with macOS. It’s easy to study xattrs, for example using my utility xattred. com.apple.quarantine is often added to files that have come from outside ‘trusted’ storage, such as over AirDrop, now. Whether they could explain your keychain problems, I don’t know. But they’re easy to strip, and if stripping all xattrs doesn’t help, then it’s not the xattrs.
  However, I think you need to consider whether what you’re doing is wise. You’re here storing secrets in file-based keychains, which Apple is fast moving away from, instead using the iCloud keychain, which is much better protected. File-based keychains are similar to those used in the last century, and are on the verge of deprecation. Safari and Apple’s other apps that store secrets in keychains now use the iCloud keychain (or its non-shared substitute Local Items) exclusively for its superior protection.
  Howard.
  
  LikeLike
  - 3
    
    Jerry Leichter on August 12, 2023 at 10:57 pm
    
    Yes, I know. There’s a fundamental issue with security: Controlling the attack surface leads you to centralize everything. But then you end up with a single centralized control point of overwhelming value. That’s what’s happened with iCloud accounts: Once you get in, you have immediate access to *everything.* While iCloud security is really good, it isn’t and can’t be perfect. I mentioned the well-publicized issue of breaking into iPhones above, but here’s another example: My daughter is a teacher. She can’t allow her watch to unlock her Mac because it’s all to likely to unlock when some child touches it. Why doesn’t Apple at least allow a mode where you need to acknowledge the unlock (as is the case with some other uses of the watch for authentication)? Not clear, but they probably are just trying to keep things simple. (And why can’t you configure things so that when the watch goes out of range your Mac locks?)
    
    Anyway: There really wasn’t anything wrong with the old file-based keychains. Just because they’ve been around for a long time, doesn’t make them obsolete – unless Apple chooses to do so. (Remember the old mechanism that synchronized the file-based keychains through whatever-it-was-then called? I actually used that (though, yes, it had its issues with reliability) – I only went to the Dropbox solution when Apple removed that feature. The new synchronization feature does seem to be much more flexible and reliable – but in its quest for simplicity they’ve removed the ability to have separate key-stores based on distinct credentials for distinct purposes.
    
    Unfortunately, this is the kind of tradeoff we get from Apple, especially recently.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on August 13, 2023 at 7:43 am
      
      “Once you get in, you have immediate access to *everything.*”
      Not at all. But the press have certainly fuelled the lie that it’s easy to break into someone’s iCloud account and steal “everything”. With approaching a billion accounts, there have always been a few that users have been careless enough to expose. Some years back, there was a flurry of prominent account holders who were hacked, but not one of those proved to be a vulnerability in iCloud, just the usual human failings of iCloud users. I regularly hear, for example, from those with iCloud accounts who share their account within their family, so several of them log into the same account. This is human weakness.
      DP keychains were developed for sharing in iCloud. As such, connect to that iCloud account and of course you get access to the keychain, otherwise there’d be no point in sharing it. It doesn’t, though, give unrestricted access to the contents of the shared keychain: there are multiple controls in addition, including in many cases the requirement for apps to have entitlements to be able to access some of the contents.
      “She can’t allow her watch to unlock her Mac”
      Sorry, you’ve lost me there. What does that have to do with DP keychains? I don’t set my Watch to unlock any of my Macs either, as a matter of personal preference rather than any security issue. You don’t have to, and it isn’t even a default, but something you opt into.
      “There really wasn’t anything wrong with the old file-based keychains.”
      There is: they’re not secure by modern standards. Apple makes that clear, which is why it’s trying to move away from them.
      “they’ve removed the ability to have separate key-stores based on distinct credentials for distinct purposes.”
      Apple hasn’t removed that, indeed, it has extended that by adding requirements such as app entitlements, using the Secure Enclave, and incorporating biometrics such as Touch ID and Face ID. Perhaps you should take a look at its developer documentation for the API for DP keychains before claiming that there’s some downgrading tradeoff.
      Howard.
      
      LikeLike

·Comments are closed.