google / macops

Utilities, tools, and scripts for managing and tracking a fleet of Macintoshes in a corporate environment

License: Apache License 2.0

Python 88.30% Objective-C 4.38% Ruby 1.81% Shell 0.77% Makefile 4.35% C 0.39%

macops's Introduction

Overview

These are some utilities, tools, and scripts for managing and tracking a fleet of Macintoshes in a corporate environment. We expect to use this primarily as a repository for small scripts or tools that don't warrant a standalone project.

can_haz_image

Automation tool for creating images

crankd

Extras for crankd to log application usage

A nagging utility intended to provoke users into doing major OS upgrades.

facter

A simple fact for tracking application usage. A class for caching custom fact values.

Python modules with useful methods for managing and controlling Macintosh computers

A SecurityAgentPlugin to keep the login keychain synchronized in enterprise environments.

A package that attempts to render the target machine unbootable.

A menubar item with a plug-in architecture which allows admins to create anything that helps their fleet: from setting user preferences to reporting on machine status.

A host remediation program for managed Macs. Securely downloads disk images from your server and installs contained packages.

A utility to measure the system impact of a process.

Related Projects

Simian is an enterprise-class Mac OS X software deployment solution.

Munki is a set of package management tools.

Santa is a binary whitelisting/blacklisting solution for OS X. It features a kernel extension that monitors executions, and a GUI agent that alerts the user that a binary is blocked. Read more at the Santa repo: https://github.com/google/santa

Cauliflower Vest is an end-to-end solution for automatically enabling and escrowing keys for FileVault 2.

PyMacAdmin is another collection of Python utilities for Mac OS X system administration, the main piece of which is crankd

Contact

We have a public mailing list at [email protected]

Disclaimer

This is not an official Google product.

macops's People

Contributors

benroeder, ccaviness, chilcote, clburlison, eigerman, jack-stripe, jbaker10, jparsonssaffron, marczak, mkb, russellhancox, sillywilly42, smithersjr, tburgin, verycarefully


macops's Issues

Keychain Minder not appearing at screensaver lock

I'm testing Keychain Minder on 10.9.5 and 10.10.5. I can get the Keychain Minder GUI to display when I click on a lock in System Preferences, but the GUI does not appear at the screensaver lock.

When I checked /var/log/install.log, it appears that the auth db update did take place, as there are these two entries:

postinstall: Mechanism installed
postinstall: Screensaver rule updated

Is there anything I should be checking for?

KeychainMinder doing something bad to auth.db

Installing 1.4 leads to various issues related to auth.db. The screensaver unlock screen is replaced by a more standard authentication dialog asking for username and password; in some cases it will take the user's password, in others it will not. Have to select switch user to log back in. In some cases can't unlock any system preference panes. Rebuilding auth.db fixes the issue, but then KeychainMinder does not work anymore.

ValidateLoginPassword returning false positive

I am doing some tests with a local account. I found that after I reset the password with dscl, emulating a password change, the ValidateLoginPassword function does not check the password properly. Anything I type into the password field will evaluate as true. This lets me reset my Keychain passwords to anything I desire. I have yet to test with a mobile account.

The logs below show that authd understands my password was invalid, but Keychain Minder continues on and resets my Keychain to the wrong password. Interesting.

Aug 17 15:14:07 MH02001208MACLT KeychainMinderGUI[1259]: KeychainMinder launched for admin
Aug 17 15:14:21 MH02001208MACLT authd[156]: engine[1259]: checkpw() returned -2; failed to authenticate user admin (uid 502).
Aug 17 15:14:21 MH02001208MACLT com.apple.xpc.launchd[1] (com.apple.imdmessageservices.IMDMessageServicesAgent): The _DirtyJetsamMemoryLimit key is not available on this platform.
Aug 17 15:14:21 MH02001208MACLT com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): The _DirtyJetsamMemoryLimit key is not available on this platform.
Aug 17 15:14:21 MH02001208MACLT authd[156]: engine[1259]: checkpw() returned -2; failed to authenticate user admin (uid 502).
Aug 17 15:14:21 MH02001208MACLT securityd_service[356]: resetting keybag for uid (502) in session (100005)
Aug 17 15:14:21 MH02001208MACLT kernel[0]: AppleKeyStore:Sending lock change 0 for handle 1
Aug 17 15:14:21 MH02001208MACLT kernel[0]: AppleKeyStore:Sending lock change 0 for handle -502
Aug 17 15:14:21 MH02001208MACLT kernel[0]: AppleKeyStore: operation failed (pid: 356 sel: 15 ret: e00002ce)
Aug 17 15:14:21 MH02001208MACLT KeychainMinderGUI[1259]: KeychainMinder Reset: 0

The logic of the ValidateLoginPassword and when it is called looks fine. However, I was able to get a false positive when fast user switching...

It doesn't look like you are using the com.google.keychain-minder.validate-new-password right for anything else. Any reason, besides the overhead, not to use the OD framework? x amount of incorrect password attempts will eventually lock out the user. I am not sure if AuthorizationCopyRights has that behavior or not...

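#import <Foundation/Foundation.h>
#import <OpenDirectory/OpenDirectory.h>

// Verify a candidate password against the current user's record in the local
// directory node, using OpenDirectory instead of AuthorizationCopyRights.
BOOL ValidateLoginPassword(NSString *newPassword) {
    NSError *err = nil;
    ODSession *mySession = [ODSession defaultSession];
    ODNode *myNode = [ODNode nodeWithSession:mySession name:@"/Local/Default" error:&err];
    if (!myNode) {
        NSLog(@"/Local/Default not found: %@", err);
        return NO;
    }

    err = nil;
    ODRecord *myRecord = [myNode recordWithRecordType:kODRecordTypeUsers name:NSUserName() attributes:nil error:&err];
    if (!myRecord) {
        NSLog(@"%@ not found: %@", NSUserName(), err);
        return NO;
    }

    // Returns NO when the password does not match the record.
    return [myRecord verifyPassword:newPassword error:nil];
}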

Anyways, just some thoughts. I am impressed so far that no reboot is needed to reset local items! Yay!
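
The log sequence quoted in this issue (authd reporting a failed checkpw() and securityd_service resetting the keybag for the same uid in the same second) can be searched for in collected system logs. The Python below is an added example, not code from macops or from the issue's author; the function names, the 30-second window and the placeholder year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Patterns follow the authd and securityd_service messages quoted in the issue.
AUTH_FAIL = re.compile(
    r"authd\[\d+\]: .*checkpw\(\) returned -?\d+; "
    r"failed to authenticate user (\S+) \(uid (\d+)\)")
KEYBAG_RESET = re.compile(
    r"securityd_service\[\d+\]: resetting keybag for uid \((\d+)\)")
TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")


def parse_time(line, year=2000):
    """Syslog lines carry no year, so `year` is an assumed placeholder."""
    m = TIMESTAMP.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None


def resets_after_failed_auth(lines, window=timedelta(seconds=30)):
    """Return (uid, user, time) for every keybag reset that follows a failed
    checkpw() for the same uid within `window`. A hit is a lead to review, not
    proof: a mistyped password followed by a correct one looks the same."""
    last_fail = {}  # uid -> (time of last failure, user name)
    findings = []
    for line in lines:
        ts = parse_time(line)
        if ts is None:
            continue
        fail, reset = AUTH_FAIL.search(line), KEYBAG_RESET.search(line)
        if fail:
            last_fail[fail.group(2)] = (ts, fail.group(1))
        elif reset and reset.group(1) in last_fail:
            fail_ts, user = last_fail[reset.group(1)]
            if timedelta(0) <= ts - fail_ts <= window:
                findings.append((reset.group(1), user, ts))
    return findings


SAMPLE = [
    # Taken from the issue's log excerpt.
    "Aug 17 15:14:21 MH02001208MACLT authd[156]: engine[1259]: checkpw() returned -2; failed to authenticate user admin (uid 502).",
    "Aug 17 15:14:21 MH02001208MACLT securityd_service[356]: resetting keybag for uid (502) in session (100005)",
    # Constructed: a reset with no prior failure, and one outside the window.
    "Aug 17 15:20:00 host securityd_service[356]: resetting keybag for uid (503) in session (100006)",
    "Aug 17 15:21:00 host authd[156]: engine[1300]: checkpw() returned -2; failed to authenticate user bob (uid 504).",
    "Aug 17 15:30:00 host securityd_service[356]: resetting keybag for uid (504) in session (100007)",
]

if __name__ == "__main__":
    for uid, user, ts in resets_after_failed_auth(SAMPLE):
        print(f"keybag reset for {user} (uid {uid}) at {ts:%H:%M:%S} after failed checkpw()")
```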

VoiceOver does not read DeprecationNotifier lock screen text

VoiceOver does not read DeprecationNotifier lock screen text (the warning screen with the timer that prompts the user to upgrade and says "Click Here" to dismiss). This causes accessibility issues with populations who use screen readers, as without the text on screen being accessible, users who are unable to view the warning screen will experience computer performance issues as the timer increases, without being aware of the cause.

KeychainMinder XPC Service to Autofill passwords

I have a very basic proof of concept here:

https://github.com/tburgin/macops/commit/96fe9415ddfe246a8117751f407003e718aea1af

Works well under 10.11

Under 10.10, not so much.
I can't seem to get the AuthorizationPlugin to send messages to the KeychainMinderAgent. I can connect but every time I send a message I receive a connection invalidated error.

Oct 28 12:52:15 burgindev SecurityAgent[2089]: Error Domain=NSCocoaErrorDomain Code=4099 "Couldn’t communicate with a helper application." (The connection to service named com.google.corp.KeychainMinderAgent was invalidated.) UserInfo=0x7fe58c300000 {NSDebugDescription=The connection to service named com.google.corp.KeychainMinderAgent was invalidated.}

I am thinking it is some type of code signing issue. Any ideas? More investigation is required.

deprecation_notifier - only run when internal server is reachable?

It would be great if we could configure the notifier to launch our application management system (munki) off the back of the notifier using munki links. The problem with this is if the user is off LAN at the time, they wouldn't be able to do much about it.

Is it possible to configure the deprecation_notifier to only notify if a configurable url / ip address is reachable?

Thanks!

Security Policy violation Binary Artifacts

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

  • macdestroyer/fdeadduser

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.


Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Escape sequence for deprecation notifier

When I used to work at Google (techstop), we had an escape sequence built into deprecation notifier that techs could type in to kill the countdown. How can we configure this in our environment?

Keychain GUI appears if an account other than the logged-in account is used to authenticate.

I'm seeing an issue where, if I'm logged into a user account and click on a lock in System Preferences, then log in using another account's admin credentials, the Keychain Minder GUI pops up.

To reproduce:

  1. Set up two accounts, where one has admin rights and the other does not.
  2. Log in as the account that does not have admin rights.
  3. Open System Preferences
  4. Click a lock
  5. Log into the authentication dialog using the account with admin rights' credentials.

Expected behavior:

A. Lock unlocks
B. Keychain Minder GUI does not appear

Observed behavior:

  1. Lock unlocks
  2. Keychain Minder GUI appears.

Note: I was also able to reproduce the behavior when both accounts had admin rights, but I figured the above scenario was the more common of the two.

Deprecation Notifier - overlays on additional screens do not close with click handler on 10.11 clients

I built deprecation notifier to do some initial testing on my 10.11 computer, setting "expectedVersion" = "10.12" in Localizable.strings, and noticed that with multiple monitors, the mousedown event only successfully closes the overlay on the currently focused screen. Subsequent notifications seem to stack on the unfocused screen (translucency decreases), and the only way to close those is to kill the process itself.
