I'm administering a cluster of Macs, with shared login. (The shared login thing wasn't my idea, but I've got to live with it.)
We're running into problems where users connect to fileshares and click the "Remember this password in my keychain" checkbox, which presents a security problem.
Is there some way to disable this option, so that users can never store their fileshare credentials?
The possibly slightly more elegant (technically) solution is to use the "Keychain Access" tool in the Utilities folder.
Right-click on the "login" keychain in the left-hand column and select the option to "change the keychain password". Once done, right-click on the login keychain again and select "Lock Keychain".
What you have effectively done is put the login keychain under a separate password to the user account password which unlocks the login keychain on logon, i.e. it won't do that now.
When you visit a network share, if a key exists for that share the user will be asked to unlock the "login" keychain which they won't have the password for. They can then click cancel, click the "Connect As" button and fill in the login details for the share they need.
If a key doesn't already exist for that share, and they do select the checkbox "Add password to keychain" they'll be asked to provide the "login" keychain password before it can be added. Which again they can't do.
If you want the 2nd scenario, be sure to delete any existing network share keys from the "login" keychain.
Also note that Mac OS X Mail and Safari both use keychains for account access, so they will interrogate you for the keychain password. If you are using these apps, then I'd suggest creating a 2nd keychain, dragging those keys into that one and leaving it unlocked. Or share the password for that 2nd keychain. These are just examples; it applies to any tool that uses keychains.
The reason for not putting the network share keys in the 2nd keychain is that they can still add a duplicate key in the login keychain. Default behaviour of that check box is to put a key in the login keychain; I don't believe that can be overridden.
Hope that all makes sense; leave a comment if not and I'll follow up, perhaps with a screenshot.
M.
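An added example, not part of the answer above: a small audit helper for the step "delete any existing network share keys", listing the SMB and AFP entries saved in a keychain. It assumes the text layout printed by `security dump-keychain`; the function names, hostnames and accounts are constructed for illustration.

```sh
# Added example: list file-share credentials saved in a keychain so they can
# be deleted before the login keychain is put under a separate password.
# Constructed sample in the layout printed by `security dump-keychain`.
sample_dump() {
cat <<'EOF'
keychain: "/Users/shared/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="alice"
    "ptcl"<uint32>="smb "
    "srvr"<blob>="files.example.test"
keychain: "/Users/shared/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="alice"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="mail.example.test"
keychain: "/Users/shared/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="bob"
    "ptcl"<uint32>="afp "
    "srvr"<blob>="archive.example.test"
EOF
}

# Reads dump-keychain text on stdin and prints "protocol server account" for
# each internet-password item whose protocol is SMB or AFP.
list_share_items() {
    awk '
        # Extract the quoted value of an attribute line; <NULL> yields "".
        function val(s) { if (s !~ /="/) return ""; sub(/^[^=]*="/, "", s); sub(/"[ \t]*$/, "", s); return s }
        function emit() {
            if (cls == "inet" && (proto == "smb" || proto == "afp"))
                print proto, srvr, acct
            cls = proto = srvr = acct = ""
        }
        /^keychain:/      { emit() }                      # a new item starts
        /^class:/         { cls = $2; gsub(/"/, "", cls) }
        /"ptcl"<uint32>=/ { proto = val($0); gsub(/ /, "", proto) }
        /"srvr"<blob>=/   { srvr = val($0) }
        /"acct"<blob>=/   { acct = val($0) }
        END               { emit() }                      # last item in the dump
    '
}

# On a Mac: security dump-keychain ~/Library/Keychains/login.keychain | list_share_items
sample_dump | list_share_items   # offline run against the constructed sample
```

Each line of output is an item to remove from the "login" keychain in Keychain Access before locking it.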
I don't know of a way to disable it completely, but you can run a startup script to remove the keychain file every time; you just need to delete the file in ~/Library/Keychains/
I'm not a strong Mac user, but I have read around the net, searching for "disabling mac keychain", that you can disable keychain system wide. I never thought this was possible, but I found the following
Not sure that's wise or if it's from an old system.
I also read about an issue where people change their passwords regularly on the AD so keychain was not reflecting this, to which the path was
Hope that helps.