Mailing Lists: Apple Mailing Lists
Re: Keychain access dialogs and ssh

On Mar 16, 2010, at 7:39 AM, Rustam Muginov wrote:

> Hello all.
> I am planning to deploy a build computer at the server which I would have no physical access to.
> I am pretty sure that most of the build procedure could be done via ssh, but I am curious about item rights to access keychain.
>
> When I first run codesign on the system (either from Xcode or from the command line), a dialog pops up requesting authorization for a tool to access Keychain. I have to click "always allow", then I never have this dialog again. How would things happen if I run build scripts remotely via ssh? Are there any commands to grant such access without requiring a VNC connection or physical access to the keyboard?
>
> Thank you in advance.

You need to eliminate the need for dialogs. There are two kinds: keychain unlocking, and (ACL) access control.

The "always allow" button edits the item's ACL to give permanent access to codesign(1). So do that once (interactively) and you're set. (You can also explicitly edit the ACL in Keychain Access, but the Always Allow button is way more convenient in this case.)

You still need to unlock the keychain. (Sshd will not unlock your keychain for you when you ssh into the system.) You can do that explicitly using the security(1) command:

	security unlock-keychain -p password /path/to/keychain

That's the password of your keychain, which defaults to your login password. If you feel queasy about storing that in a script (you should), you can store the key in a separate keychain you create for that purpose, and give it a different password.

Cheers
  -- perry
---------------------------------------------------------------------------
Perry The Cynic                                             email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------
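
Added example, not part of the original message: a build-script wrapper for the approach described in the reply, which unlocks a dedicated signing keychain with the security(1) command quoted there, signs, and locks the keychain again. The keychain path, password file, identity name and function names are assumptions, and the key is assumed to have been granted to codesign once via "Always Allow".

```shell
#!/bin/sh
# Added example. Assumed layout (not from the thread): a dedicated signing
# keychain whose password lives in a file only the build user can access.

# Succeeds only if $1 is a regular file with no group/other permission bits.
pwfile_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: unlock_build_keychain KEYCHAIN PWFILE
unlock_build_keychain() {
    ubk_keychain=$1
    ubk_pwfile=$2
    if ! pwfile_is_private "$ubk_pwfile"; then
        echo "refusing $ubk_pwfile: accessible to group or others" >&2
        return 1
    fi
    # Read the first line; tolerate a missing trailing newline.
    IFS= read -r ubk_pw < "$ubk_pwfile" || [ -n "$ubk_pw" ] || return 1
    # Same command as in the reply. -p places the password in the process
    # arguments for the lifetime of the call.
    security unlock-keychain -p "$ubk_pw" "$ubk_keychain"
    ubk_rc=$?
    unset ubk_pw
    return $ubk_rc
}

# usage: sign_with_build_keychain KEYCHAIN PWFILE IDENTITY TARGET
sign_with_build_keychain() {
    unlock_build_keychain "$1" "$2" || return 1
    # Restrict the identity search to the dedicated keychain.
    codesign --keychain "$1" -s "$3" "$4"
    swk_rc=$?
    # Lock again whether or not signing succeeded.
    security lock-keychain "$1"
    return $swk_rc
}

# Run only when called with the four arguments, e.g. from an ssh session.
if [ "$#" -eq 4 ]; then
    sign_with_build_keychain "$@"
fi
```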

Apple-cdsa mailing list      (email@hidden)