Re: How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- Subject: Re: How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- From: Motti Shneor <email@hidden>
- Date: Tue, 06 Sep 2016 15:36:21 +0300
Hello Jens, and thanks.
I doubt all Apple preinstalled applications have free access to any keychain content (passwords), or else any Apple application would serve as a potential vulnerability and the whole point of encrypted keychains wouldn’t be worth much. I think there is some kind of trust, but it is not based on signature. Maybe it is the same “trust” normal apps can get when the user presses “Allow” or “Always allow”, only certain applications get this trust “preinstalled”?
Or else, maybe all these apps use NSURLSession, which defers networking tasks to an external process that may have this specific trust (as a specific entitlement)?
All my app does is use the Keychain APIs to read the proxy user/password. I believe the securityd agent/daemon is the one to prompt the user for permission. It runs under user ‘root’ - much like my own daemon.
* How does it gain access to my Login keychain? How does it determine which keychain to consult for a specific connection? does it somehow impersonate my user (and call the key-chain APIs)?
* If the user allows permanent permission for specific app to the user’s keychain (pressing “Always allow”) - how is this trust persisted, and where?
Have you any idea?
I verified that indeed setting the proxy from one user (my normal admin user) affects all other users on the machine - my code returns the same proxies. Also, when opening the System Preferences/Network/Ethernet/Proxies panel, I can see the same proxy settings. Hence I’m quite sure they are stored system-wide.
Not so for the credentials...
> On 5 Sep 2016, at 22:10, Jens Alfke <email@hidden> wrote:
>
>
>> On Sep 5, 2016, at 6:51 AM, Motti Shneor <email@hidden> wrote:
>>
>> 1. Why don’t Safari, Mail, Photos, and other standard apps trigger such dialog when they clearly use proxy settings (including credentials) to go to the internet? Is this behavior acceptable, and how is it done?
>
> Those apps are signed by Apple, so they’re automatically trusted.
>
> Note that the Keychain permission alert only appears _once_ for any app. You may be seeing it every time you run your code, but that’s because every time you change the code, it makes the app look different to the system. (You can get around this by signing the app; then the signature remains the same between launches.)
>
>> 2. All proxy settings seem to be system-wide. Why do the credentials reside in the active user’s Login keychain, instead of the “System” keychain? Is there at all a way (except for manually editing the keychains) to set-up proxies for ALL users, including credentials?
>
> Have you verified that different users inherit the same proxy settings? If so, I agree that it’s odd that the credentials would be in the Login keychain.
>
>> 3. Could I, at the time of installation of my product, ask once for this access, and have this “trust” saved for my installed daemon? That will be acceptable, as IT install our tool, and have rights for this. If this is possible - where and how could I do it?
>
> I don’t know. It may be related to the way that app helper processes are authenticated, i.e. being signed with related certs. But this isn’t something I’ve ever done.
>
> One other possibility is:
> * Installer gets the proxy settings, including getting user permission to access credentials
> * Installer saves the settings & credentials into a file only accessible to root
> * Daemon reads the settings from that file
>
Can’t believe this is true, because when proxy settings change - who will synchronize?
>> 4. Could I avoid the whole proxy-authentication protocol, and use some OS-X API that would do it for me (in the likes of NSURLSession) Is there some official lower-level API to do this? Otherwise I need to implement all kinds of authentication schemes (kerberos, NTLM, digest etc.), which seems silly on an OS that already knows how to do it? Clearly OS implementation will be superior to mine...
>
> I think NSURLSession is the only API that includes proxy support. For some reason CFStream doesn’t, even though it can do HTTP requests.
I think I once tested CFNetwork’s CFHTTPStream/CFHTTPMessage and they did proxy authentication too. (There’s that CFHTTPAuthentication object) - but I’m not sure. What I know for sure, you can’t use only their proxy and authentication, then get control over the connection and stream. You must be HTTP all the way, and use CFHTTPMessage APIs.
>
> —Jens
_______________________________________________
Cocoa-dev mailing list (email@hidden)
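An added example, not code from either poster or from Apple, that ties the thread's questions 1, 3 and 4 together in working Swift: read the system-wide proxy host/port from the same SystemConfiguration store the Network preference pane writes, look the matching credential up in the current user's keychain search list as an Internet-password item, and hand it to NSURLSession on a proxy challenge instead of implementing the authentication schemes by hand. The names `systemProxy`, `proxyCredential` and `ProxyAuthDelegate` are mine. It assumes the Network pane stores the "Web Proxy" and "Secure Web Proxy" credentials with the `kSecAttrProtocolHTTPProxy` / `kSecAttrProtocolHTTPSProxy` protocol attribute and the proxy host as the server attribute; check with `security dump-keychain` on your machine before relying on that.

```swift
import Foundation
import Security
import CFNetwork

// Host and port of the system-wide HTTP or HTTPS proxy, or nil if that
// proxy kind is not enabled. CFNetworkCopySystemProxySettings reads the
// dynamic store that the Network preference pane writes to, which is why
// every user on the machine sees the same values.
func systemProxy(https: Bool) -> (host: String, port: Int)? {
    guard let raw = CFNetworkCopySystemProxySettings()?.takeRetainedValue(),
          let settings = raw as NSDictionary as? [String: Any] else { return nil }
    let enableKey = (https ? kCFNetworkProxiesHTTPSEnable : kCFNetworkProxiesHTTPEnable) as String
    let hostKey   = (https ? kCFNetworkProxiesHTTPSProxy  : kCFNetworkProxiesHTTPProxy) as String
    let portKey   = (https ? kCFNetworkProxiesHTTPSPort   : kCFNetworkProxiesHTTPPort) as String
    guard (settings[enableKey] as? Int) == 1,
          let host = settings[hostKey] as? String,
          let port = settings[portKey] as? Int else { return nil }
    return (host, port)
}

enum ProxyCredentialError: Error {
    case notFound                 // no item for that host/port/protocol
    case accessDenied(OSStatus)   // user clicked Deny, or no UI session to ask in
    case other(OSStatus)
}

// Look up the proxy credential as an Internet-password item. This walks the
// calling user's keychain search list (login keychain first), so it only
// works from a process running inside that user's session; a root launchd
// daemon has a different search list and cannot trigger the securityd prompt.
// (Assumption: the Network pane stores proxy credentials with these attributes.)
func proxyCredential(host: String, port: Int, https: Bool) throws -> URLCredential {
    let query: [String: Any] = [
        kSecClass as String:            kSecClassInternetPassword,
        kSecAttrServer as String:       host,
        kSecAttrPort as String:         port,
        kSecAttrProtocol as String:     https ? kSecAttrProtocolHTTPSProxy : kSecAttrProtocolHTTPProxy,
        kSecMatchLimit as String:       kSecMatchLimitOne,
        kSecReturnAttributes as String: true,
        kSecReturnData as String:       true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        break
    case errSecItemNotFound:
        throw ProxyCredentialError.notFound
    case errSecInteractionNotAllowed, errSecAuthFailed:
        // Returning the secret data is what triggers the "Allow / Always allow"
        // dialog; these codes mean it was refused or could not be shown.
        throw ProxyCredentialError.accessDenied(status)
    default:
        throw ProxyCredentialError.other(status)
    }
    guard let attrs = item as? [String: Any],
          let account = attrs[kSecAttrAccount as String] as? String,
          let data = attrs[kSecValueData as String] as? Data,
          let password = String(data: data, encoding: .utf8) else {
        throw ProxyCredentialError.other(errSecDecode)
    }
    return URLCredential(user: account, password: password, persistence: .forSession)
}

// Session delegate that answers proxy challenges from the keychain and lets
// NSURLSession do the Basic/Digest/NTLM/Negotiate work itself. Implemented at
// both the session and the task level so it is reached whichever way the
// framework classifies the challenge.
final class ProxyAuthDelegate: NSObject, URLSessionDelegate, URLSessionTaskDelegate {
    private func handle(_ challenge: URLAuthenticationChallenge,
                        _ completion: (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.isProxy else { return completion(.performDefaultHandling, nil) }
        // A second challenge means the stored credential was rejected; stop
        // rather than retry, or a stale password can lock the account out.
        guard challenge.previousFailureCount == 0 else {
            return completion(.cancelAuthenticationChallenge, nil)
        }
        let https = space.proxyType == NSURLProtectionSpaceHTTPSProxy
        do {
            completion(.useCredential, try proxyCredential(host: space.host, port: space.port, https: https))
        } catch {
            NSLog("proxy credential lookup failed: \(error)")
            completion(.performDefaultHandling, nil)
        }
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        handle(challenge, completionHandler)
    }

    func urlSession(_ session: URLSession, task: URLSessionTask, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        handle(challenge, completionHandler)
    }
}

// The default configuration already routes through the system proxy; the
// delegate only supplies the credential when the proxy asks for one.
let session = URLSession(configuration: .default, delegate: ProxyAuthDelegate(), delegateQueue: nil)
if let p = systemProxy(https: false) { NSLog("HTTP proxy in use: \(p.host):\(p.port)") }
```

The caveat for the daemon case in the thread: the "Always allow" decision is persisted in the keychain item's own access control list (it records which applications may read that item without prompting), so it is tied to the item in the user's login keychain and to the requesting binary, not to a system-wide grant. A root launchd daemon does not run in the user's security session and so neither sees that keychain in its search list nor can put up the prompt; only the user-session side of the product (an agent) can do the lookup above, and it must be code-signed with a stable identity or every rebuild will be treated as a new application and prompt again, as Jens notes.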