How can I access the keychain remotely from the command line?
I am storing various passwords (e.g. for remote email servers) in my keychain. From the command line, when logged in locally, I can retrieve these via:
security unlock-keychain ~/Library/Keychains/login.keychain
<enter password>
security find-internet-password -s smtp.gmail.com -a [email protected]
<dumps keychain attributes, not including password>
security find-internet-password -s smtp.gmail.com -a [email protected] -g
<dumps keychain attributes, including password>
However, the results cannot be achieved when run remotely (ssh'ing in to the box from somewhere else):
security unlock-keychain ~/Library/Keychains/login.keychain
<enter password>
security find-internet-password -s smtp.gmail.com -a [email protected]
<dumps keychain attributes, not including password>
security find-internet-password -s smtp.gmail.com -a [email protected] -g
<nothing printed, to stdout or stderr>
Moreover, the return value of the final command (using -g) is 36.
I've dumped the output of set
from a local login and compared it to a remote
one, and the missing environment variables are:
Apple_PubSub_Socket_Render
GPG_AGENT_INFO
SECURITYSESSIONID
TERM_PROGRAM
TERM_PROGRAM_VERSION
TERM_SESSION_ID
XPC_FLAGS
XPC_SERVICE_NAME
What am I missing? I do have SSH_AUTH_SOCK
set to a valid value (returned
from ssh-agent
).
Solution 1:
In reproducing this to investigate, I notice that I have my keychain configured to “Confirm before allowing access.” So when I perform the find-internet-password
locally with the -g
flag, I get a dialog box stating security wants to use your confidential information stored in “smtp.gmail.com” in your keychain. If I click “Allow” then it works, if I click “Deny” it fails similarly to the ssh
case, with a return code of 51
.
When I try the command remotely via ssh
, the -g
immediately results in failure, with the status of 36
that you are reporting.
I suspect that this is because, when you ssh
in, there is no way for the system to pop up a dialog box allowing you to confirm that you want to allow the security
command to access this information.
I was able to get the command to work while connected by ssh
by first clicking the “Always Allow” option when running the command locally. This updates the permissions in Keychain so that I no longer need to respond to the dialog (even locally), which allows it to work remotely too.
I don’t know if this will be entirely helpful to you, however, as I think it means you will need to preemptively grant the security
program access to any keychain items you may want to access remotely. It may be possible to write a script to do this?
If you are experimenting with this manually and later want to revoke this access, you can go to the affected item in Keychain Access, choose Get Info and look at the Access Control tab. You will see an entry for security
there, which you can delete:
Solution 2:
security -i unlock-keychain
works for me in MacOS 10.13.4 High Sierra.
After investigating karthick's solution, I found this. The -i makes the command interactive and prompts you in the terminal for your password.