Replace password prompt with Touch ID to read Keychain password
I'm using the following command to fetch a password from the Keychain in a shell script: security find-generic-password -w -s "MyServiceName"
It works, but it's showing a popup window asking me for the login keychain password:
securitywants to use your confidential information stored in "MyServiceName" in your keychain. To allow this, enter the "login" keychain password.With the options to
Deny,AlloworAlways Allow
But I don't want to enter my keychain password every time, so I can't use "Allow" and I'd rather not "Always Allow" in order to keep some level of security here.
Ideally I'd like to get a Touch ID prompt instead. Is there any way to do this ?
Solution 1:
Investigating this I was not able to find any method that would allow for the security command to make use of Touch ID. This article titled: How to Use Touch ID to Authenticate sudo on Mac OS, mentioned in a comment regarding sudo and then use of the Touch ID, will not work here since that makes use of the addition of this line:
auth sufficient pam_tid.so
to sudo's PAM file, /etc/pam.d/sudo. There is nothing equivalent to the security command since it doesn't make use of sudo.
Therefore you're left with using one of the 2 methods mentioned in the dialog when running the security command:
- Always Allow
- Allow
If you pick "Always Allow" this will grant access indefinitely just to the security command. If you pick "Allow" it will grant security access just 1 time to Keychain.
Example
Here I've created an application password item in Keychain called TestPassword.
We can see that nothing has been given access to it by looking at the ACL tab of this dialog.
If I run this security command:
$ security find-generic-password -w -s "TestPassword"
And permanently "Always Allow" I'll be given the password for this item from Keychain:
TestPassword123
But more importantly I'll add security to the ACL for this item in Keychain.
