Unwanted saving of proxy credentials
I'm working in an environment where several users access shared iMacs (OS X 10.7.4) using generic accounts that are shared between multiple users. However, when they want to access the internet they must authenticate with the proxy server using their own unique credentials.
With that in mind, the proxy credentials should be cleared on logout, so that when another user accesses the same account, they still have to input their own proxy credentials when accessing the internet. Firefox does this just fine. However, Safari saves the credentials no matter what and they persist through logout, which is a security and privacy concern.
I've tried turning off authentication for the proxy server. This will prompt for credentials again but will save them after they're entered. Keychains have similar behaviour when they expire or are deleted. AutoFill for passwords in Safari is turned off and there are no saved passwords or other credentials.
How do I stop the proxy credentials from being saved?
Update: The problem seems to be coming from a system process called AuthBrokerAgent which is responsible for proxy authentication. When proxy credentials are entered for the first time, it stores them in the user's login keychain and automatically adds itself as an allowed application for accessing those credentials. A workaround can be created by removing it from a list of allowed applications, forcing the program to ask for the keychain password when accessing those credentials, then changing the keychain password so it's different from the user account password, but this is extremely cumbersome as it must be configured on every account individually. A better solution must exist.
Deleting the AuthBrokerAgent preference list broke proxy authentication in Safari completely.
I'm not sure how to prevent the creation of the credentials in the first place, but you can remove items from the Keychain using the security command, which is easily scriptable.
The command you want is `security delete-internet-password -s server`, where `server` is the hostname or address of the proxy server without the protocol (i.e. `192.168.0.1`, not `https://192.168.0.1`). Alternatively you can use `-l label` to match the name of the keychain item, or various other search parameters, which you can find detailed on the man page.
You can have this command run at logout for each user by saving it as an executable script in a location readable by all users (make sure the file is executable for all users as well). Then run `sudo defaults write com.apple.loginwindow LogoutHook /path/to/script`.
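As an added example (not the answer's own script), here is a logout hook of the kind described above. The proxy hostnames and the keychain path are constructed placeholders, `security` exists only on OS X, and the script assumes that loginwindow runs the hook as root with the logging-out user's short name as `$1` and that a root-run hook can delete items from that user's login keychain by path.

```shell
#!/bin/bash
# Logout hook: loginwindow runs this as root and passes the short name of the
# user logging out as $1. Placeholder proxy hosts; replace with the real ones.
PROXY_HOSTS="proxy.example.com 192.168.0.1"

# Path of the user's login keychain on OS X 10.7 (assumed layout).
keychain_for_user() {
  printf '/Users/%s/Library/Keychains/login.keychain\n' "$1"
}

# Delete every internet-password item whose server matches one of the hosts.
# `security delete-internet-password` removes one matching item per call and
# exits non-zero when nothing matches, so loop until it fails.
# Prints the number of items removed.
delete_proxy_items() {
  keychain="$1"; shift
  removed=0
  if [ ! -f "$keychain" ]; then
    echo 0            # no login keychain yet: nothing to clear
    return 0
  fi
  for host in "$@"; do
    while security delete-internet-password -s "$host" "$keychain" >/dev/null 2>&1; do
      removed=$((removed + 1))
    done
  done
  echo "$removed"
}

main() {
  user="$1"
  kc=$(keychain_for_user "$user")
  # Word-splitting of PROXY_HOSTS into separate arguments is intended.
  n=$(delete_proxy_items "$kc" $PROXY_HOSTS)
  logger -t proxy-logout-hook "removed $n proxy credential item(s) for $user"
}

# Only act when loginwindow supplies a user name; running with no arguments
# does nothing, so the functions above can be exercised on their own.
if [ $# -ge 1 ]; then
  main "$1"
fi
```

Items for each listed host are removed one at a time until none remain, and a missing keychain file is treated as "nothing to do" rather than an error.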