Error accessing keychain item from OS X authorization plugin

 ̄綄美尐妖づ Submitted on 2020-01-04 10:18:46

Question


I'm using the NameAndPassword authorization plugin to log in through the OS X lock screen (the fixed version of the plugin, since the original is broken). I need it to be able to access stored passwords somehow, and currently I'm trying to achieve this by using keychains.

I managed to create the keychain and save some password inside, along with the ACL needed to access the password without prompting the user. Any application added to the ACL works fine with no prompts, but when I try to access the keychain with this NameAndPassword authorization plugin, I'm getting a -25293 "The user name or passphrase you entered is not correct" error when calling SecKeychainFindGenericPassword to obtain the password.

I have tried adding both the /Library/Security/SecurityAgentPlugins/NameAndPassword.bundle bundle and the /Library/Security/SecurityAgentPlugins/NameAndPassword.bundle/Contents/MacOS/NameAndPassword executable itself to the ACL, but the error is always the same.

I believe this might be because this plugin is being run as another user (or as no user at all). What can I do to get rid of this error? Or maybe it will not be possible? In that case, how am I supposed to store and access the passwords from within this plugin, when it can't access the home directory? I've been struggling with this for weeks now.


Answer 1:


Check if you changed the ownership of the plugin bundle to root:wheel. Use this command:

sudo chown -R root:wheel /Library/Security/SecurityAgentPlugins/NameAndPassword.bundle



Answer 2:


The plugin will likely need to be configured as privileged to have access to the filesystem location where your keychain is stored.

Your mechanism may need to run after the HomeDirMechanism if you need access to the home directory.

In order to read from the keychain, you will need to unlock it first. For the default login keychain, you can usually unlock it using the password from the login window since this is kept in sync with the login password by default.

You will need to specify which keychain you are reading from; otherwise, it would attempt to use the root user's default keychain, which may not exist.

Apple's Technical Note covers a lot on this topic. https://developer.apple.com/library/content/technotes/tn2228/_index.html
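The sequence this answer describes (name the keychain explicitly, unlock it with the login-window password, then look up the item) is shown below as an added example; it is not code from the question, the answers or the NameAndPassword plugin. It uses the same Security framework C API the question calls (SecKeychainFindGenericPassword) and assumes a keychain file path, a keychain password, and the placeholder service/account names "my-service" / "my-account" are supplied by the caller. It is built on macOS with clang and the Security and CoreFoundation frameworks.

```objc
// Added example (not from the question or answers): open a named keychain,
// unlock it with the password obtained from the login window, then read a
// generic password item from that keychain only.
// Build on macOS: clang -framework Security -framework CoreFoundation keychain_read.m -o keychain_read
#import <Security/Security.h>
#import <CoreFoundation/CoreFoundation.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// Print a readable description of a Security framework status code.
static void logStatus(const char *step, OSStatus status) {
    CFStringRef msg = SecCopyErrorMessageString(status, NULL);
    char buf[256] = "unknown";
    if (msg != NULL) {
        CFStringGetCString(msg, buf, sizeof buf, kCFStringEncodingUTF8);
        CFRelease(msg);
    }
    fprintf(stderr, "%s: %d (%s)\n", step, (int)status, buf);
}

// Returns true on success and copies the NUL-terminated password into out.
// keychainPath: an explicit keychain file (assumed to be supplied by the caller).
// loginPassword: the password the mechanism got from the login window.
static bool readStoredPassword(const char *keychainPath, const char *loginPassword,
                               const char *service, const char *account,
                               char *out, size_t outLen) {
    SecKeychainRef keychain = NULL;

    // Step 1: name the keychain explicitly. Inside a SecurityAgent mechanism the
    // default keychain belongs to whatever user the plugin runs as (often root),
    // not to the user who is logging in, so the default search list is wrong here.
    OSStatus status = SecKeychainOpen(keychainPath, &keychain);
    if (status != errSecSuccess) {
        logStatus("SecKeychainOpen", status);
        return false;
    }

    // Step 2: unlock it. A locked keychain cannot be read without a prompt, and
    // there is no UI to prompt from inside an authorization plugin.
    status = SecKeychainUnlock(keychain, (UInt32)strlen(loginPassword), loginPassword, true);
    if (status != errSecSuccess) {
        // errSecAuthFailed (-25293, the code from the question) at this step means
        // the supplied password does not open this particular keychain file.
        logStatus("SecKeychainUnlock", status);
        CFRelease(keychain);
        return false;
    }

    // Step 3: look the item up in this keychain only, not the default search list.
    UInt32 pwLen = 0;
    void *pwData = NULL;
    status = SecKeychainFindGenericPassword(keychain,
                                            (UInt32)strlen(service), service,
                                            (UInt32)strlen(account), account,
                                            &pwLen, &pwData, NULL);
    bool ok = false;
    if (status == errSecSuccess) {
        if (pwLen < outLen) {
            memcpy(out, pwData, pwLen);
            out[pwLen] = '\0';
            ok = true;
        }
        SecKeychainItemFreeContent(NULL, pwData);
    } else {
        logStatus("SecKeychainFindGenericPassword", status);
    }

    // Re-lock when done: unlocking only makes the item reachable; the item's ACL
    // still decides whether this code can read it without a confirmation prompt.
    SecKeychainLock(keychain);
    CFRelease(keychain);
    return ok;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <keychain-path> <keychain-password>\n", argv[0]);
        return 2;
    }
    char secret[512];
    // "my-service" / "my-account" are placeholder names for this example.
    if (!readStoredPassword(argv[1], argv[2], "my-service", "my-account",
                            secret, sizeof secret)) {
        return 1;
    }
    // Report only the length; never log the secret itself.
    printf("found %zu bytes\n", strlen(secret));
    memset(secret, 0, sizeof secret);
    return 0;
}
```

Each step reports its own status code, so a failure at SecKeychainOpen or SecKeychainUnlock is distinguishable from an ACL failure at SecKeychainFindGenericPassword; the question's -25293 is only meaningful once you know which of the three calls produced it.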



Source: https://stackoverflow.com/questions/24561216/error-acessing-keychain-item-from-os-x-authorization-plugin
