How to access the login keychain of all users when running as root?

Hi,

I'm developing an app that saves some passwords in the login keychain. There is a requirement that we need to provide an IT tool to help management. One of the IT tool's features is to regenerate the app's keychain passwords for ALL users.

The IT tool is designed to run as root, so permission is not a problem. I studied the keychain API and found this is most likely the one:

OSStatus SecKeychainOpen(const char *pathName, SecKeychainRef _Nullable *keychain);

But it has been deprecated since 10.10. The app is designed to run on macOS 11 - 14.

What is the proper way to access the login keychain of all users as root? Thanks.

Answered by DTS Engineer in 774645022

But it is deprecated from 10.10.

That API is deprecated because the whole concept of file-based keychain is effectively deprecated. The future of keychains on the Mac is the data protection keychain. See TN3137 On Mac keychain APIs and implementations for more background on this.

Given that, it’s fine to use SecKeychainOpen for your current task. It’ll continue to work for any file-based keychains.

However, this speaks to a larger problem, namely that this won’t work for your user’s data protection keychain. There is no API to manipulate another user’s data protection keychain and, honestly, I think it’s unlikely that we’ll add one. In the long term you’ll have to explore an alternative approach to this overall task.

How do you achieve this goal on iOS?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the reply!

The app is designed for macOS only, and the passwords won't be synced to iCloud. So I think the file-based keychain is enough for now.

But yes, in the long term it could be a problem. Is it possible to access other users' data protection keychains using a command-line tool like security?

Lacking substantial context, so making some quite-possibly-wrong assumptions...

Can you go after this password change from the server side, with what amounts to a forced password change setting? You can either accept and validate the password and force the password change on the server (probably preferable), or accept any password (hazardous) and require a new password or (probably better) passkey to be established.

This server-side change might also require a little work on the client, depending on the details.

And forced-password change mechanisms are baked into pretty much all enterprise directories, which means any installation involving a directory is going to have to contend with a server-requested password reset anyway.

Backing up a step or two, this feature is right on the edge of a denial-of-service mechanism combined with a means for compromising existing accounts, too. If users can trigger this global reset, miscreants might well eventually explore its implementation details.

Sorry for late reply. I'm busy these days.

The implementation is about saving an SSH key passphrase into the keychain, so it must be saved locally. The SSH agent can save it using "ssh-add --apple-use-keychain", but that doesn't work with the libssh binding, so I have to save/load the passphrase without the agent. Then there is an issue when the IT tool needs to renew all users' SSH keys.

Thanks to @Hoffman, I came up with an idea: set a global date flag. If the app finds at startup that the SSH key is older than the global date, it expires and renews it. This method doesn't require the IT tool to access other users' keychains and works with the data protection keychain. Perfect :-)
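A sketch of the global date flag approach described above, as an added Swift example that is not code from the thread or from the poster's app. The service and account names and the policy-file path are assumptions; the check reads the passphrase item's modification date from the user's own data protection keychain and trusts the IT tool's cut-off date only when it comes from a root-owned file that ordinary users cannot write.

```swift
import Foundation
import Security

// Assumed identifiers (not from the thread): the generic-password item that holds the
// SSH key passphrase, and the root-owned file in which the IT tool writes the cut-off date.
let policyPath = "/Library/Application Support/ExampleSSHTool/renew-before.txt"
let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.sshtool.passphrase",
    kSecAttrAccount as String: "id_ed25519",
    kSecUseDataProtectionKeychain as String: true,
]

/// When the passphrase item was last written, or nil if the user has none yet.
/// Runs in the user's own session, so no root access to another keychain is needed.
func passphraseItemDate() -> Date? {
    var query = baseQuery
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let attrs = item as? [String: Any] else { return nil }
    return attrs[kSecAttrModificationDate as String] as? Date
}

/// The global cut-off date (ISO 8601, e.g. "2024-05-01T00:00:00Z"). Trusted only if the
/// file is root-owned and not group/world writable, so a user cannot forge or suppress it.
func trustedPolicyDate() -> Date? {
    guard let attrs = try? FileManager.default.attributesOfItem(atPath: policyPath),
          (attrs[.ownerAccountID] as? NSNumber)?.intValue == 0,
          ((attrs[.posixPermissions] as? NSNumber)?.intValue ?? 0o777) & 0o022 == 0,
          let text = try? String(contentsOfFile: policyPath, encoding: .utf8)
    else { return nil }
    return ISO8601DateFormatter().date(from: text.trimmingCharacters(in: .whitespacesAndNewlines))
}

/// Renewal is due when there is no item or the item predates the cut-off.
func needsRenewal(itemDate: Date?, cutoff: Date) -> Bool {
    guard let itemDate = itemDate else { return true }
    return itemDate < cutoff
}

// Startup check: drop the stale passphrase so the app's normal key-generation
// path runs again and stores a fresh one.
if let cutoff = trustedPolicyDate(),
   needsRenewal(itemDate: passphraseItemDate(), cutoff: cutoff) {
    SecItemDelete(baseQuery as CFDictionary)
    // regenerateKeyAndStorePassphrase()  // the app's existing path, not shown here
}
```

Using the data protection keychain from a macOS app requires the app to be signed with a keychain access group entitlement; TN3137 covers the details.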

Is it possible to access other user's data protection keychain using command-line tool like security?

No. The majority of subcommands supported by the security tool only work with the file-based keychain.

This method doesn't require the IT tool to access other users' keychains and works with the data protection keychain.

Nice!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
