What Has Been Implemented
Replaced the default loginwindow:login with a custom authorization plugin. The plugin:
- Performs primary OTP authentication.
- Displays a custom password prompt.
- Validates the password using Open Directory (OD) APIs.
The next scenario was handling a password change:
- Password change is simulated via: sudo pwpolicy -u robo -setpolicy "newPasswordRequired=1"
On next login:
- Plugin retrieves the old password.
- OD API returns kODErrorCredentialsPasswordChangeRequired.
- Triggers a custom change password window to collect and set new password.
Issue Observed: After changing the password:
- The user’s login keychain resets.
- Custom entries under the login keychain are removed.
We have tried a few solutions:
- Using the API: SecKeychainChangePassword(...)
- Using the CLI: security set-keychain-password -o oldpwd -p newpwd ~/Library/Keychains/login.keychain-db
These approaches appear to successfully change the keychain password, but:
- On launching Keychain Access, two password prompts appear; after authentication, the Keychain Access window doesn't appear (no app visibility).
Question: Is there a reliable way (API or CLI) to reset or update the user’s login keychain password from within the custom authorization plugin, so that:
- The keychain is not reset or lost.
- Keychain Access works normally post-login.
- The password update experience is seamless.
Thank you for your help; I appreciate your time and consideration.
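For readers who want to reproduce the verify-then-change flow the question describes (old password checked via Open Directory, kODErrorCredentialsPasswordChangeRequired returned after `pwpolicy ... newPasswordRequired=1`, then a directory password change), here is an added, stand-alone Objective-C example. It is not code from the original post; it assumes a local user named "robo", a placeholder pair of old/new passwords standing in for what the plugin's own prompt would collect, and it only covers the directory side. It deliberately stops at the point the question is about: changing the directory password does nothing to the login keychain, which is the gap the poster hit.

```objc
// Added example, not from the original post. Reproduces the OD verify -> change flow.
// Assumptions: user "robo" exists locally; passwords below are placeholders for
// values the plugin's own UI would supply.
// Build: clang -fobjc-arc -framework Foundation -framework OpenDirectory odflow.m -o odflow
#import <Foundation/Foundation.h>
#import <OpenDirectory/OpenDirectory.h>

typedef NS_ENUM(NSInteger, AuthOutcome) {
    AuthOutcomeOK,              // credentials accepted, continue login
    AuthOutcomeChangeRequired,  // credentials accepted but a new password is required
    AuthOutcomeFailed           // bad password, locked account, or other error
};

// Verify the password the user typed. newPasswordRequired=1 on the account
// (set with: sudo pwpolicy -u robo -setpolicy "newPasswordRequired=1")
// surfaces as kODErrorCredentialsPasswordChangeRequired in the OD error domain.
static AuthOutcome VerifyUser(ODRecord *record, NSString *password, NSError **outError) {
    NSError *err = nil;
    if ([record verifyPassword:password error:&err]) {
        return AuthOutcomeOK;
    }
    if ([err.domain isEqualToString:ODFrameworkErrorDomain]
        && err.code == kODErrorCredentialsPasswordChangeRequired) {
        return AuthOutcomeChangeRequired;
    }
    if (outError) *outError = err;
    return AuthOutcomeFailed;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSError *err = nil;

        // The authentication search node is what a login-time plugin should query,
        // so that network accounts resolve the same way loginwindow would resolve them.
        ODNode *node = [ODNode nodeWithSession:[ODSession defaultSession]
                                          type:kODNodeTypeAuthentication
                                         error:&err];
        if (!node) { NSLog(@"no authentication node: %@", err); return 1; }

        ODRecord *record = [node recordWithRecordType:kODRecordTypeUsers
                                                 name:@"robo"        // assumed test user
                                           attributes:nil
                                                error:&err];
        if (!record) { NSLog(@"no such user: %@", err); return 1; }

        NSString *oldPassword = @"old-password-from-prompt";   // placeholder
        NSString *newPassword = @"new-password-from-prompt";   // placeholder

        switch (VerifyUser(record, oldPassword, &err)) {
            case AuthOutcomeOK:
                NSLog(@"password accepted; continue login");
                break;

            case AuthOutcomeChangeRequired:
                // This is the point where the plugin shows its change-password window.
                if ([record changePassword:oldPassword toPassword:newPassword error:&err]) {
                    NSLog(@"directory password changed");
                    // Note: nothing here touches ~/Library/Keychains/login.keychain-db.
                    // The login keychain is still protected by oldPassword after this
                    // call, which is exactly the mismatch the question is about.
                } else {
                    NSLog(@"password change failed: %@", err);
                    return 1;
                }
                break;

            case AuthOutcomeFailed:
                NSLog(@"verification failed: %@", err);
                return 1;
        }
    }
    return 0;
}
```

Run it as the logged-in user after setting the policy with pwpolicy; on a fresh account the first path prints "password accepted", and after `newPasswordRequired=1` the change-required branch runs. The keychain mismatch it leaves behind is intentional: it shows why the directory change alone does not carry the login keychain along with it.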
Is there a reliable way … to reset or update the user’s login keychain password from within the custom authorization plugin
No.
Historically, changing a user’s password was easy, but that’s most definitely not the case these days. I have a bunch of backstory about that on this thread.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"