13 Replies Latest reply on Oct 18, 2011 9:16 PM by DavidJondreau

    Disable (Keychain?) password recording?

    dataWolf


      How can I remove the ability to save the password? It seems like the stupidest thing in the world to allow end users to save their password. We tell them not to, but at least one person has saved their password so anyone who uses the computer can log in as them into sensitive data. How can I turn it off?

      I don't know whether this is a FM thing or maybe it's keychain. If people are going to work at home I can't turn key chain off on their computers since I don't have access to their computers. But if someone knows how to disable the keychain if that's what is doing it, maybe I could at least require them to disable keychain (and hope they don't access from new computer).

      As an administrator I would like the ability to "Do not allow user to save password". 

      thanks!

        • 1. Re: Disable (Keychain?) password recording?
          RickWhitelaw

          Each person using a given machine should have an individual account on the machine. The machine should require a password even to unlock a screensaver and awake from sleep (and it should sleep after a very short time of inactivity). The problem isn't with FM. It's with lax machine-level security. If a person can't access the OS level account then they have no access to a Keychain. Simple!

          RW

          • 2. Re: Disable (Keychain?) password recording?
            FentonJones

            I agree with Rick, that every machine needs to lock itself. That's an OS thing, which I imagine you know about. But, since you asked, I messed about with AppleScript a bit, to see what could be done about FileMaker Keychain entries. It is possible to read them, and to even delete them. The following AppleScript can do that. I've commented out the "delete" line, so this will just read them. You'd have to run this on each machine (unless you have a way to run it as the admin remotely; I don't know how myself, more of a dilettante than expert). And of course it doesn't stop them storing them again. But it would allow you to bust people who do.

            It would also be possible to run this from FileMaker's Perform AppleScript step. If you ran this as part of a Startup script, I wonder whether it would immediately delete the one they just stored? Likely. I'll leave you to test, as I don't really want to delete all mine. You could also add a further If test to only delete one of a specific name.


            -- Walk every keychain and collect the generic password items whose
            -- creator code is FMP7, i.e. entries saved by FileMaker. This version
            -- only reads; the delete line is left commented out.
            tell application "Keychain Scripting"
                launch
                set my_keychains to (every keychain)
                set {FM_keys, FM_names} to {{}, {}}
                repeat with k in my_keychains
                    -- skip the system and certificate keychains
                    if name of k is not "System.keychain" and name of k is not "Microsoft_Intermediate_Certificates" then
                        unlock k
                        set my_keys to every generic key of k
                        repeat with i from 1 to count of my_keys
                            set key_type to creator type of item i of my_keys
                            if key_type is «class FMP7» then
                                set end of FM_keys to item i of my_keys
                                set end of FM_names to name of item i of my_keys
                                --delete item i of my_keys
                            end if
                        end repeat
                        lock k
                    end if
                end repeat
                --FM_keys
                FM_names -- result: names of the FileMaker entries found
            end tell

            P.S. "«class FMP7»" identifies FileMaker keychain entries, those are "chevrons", not "<<" ">>", but I can't remember how to type them.

            • 3. Re: Disable (Keychain?) password recording?
              FentonJones

              Yes, it works. Run via Perform AppleScript, at the end of a Startup script, it deletes the keys (just one key in this case, which I tested for). It got some kind of AppleScript access error afterwards. So put Set Error Capture ["On"] before the Perform AppleScript step. Then it seems to be fine. I suppose Allow User Abort ["Off"] is also a good idea.

              It does take a second or two (at least, depends on computer speed and number of keychain entries).

              P.S. I was not able to Find only the FileMaker ones.
              whose creator type is «FMP7»
              does not seem to work

              • 4. Re: Disable (Keychain?) password recording?
                FentonJones

                Here is a slimmed down (slightly) faster version. It does not return a list of the names, nor does it delete ALL your FileMaker keychain entries, it just deletes one if it matches one you enter at the top. This one has the Delete line turned ON. 

                P.S. The error I got before was because I had "System" instead of "System.keychain" I think. This one does not get any error. You might still want Set Error Capture ["On"] though.

                -- Names of the FileMaker keychain entries to remove; edit this list.
                set keys_to_delete to {"AMS_Master", "some other key"}

                tell application "Keychain Scripting"
                    launch
                    set my_keychains to (every keychain)
                    set {FM_keys, FM_names} to {{}, {}}
                    repeat with k in my_keychains
                        -- skip the system and certificate keychains
                        if name of k is not "System.keychain" and name of k is not "Microsoft_Intermediate_Certificates" then
                            unlock k
                            set my_keys to every generic key of k
                            repeat with i from 1 to count of my_keys
                                set key_type to creator type of item i of my_keys
                                -- only FileMaker entries (creator code FMP7)
                                if key_type is «class FMP7» then
                                    set FM_name to name of item i of my_keys
                                    if FM_name is in keys_to_delete then
                                        delete item i of my_keys
                                    end if
                                end if
                            end repeat
                            -- lock k
                        end if
                    end repeat
                end tell

                • 5. Re: Disable (Keychain?) password recording?
                  FentonJones

                  OK, last version :-] This one just reads the name of the file from its window. It would therefore not work if you changed the name of the window on startup (unless you did that AFTER the Perform AppleScript step).

                  -- Use the front window's name (the FileMaker file name) as the
                  -- keychain entry to delete; run before any script renames the window.
                  set my_name to name of window 1

                  tell application "Keychain Scripting"
                      launch
                      set my_keychains to (every keychain)
                      set {FM_keys, FM_names} to {{}, {}}
                      repeat with k in my_keychains
                          -- skip the system and certificate keychains
                          if name of k is not "System.keychain" and name of k is not "Microsoft_Intermediate_Certificates" then
                              unlock k
                              set my_keys to every generic key of k
                              repeat with i from 1 to count of my_keys
                                  set key_type to creator type of item i of my_keys
                                  -- only FileMaker entries (creator code FMP7)
                                  if key_type is «class FMP7» then
                                      set FM_name to name of item i of my_keys
                                      if FM_name is my_name then
                                          delete item i of my_keys
                                      end if
                                  end if
                              end repeat
                              -- lock k
                          end if
                      end repeat
                  end tell

                  • 6. Re: Disable (Keychain?) password recording?
                    dataWolf

                    Hi guys, thanks for the help! The reason I can't do whatever Rick is suggesting is that, as I was trying to describe, these are people who would be working remotely therefore I don't have access to their machines. Actually even if I did then I would want to control it from the program since people can save it right after I leave the room so they "don't have to type it in each time and it offered to". grr

                    But your solution would work great for my purposes since I can undo it if they do do it! :)

                    So I copied and pasted your last example. In PerformApplescript I used NativeApplescript, and pasted and hit return and it gives an error "An unknown token can't go after this number" and it selects the character "1" in the first sentence. I thought perhaps it was the carriage return/blank line but I removed that and it didn't make a difference.

                    I don't AppleScript so I can't debug this myself. Can you help me get the script to run? I do not change the name of the window. I am using FMPA9 accessing FMS11

                    • 7. Re: Disable (Keychain?) password recording?
                      dataWolf

                      I think I understand now that Rick is saying that if someone else doesn't have access to the users OS account, then they can't use the saved password. Well, this is confidential information, and some users would be on laptop. If I found or stole your laptop then I can use the install disk to reset your password and bingo I have access to your confidential remote database so no, I don't consider it sufficient security to be allowed to store a password even if the OS account has a password, at least not for data that is considered confidential. My bank doesn't allow me to store my password on their website. You can steal my laptop but you still can't get into my bank account though I access it all the time from that machine.

                      • 8. Re: Disable (Keychain?) password recording?
                        RickWhitelaw

                        To DataWolf,

                        I'm not sure that what you're saying is correct. If a person steals a laptop, even rebooting with an Install disk might not grant access to a User File. Like I said, I'm not sure.

                        • 9. Re: Disable (Keychain?) password recording?
                          FentonJones

                          I just copy/pasted the above AppleScript code into a Perform AppleScript, as Native, and I got no error on compilation. It worked. Though, one thing about it. The time it takes to run depends entirely on the length of their Keychains. Takes just as long on a tiny FileMaker file as a monster.

                          I wonder if some hidden character got copied? I posted a tiny file with only the Perform AppleScript, set into a Startup script. The user/pw is the standard: user "Admin", no password.

                          Keychain_Block.fp7.zip

                          • 10. Re: Disable (Keychain?) password recording?
                            FentonJones

                            Since we were talking a bit about locking upon activation of a screensaver, I thought I'd post this Hint I ran across this morning. I'm not an IT person per se, but it sounds useful. It is about being able to unlock screensavers remotely, if the user has a different admin account from you, on his machine.

                            http://hints.macworld.com/article.php?story=20101103055948533

                            • 11. Re: Disable (Keychain?) password recording?
                              dataWolf

                              Fenton your solution has worked wonderfully for a while now. Unfortunately I have a new machine with Lion and it does not work. I get an error "Keychain Access got an error: Can’t get every «class ckc »."

                              I wonder if you could post an update to work with Lion? I still haven't programmed in AppleScript so I'm still at a loss.

                              Thanks a bunch if you do get around to it!

                              dWolf
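The AppleScript versions above (posts 2 to 5) and this Lion question both come down to finding the keychain items FileMaker saved, which carry the creator code FMP7. An added example, not from anyone in this thread: a shell audit that reads a `security dump-keychain` listing, reports the FileMaker entries by label, and prints (without running) the matching `security delete-generic-password` commands. The dump text below is constructed to mirror the attribute lines that command emits; on a real Mac you would pipe `security dump-keychain` into `fm_labels` instead.

```shell
#!/bin/sh
# Constructed sample of `security dump-keychain` output: one FileMaker entry
# (creator FMP7) and one unrelated mail password. Label is attribute 0x00000007.
SAMPLE=$(cat <<'EOF'
keychain: "/Users/demo/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="AMS_Master"
    "acct"<blob>="admin"
    "crtr"<uint32>="FMP7"
    "svce"<blob>="AMS_Master"
keychain: "/Users/demo/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="imap.example.com"
    "acct"<blob>="demo"
    "crtr"<uint32>=<NULL>
    "svce"<blob>="imap.example.com"
EOF
)

# fm_labels: read a dump on stdin, print the label of every item whose
# creator code is FMP7. Each item starts at a "keychain:" line, so the
# previous item is flushed whenever a new one begins, and once more at EOF.
fm_labels() {
  awk '
    function flush() { if (crtr == "FMP7" && label != "") print label }
    /^keychain:/ { flush(); label = ""; crtr = "" }
    /^ *0x00000007 <blob>=/ { s = $0; sub(/.*<blob>="/, "", s); sub(/"$/, "", s); label = s }
    /^ *"crtr"<uint32>="FMP7"$/ { crtr = "FMP7" }
    END { flush() }
  '
}

# delete_commands: emit one delete command per FileMaker label, filtered on
# both the label (-l) and the creator code (-c) so only FileMaker's own
# item of that name is touched. Review the output before running it.
delete_commands() {
  fm_labels | while IFS= read -r label; do
    printf 'security delete-generic-password -c FMP7 -l "%s"\n' "$label"
  done
}

printf '%s\n' "$SAMPLE" | fm_labels          # prints: AMS_Master
printf '%s\n' "$SAMPLE" | delete_commands    # prints the matching delete command
```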

                              • 12. Re: Disable (Keychain?) password recording?
                                DavidJondreau

                                You could have a dummy login account that the file is set to open with. Make those access privileges minimal. Then on file open (which now happens automatically), run a script that calls the "Re-login" script step to force the user to enter their credentials. You can't successfully keychain that.

                                • 13. Re: Disable (Keychain?) password recording?
                                  DavidJondreau

                                  "My bank doesn't allow me to store my password on their website. You can steal my laptop but you still can't get into my bank account though I access it all the time from that machine."

                                  I'm pretty sure your browser can save that password. Mine does, except for some accounts that use "mouse in" credentials.