2009/10/24

Snow Leopard pestering for keychain password

Interesting new behavior in Mac OS X 10.6 (Snow Leopard):

Services that formerly required a single authentication of the keychain (at launch) now ask every time, if the keychain is locked.

I've noticed this at least with Apple Mail and Google Contact Sync (ex: the gconsync process asks to access the keychain).

The new behavior is certainly more secure (formerly, the passwords read from the keychain had to be stored somehow, to use later, thus providing an additional potential place to steal them). However, I don't agree it's worth the trade for the level of bother.

And it forces me to either:

1) Type my keychain password frequently (some risk there; ex: if someone's watching).

OR

2) Adjust the automatic keychain locking to be less frequent - which could well result in it never being locked (since it would continually be accessed, resetting the countdown to automatic locking).

I didn't like either, so I found a way to tell Mail to check (poll) less frequently; every six hours:

defaults write /Users/mvgfr/Library/Preferences/com.apple.mail PollTime 360

(The above is to be issued to a command line prompt, all on one line. If you're not familiar with the command line, here's a beginner's guide. Standard warnings for the command line apply; if you're not careful you can do serious damage.)

This works for me, since I'm using Mail only as a backup of my mail messages; I compose and read mail in other ways.

(The Mail Preferences window allows a maximum of 60 minutes - and this is what shows when set as above, though the custom setting is thankfully maintained and not overwritten.)
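As an added example (not the post's own command), here is a small shell wrapper around the same PollTime setting that validates the interval, uses $HOME instead of the post's hard-coded user path, and reads the value back to confirm the write; it assumes macOS with the defaults tool and the com.apple.mail domain from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Sets Mail's poll interval (minutes)
# via the PollTime key the post uses and verifies it. Assumes macOS `defaults`.

# Returns 0 if $1 is a positive integer number of minutes, else 1.
valid_minutes() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# PollTime is in minutes; the post's 360 corresponds to six hours.
hours_to_minutes() {
    echo $(( $1 * 60 ))
}

set_mail_poll_minutes() {
    minutes="$1"
    valid_minutes "$minutes" || { echo "invalid interval: $minutes" >&2; return 1; }
    # Same preference file the post writes to, located via $HOME (assumption).
    domain="$HOME/Library/Preferences/com.apple.mail"
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults not found; this only works on macOS" >&2
        return 1
    fi
    before=$(defaults read "$domain" PollTime 2>/dev/null || echo "unset")
    # -int stores an integer rather than the untyped string the post writes.
    defaults write "$domain" PollTime -int "$minutes" || return 1
    after=$(defaults read "$domain" PollTime)
    echo "PollTime: $before -> $after"
    # Confirm the stored value matches what was requested.
    [ "$after" = "$minutes" ]
}
```

Note that the Mail Preferences window still displays at most 60 minutes, so read the value back with defaults rather than trusting the UI.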

Google Contact Sync (gconsync) took a little more effort; documented at the previous link. The concept may apply to other types of synching, though would require changing another parameter, since the above is specific to Google Contact Sync.

6 comments:

Marcantonio Rendino said...

Further observation shows an interesting wrinkle:

Apparently apps can now maintain a separate "unlocked" access to a keychain (or a specific item thereof), separate from the "global" locked/unlocked status of the keychain.

For example, Mail will continue to access the keychain (without prompting to authenticate) in order to automatically check incoming messages - even though the status of the keychain shows as locked (ex: by the menu extra or the Keychain Access app).

This is more granular than previous behavior, in which authenticating unlocked the keychain "globally".

Somewhat confusing due to the UI though.

Also confusing, compared to prior behavior, in that it's now necessary to authenticate for keychain access, multiple times, for multiple accesses.

George Coghill said...

How did you get Mail to have access to the keychain even when locked?

I am having the same prob since upgrading to 10.6. Worked fine in 10.5 - login keychain locked itself, but Mail could continue to access it to check mail.

There used to be an "always allow" option for keychain access dialog boxes, but I don't get that for Mail when it asks for the login password in 10.6.

Marcantonio Rendino said...

Unfortunately, even with the prior observations, I still see the same behavior as you; Mail will ask for the keychain password at "strange" times.

FWIW: I do think I see a pattern though, and I have a theory:

- Mail asks for the keychain password at launch and goes on its merry way, forever keeping your IMAP boxes in sync, with no need to ask again - UNLESS:

a) You (or some code) explicitly ask it to do something, such as: send a message, resync, etc.

b) There is a network interruption/change, including sleep.

So it looks like it starts a single IMAP session with the password gained by keychain access, and does not - as previous versions seemed to do - keep that password for future operations.

(Another seeming change: It no longer unlocks the keychain "globally", so another app will ask for the keychain right afterward, if it needs it.)

This is certainly more secure, though less convenient - especially when greeted with the "Mail needs access to the keychain!" (which floats above everything; grr), *every single time you wake the Mac up*, or your network has a hiccup, or you send a message, or...

Unfortunately I think it's a *bad* trade - like Windows pestering you constantly with its "are you sure?!" dialogs -- because it doesn't take long for the user to either totally ignore the messages, blindly OK'ing them *all* OR turn it off OR (even worse) route around (like using a trivial password).

So the *actual* security is *weakened*.

George Coghill said...

I thought I had fixed it last night, I dug through my Mail keychain items and noticed the "always allow" apps had duplicates of various mail accounts.

I deleted each and re-added Mail. Seemed to do the trick.

This morning, back to the prompt to enter the password. Ugh.

I don't set my MacPro to sleep, so that's not the cause.

I had a similar situation in the past with MobileMe, and the solution was to create a separate keychain for MobileMe that never auto-locked so the system could access & run syncs & backups.

Not a secure solution! If this persists, I will end up doing the same to my Mail passwords, again not an ideal solution.

I haven't heard a lot of griping about it, so either our situation is rare, or people just don't care/notice as much.

Personally, this is a change for the worse IMO.

Marcantonio Rendino said...

Yep; I've seen the same and agree - this is a net decrease in security.

And I filed a bug report with Apple to that effect; I suggest anyone else so inclined do the same:

Marcantonio Rendino said...

The URL to file Apple bug reports is

https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa