Using the Internet is a never-ending struggle to keep track of passwords for email servers, file servers, Web sites, and other private information. The Keychain Access software (path: /Applications/Utilities/Keychain Access) automatically stores passwords from Keychain-aware applications such as Mail and Safari. Users can also manually add their own passwords to the keychain. Later, the keychain can be unlocked to reveal the original cleartext password.
The default keychain is unlocked by your account password. Sensitive information is best placed in a secondary keychain with a different password; otherwise, a single compromise of your account unlocks access to all your information.
Read how to add new keychains in the "Managing Keychains" section later in the chapter.
Keychains and Keychain Scope
By default, all users have their own keychain named login. This is called the User keychain. Additional User keychains can be created to store specific information, such as credit card numbers, PINs, and so on. Think of the keychain as a database of your most sensitive information, all accessible through your Mac OS X account password.
In addition to User keychains, Global keychains are accessible by all users on the system. A Global keychain can be created by an administrator and shared to the other users on the system. An example of the usefulness of this feature is creating a keychain with corporate login data for intranet file servers that should be available to everyone.
User keychains are stored in ~/Library/Keychains, whereas Global keychains are located in /Library/Keychains.
Launching Keychain Access displays the contents of your default keychainnamed login. For an account that has been using the keychain to store file server passwords, HTTP authentication information, and so on, the Keychain Access window should look similar to that shown in Figure 3.32.
Figure 3.32 The Keychain Access window displays a list of stored passwords and other information.
The obvious question is, "How did these items get here?" They were added by Mac OS X applications. Typically, when an application wants to store something in the keychain, you'll be given the option of storing it. For example, when accessing a site that requires HTTP authentication, some Web browsers present a dialog box requesting a username and password, and offering to "remember" it or "add to keychain." Choosing these options automatically adds the entered password to the default keychain. Over time, your keychain could become populated with hundreds of items, and you might not ever know it!
When an application wants to access information from your keychain, it must first make sure that the keychain is unlocked. Your default Mac OS X keychain is automatically unlocked when you log in to your account, making its passwords accessible to the applications that stored them. To manually lock or unlock a keychain, click the Lock button at the top of the Keychain Access window. The Keychain Access window, along with its Dock icon, changes to reflect its security status. If an application attempts to access information on a locked keychain, it displays a dialog box, as shown in Figure 3.33. Entering the correct password (your account password for the default keychain) unlocks the keychain that your application is attempting to access. Clicking the Details disclosure pushbutton displays what keychain is being unlocked and the application making the keychain request.
Figure 3.33 If an application attempts to access data in a locked keychain, you are prompted for the keychain's password.
Even after a keychain is unlocked, an application might still need a bit more help before it can retrieve the information it needs from the keychain. Each stored piece of information can be controlled in a way that makes it accessible to only specific applications. Mail passwords, for example, are accessible only by the Mail application. If a program you just downloaded off the Internet attempts to unlock your Web or email passwords, you'll know something nefarious is afoot. Sometimes, usually after a system upgrade, you will have to re-educate your Mac OS X computer about what applications can access what passwords. This is a simple process.
When the keychain notices an unauthorized application attempting to access a piece of information, it prompts the user with a window to deny the access, allow it only once (Allow Once), or allow the application to access the information whenever it wants (Always Allow), demonstrated in Figure 3.34.
Before making a choice, always click the Details disclosure pushbutton to view which keychain is being accessed and which application wants the data. If you don't recognize the application, click Deny to disallow access.
Figure 3.34 Each application must be authorized to access a specific piece of information.
Working with Keychain Items
Users who want to access stored data, or manually add new information to a keychain, can do so through the Keychain Access program. Each item listed in the Keychain window can be viewed by selecting it. Web entries can be launched in a Web browser by selecting the resource and clicking the Go toolbar button. You can sort the Keychain item list by using View, Sort or by clicking the headings in the List view.
The lower portion of the window displays information about a keychain entry using a button bar with two entries: Attributes and Access Control.
The Attributes button as its name suggests, provides basic information about the stored information. For example, Figure 3.35 shows the attributes for an IMAP password in my default keychain. The Kind field identifies the type of information, Where shows the resource that stored the information, and Account displays the creating user account. Users can add any additional comments about the item by typing in the Comments field. Click the Show Password button to display the password in cleartext.
When you click Show Password, you often are prompted to allow Keychain Access to retrieve the data. Although this might seem strange, it is because Keychain Access itself must obey the same rules as the rest of the system. Because Keychain Access isn't listed as having unlimited access to stored items, it asks each time it needs to retrieve the information.
You can edit any of the item attributes within the Attributes pane. Click the Save Changes button in the lower-right corner to save any modifications you've made.
Figure 3.35 The Attributes pane displays what type of data is stored, and when it was added to the keychain.
The Access Control pane enables the user to pick and choose which applications can access a given piece of information in the keychain. Shown in Figure 3.36, the controls of this pane are straightforward. Click Allow All Applications to Access This Item to transparently provide access to the resource with no user interaction.
You can specify individual applications by clicking the Confirm Before Allowing Access radio button; then use the Add and Remove buttons to add and remove applications from the list. Leave the application list blank to always force a confirmation. Finally, check the Ask for Keychain Password check box to force the user to enter a password each time access is confirmed.
Figure 3.36 The Access Control pane provides control over what applications can access a piece of data.
Adding New Entries
New pieces of information can be added to the keychain by clicking the Add button in the main Keychain window or choosing File, New, then Password Item or Secure Note from the menu or clicking the Password or Note buttons in the toolbar. This action opens a new window, such as that shown in Figure 3.37, for entering the data to be stored. Enter the name or URL of the stored item in the Name field, the account name associated with the data in the Account field, and, finally, the sensitive data in the Password field. By default, the password is hidden as you type. To display the password as it is typed, click the Show Typing check box. Click Add when finished. When creating a Secure Note, only a name and note field are displayed.
Figure 3.37 New items can easily be added manually to an existing keychain.
To remove any item from the keychain (either automatically or manually entered), select its name in the list and then click the Delete toolbar button, or choose Edit, Delete.
Digital certificates are used to provide authoritative identification information for people and services online. Secure Web sites use certificates to prove that they are legitimate (as you'll see in Chapter 27). Another use, fully supported in Panther, is that of providing secure mail services to and from clients that support the S/MIME standard (see http://www.rsasecurity.com/standards/smime/faq.html for details).
To support encryption in mail, you must add an X.509 digital certificate containing a private and public key. The public key is used to sign outgoing messages so that other users can encrypt mail to you, which, subsequently is decrypted with your private key. Other users who sign their outgoing messages with their public key (using the S/MIME standard) can send you mail, and the Mac OS X Mail application automatically saves a certificate with their public key to your keychain. This, in turn, allows you to send encrypted messages to that person.
To obtain a certificate for signing mail, contact a Certificate Authority (CA), such as http://www.verisign.com/products/class1/index.html or http://www.thawte.com/html/COMMUNITY/personal/. Or do a Google search for "free email certificate" to turn up several dozen free options.
Unfortunately, not many certificate services (if any) can easily provide the certificates in a format that is Mac OS X "Mail" ready. As a result, it is difficult to predict how you will "get" your certificate. Some users in similar situations report success importing the certificates into browsers such as Netscape (http://www.netscape.com) or Opera (http://www.opera.com) and then using the export options in these browsers to save the certificate in a .cer, .crt, or .p7c (among others) file. I've personally had success importing the certificate into Outlook (most certificate services are already set up to import into Outlook) and then exporting from Outlook. Whatever your technique, you should eventually end up with a certificate that can be imported into Keychain Access.
To import a certificate, double-click it (if it is a recognized type), or choose File, Import and choose the file. Keychain Access displays an import dialog box, as shown in Figure 3.38.
Figure 3.38 Import a digital certificate into Keychain Access.
Choose the keychain to add the certificate to and then click OK. If you want to view the certificate before saving it, click the View Certificates button. After an S/MIME certificate has been added, the encryption features "appear" in Mail, as described in Chapter 4.
Certificates can be selected in the Keychain element list to view their contents and change their Trust settings. Trust Settings can be altered such that permission is required each time a certificate is accessed, or a certificate is always trusted.
Each user account can have as many keychains as needed, including systemwide Global keychains. Click the Keychains toolbar button to manage the keychains stored in your user account; the window drawer shown in Figure 3.39 appears.
Figure 3.39 Use the Keychain List to manage your available keychains.
As mentioned earlier, a default keychain is generated for each user account named login. Also included is a default Global keychain named System shared throughout all user accounts.
New keychains can be created by choosing File, New Keychain. You are prompted for a name and a save location for the keychain. The default for a User keychain is ~/Library/Keychains; Global keychains should be stored in /Library/Keychains.
Next, you need to enter a passphrase that unlocks the new keychain. It's best to choose something different from your account password to prevent people who might gain access to your account from seeing your most sensitive information. If you want to add an existing keychain file (perhaps from your account on another Mac OS X machine), use File, Add Keychain from the menu, and then choose the keychain file on your drive.
When the new keychain is added or created within an account, you can switch to it by choosing its name from the Keychain window drawer. You can make a keychain your default keychain (displacing login), by choosing File, Make Keychain Default.
To move entries from one keychain to another, select the items you want to move and then drag them to the appropriate keychain in the keychain drawer.
To remove a keychain from the system, highlight its name in the list and then press the Delete key.
Unlock or lock keychains in the drawer using the Lock/Unlock toolbar icons.
You can add a Keychain menu extra to your menu bar by choosing View, Show Status in the menu bar. This extra provides the capability to lock and unlock any one of your keychains at any time.
Creating Global Keychains
Global keychains are identical to User keychains but have a flag toggled to make them available to all usersthe Global flag (surprise). You can convert any keychain to or from Global keychain status using the Keychain List (Window, Keychain List; Command-Option-L). The Keychain List is shown in Figure 3.40.
Figure 3.40 Manage User and Global keychains.
The pop-up menu at the top of the list enables you to choose between User (your keychains) and System keychains. System keychains are keychains stored at the System (/Library/Keychains) level but not necessarily Global keychains. If installing a keychain for everyone on the system, it should be stored as a System keychain and should also be set as a Global keychain.
To convert a keychain to or from global status, highlight it in the Keychain List; then use the Global check box to change its status. System Global keychains automatically show up in other users' Keychain Lists.
Keychain Settings and Passwords
The Keychain Access application has no preferences, but it does allow some control over each keychain file, such as modifying the password that unlocks the keychain. To open the settings, highlight the appropriate keychain from the Keychains drawer and then choose Edit, Change Settings for Keychain. You should see a new window, much like the one shown in Figure 3.41.
Figure 3.41 Set your keychains to lock after a certain length of time.
Within the Settings window, you can use the Lock After XX Minutes of Inactivity setting to force Mac OS X to lock a keychain if it isn't used for a certain length of time. Clicking Lock When Sleeping causes the keychain to be locked if the computer goes to sleep.
Use Edit, Change Keychain Password to edit the password that unlocks the keychain.
If you change the password on your default keychain to something other than your Mac OS X account password, it will not be automatically unlocked when you first log in.
Keychain First Aid
As you work with keychains, a variety of problems can occur, such as passwords getting out of sync and improper keychains being set as the default. The Keychain First Aid tool can repair some of these common problems for any user account on the system.
To access Keychain First Aid, choose Window, Keychain First Aid (Option-Command-A). The First Aid window, shown in Figure 3.42, appears.
Figure 3.42 Keychain First Aid can repair common Keychain problems.
To verify a user's keychain, click the Verify radio button, enter the username and password, and click the Start button. If problems are found, switch to Repair mode and then click Start again.
The options button can be used to configure what "repairs" will take place and also offers an option to reset to a "factory fresh" default keychain.
The First Aid features are best for fixing problems for users who have accidentally messed up their default login keychain. It does not fix a keychain that has suffered data corruption or recover information that has otherwise been lost. It is a tool to help you, as an administrator, handle keychain problems for your users without logging in to their accounts.
Keychain Access menus provide little additional control over what is offered in the toolbar buttons. Use the File menu to quickly lock all keychains and reset the default keychain for your account. All other functions are readily accessible from the Keychain Access window.