Getting to know your Mac: Keychain Access

CNET staff
In this installment of Getting to know your Mac, the MacFixIt editors take a look at the Keychain Access utility. Keychain Access lets you manage your passwords for everything from Web sites to servers, networks and encrypted folders. You can also use it to view and manage your certificates and to resolve problems with Keychain passwords. This article examines the different functions of Keychain Access and shows how you can put the application to work to improve your Mac experience.

Passwords
The greatest attribute of Keychain Access is the storage of passwords. As mentioned earlier, Keychain Access stores passwords for many of your most important processes. If you forget a network password or can't recall the password for a mounted volume, Keychain Access will have it stored for you.

1. Open Keychain Access, which is located in Applications > Utilities.
2. From the "Keychains" list, select a Keychain to search. The defaults are "log-in," "System," and "System Roots." Most of the information you are likely to need will be in either "log-in" or "System."
3. From the "Category" list, click on Passwords. If you have a lot of passwords, you can use the drill down triangle to select a password type (AppleShare, Application, or Internet).
4. Once you find the password you need, double-click the item and select the "Show password" check box near the bottom of the Attributes tab. Enter your administrator password and select "Allow."
5. Your password will appear, and you're ready to go.
6. From this window you may also select the Access Control tab. This will allow you to choose which applications (or all applications) have access to this password. You may also select to confirm before allowing access and require the Keychain password.
Occasionally users may experience issues with passwords in applications. Network settings and Mail settings can get confused when passwords are changed or deleted in the program and Keychain Access does not get updated. You may find that you have two passwords listed for the same account (like a Mail account for instance). In this case, delete the older passwords and this should resolve your issues in Mail. If you see passwords to programs, networks, or Web forms that you no longer access, you should delete these passwords to avoid similar confusion. 
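The duplicate-entry cleanup described above can be checked from the command line as well. The script below is an added example, not part of the original article: it parses the attribute listing produced by the `security dump-keychain` tool on macOS (the exact line layout, in particular the `"acct"<blob>=` and `"srvr"<blob>=` attribute lines, is assumed from typical output) and reports any server/account pair that appears more than once. The embedded dump is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the article): find duplicate password items in a
# keychain dump so the older copy can be removed in Keychain Access.

# Constructed sample in the assumed shape of `security dump-keychain` output
# (without -d the tool lists attributes only; no secrets are printed).
SAMPLE_DUMP='keychain: "/Users/alice/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    "acct"<blob>="alice"
    "srvr"<blob>="mail.example.com"
class: "inet"
attributes:
    "acct"<blob>="alice"
    "srvr"<blob>="mail.example.com"
class: "inet"
attributes:
    "acct"<blob>="bob"
    "srvr"<blob>="files.example.com"
'

# Reads dump text on stdin. Prints "count<TAB>server<TAB>account" for each
# pair seen more than once; exit status is 1 when duplicates exist, else 0.
find_duplicate_items() {
    awk '
        # A new "class:" line starts a new item: record the previous one.
        /^class:/ { flush() }
        /"acct"<blob>=/ { acct = value($0) }
        /"srvr"<blob>=/ { srvr = value($0) }
        # Strip everything up to the first "=" and the surrounding quotes.
        function value(line,   s) {
            s = line; sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s
        }
        function flush() {
            if (srvr != "" || acct != "") seen[srvr "\t" acct]++
            srvr = ""; acct = ""
        }
        END {
            flush()
            for (k in seen) if (seen[k] > 1) { print seen[k] "\t" k; dup = 1 }
            exit dup ? 1 : 0
        }'
}

# On a Mac, run against the real login keychain:
#   security dump-keychain | find_duplicate_items
# Offline demonstration with the constructed sample:
#   printf '%s' "$SAMPLE_DUMP" | find_duplicate_items
```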

Certificates
If you are having issues with certificates (typically an error message saying that the certificate isn't accepted because the certificate authority's root certificate isn't trusted by your computer, or that the certificate is expired or otherwise invalid), you can use Keychain Access to adjust the certificate's trust settings.

1. Obtain the root certificate from the certificate authority. Safari will display the root certificate as part of an error message. You can drag the root certificate icon to the desktop.
2. Double-click the certificate icon to open Keychain Access. Choose a Keychain from the pop-up menu and click OK. You may have to provide an administrator's username and password.
3. Double-click the certificate and click the drill down triangle for "Trust" settings.
4. To override any of the settings, select a new option from the drop-down menus.

Applications asking for access to your Keychain
When you activate any item that is protected by a password (a network connection or mail server, for example), the application will attempt to retrieve the password from your Keychain. Keychain requests your permission before providing the password to the application, and prompts you with three options:

1. Allow Once. Selecting this will do exactly what it says. The application will have permission to access this password one time and must ask again if it would like to access it again.
2. Always Allow. Selecting this option removes the need to repeatedly type in your password for applications that constantly require access to a particular password, such as Mail.
3. Deny. Selecting this will prevent the application from retrieving your password. To complete the operation, you must then enter the password manually.

Secure Notes
Keychain Access provides a handy and secure place to keep important notes, right inside the program. Simply select "Secure Notes" from the "Category" list and click the add button at the bottom of the window. Enter a name for the note and its contents and click Add.

Keychain First Aid
If you are having issues with your Keychain passwords, you can run the built-in First Aid to verify and repair them. From the Keychain Access menu, select Keychain First Aid. Enter your password, select Verify or Repair, and click Start.

Notes of caution
Changing passwords and settings can create security risks on your computer, especially if you are using a shared machine. If you are encountering password-related issues and do not feel comfortable using Keychain Access to solve them, call someone who does. Apple's phone technical support is some of the best in the business, and many local technicians are very adept at solving issues with Keychains.

Keychain Access Scenarios
There may be times when you've accessed network resources, or logged into other systems, with different credentials than those stored in your keychain. For Kerberos single sign-on events such as logging into an AFP share, this can be frustrating, since every time you access the resource it will use the supplied password and not the one from your keychain. Granted, in some instances you can log out of the service, but for others this might not be as easy. One thing Keychain Access provides is a Kerberos ticket manager (in the "Keychain Access" menu), which you can use to cancel the single sign-on event so that you are prompted for a password the next time you access a resource that requires it. If at any time you log in with the wrong credentials and cannot log out or find some way to re-authenticate, check the Kerberos ticket viewer to see if a Kerberos ticket is active. Canceling it should allow you to re-authenticate without having to restart the system.

Managing Logins
You can also use Keychain Access to manage and limit logins for specific applications. There are three options for how a password can be accessed: always allow all applications to access the password; prompt for confirmation before giving an application access to the password; or, in addition to that confirmation, require you to enter your keychain password each time you confirm an application's access. These are set by double-clicking a keychain entry and using the "Access Control" tab. With this, you can provide different levels of security for various applications, and prevent some that you might have launch automatically from accessing a password without you knowing about it. Requiring entry of the keychain password (your login password) will prevent unauthorized users at your workstation from simply clicking "Allow" and letting the application access the password.

Organizing Keychain Access
One final thing you can do is organize your passwords, which can be useful if you use Keychain Access a lot. By default, when an application stores a password in the keychain, a new entry is created with the name of that application, which can result in a keychain entry for every application (or other uniquely named resource). If you use the same login and password for various applications, you can create an "application password" entry and share it among several applications, instead of having each one create its own password entry. This can also be coupled with access-control settings so that the applications bound to that specific password can access it freely, while other applications are prompted before they access their password.

A word of note: keychain entries are supplied to applications in alphabetical order. As such, if you store user "abc" in a keychain and bind it to a program, and then do the same for user "bcd" and bind it to the same program, only user "abc"'s credentials will be supplied when the program is opened. This limitation to one login/password is usually not a problem, but if you have different credentials for logging into the same server (i.e., one set for accessing a web folder and another set for accessing a backup folder), then this is a limitation of Keychain Access, since it will only provide one set for that server.
