How to delete Keychains at logout

I’ve been asked quite a few times whether it’s possible to disable the Keychain in OS X. It is a fairly critical part of the OS, so the short answer is no, but there are workarounds that suit certain environments, particularly deleting the Keychain at logout.

Why would you want to do this?

For anyone new to the topic, the Keychain is a feature Apple introduced years ago to store users’ passwords securely and make them available to other applications. It is built into many OS X features and apps, including Mail, Safari and the Finder.

Apple also made APIs available to developers so they can integrate the Keychain into their apps. So if a developer needs a user to authenticate to use their app, they can store and retrieve credentials from the user’s Keychain.

So while this all sounds good, there are a few situations where the Keychain gets in the way. The most common is when a password policy forces users to change their password regularly.

If they have stored the old password in their Keychain for things like file servers and email and then change it, they will get Keychain errors or, worse, be locked out of some services: OS X keeps presenting the old (incorrect) password, and repeated failed attempts can trip the directory’s account lockout policy.

Another problem is when users reset their password outside of OS X. This happens a lot in schools, where students forget their passwords and have them reset in AD.

When the student next logs into a Mac that holds a local copy of their Keychain, the stored password no longer matches the login password, and they are presented with an error. This is even more likely when the Macs are shared classroom or lab machines: users leave a trail of local Keychain files on every Mac they have used, and each of those will break when the password is reset.

Deleting the Keychain at logout

A popular way to avoid this is to delete the Keychain at logout. When a user logs in and no Keychain file is present in ~/Library/Keychains, OS X creates a fresh login keychain protected by the user’s current password. So all you have to worry about is deleting the old one before that point. Bear in mind that anything stored only in that login keychain (saved website and mail passwords, client certificates and their private keys) is deleted with it, so this suits shared labs and classrooms rather than a user’s personal Mac.

The script:

	#!/bin/sh
	# Logout hooks run as root; loginwindow passes the short name of the
	# user who is logging out as $1. Fall back to $USER, and never run
	# the delete with an empty name (the glob would point at /Users//...).
	user="${1:-$USER}"
	[ -n "$user" ] || exit 0

	rm -Rf "/Users/$user/Library/Keychains/"*

	exit 0

This script simply deletes everything in the user’s ~/Library/Keychains folder, forcing OS X to create a new login keychain the next time they log in. A logout hook runs as root, not as the user, so make sure the script resolves the right home folder: loginwindow passes the short name of the user logging out as the first argument.

To create it, use a “coding” text editor (Sublime Text, TextWrangler, BBEdit, Fraise, etc.) and add the code above. Save it with a .sh extension and make sure it is executable. Because the hook will run as root, it must live somewhere only root (or an admin via sudo) can write to; otherwise any user who can edit the file gets their code run as root at every logout.

We normally recommend creating a new folder in /Library named after the company to store these types of things. If this were for Amsys, I would use the following steps to create the folder and set the necessary permissions:

  1. In the Terminal, type “sudo mkdir /Library/Amsys”
  2. Copy the script you created into the folder
  3. In the Terminal type “sudo chown -R root:wheel /Library/Amsys”
  4. In the Terminal type “sudo chmod -R 755 /Library/Amsys”

All the above commands will need to be run as an admin user.

Getting the script to run

Once all this is in place you need to get the script to run each time a user logs out. To do this, you can add a new Logout Hook:

In the Terminal, type:

sudo defaults write com.apple.loginwindow LogoutHook /Library/Amsys/name_of_script.sh

You just need to adjust the path based on your company folder name and change “name_of_script.sh” to whatever you called the script when you saved it.
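As an added example (this is not the Amsys procedure above verbatim), the whole installation as one script: it creates the company folder, copies the hook into place, sets root:wheel and 755, and, before registering the hook, checks that neither the script nor its folder is writable by group or others and that both are owned by root. That check is the security-relevant part: loginwindow runs a logout hook as root, so a hook file that any local user can edit is a local root escalation. The folder name /Library/Amsys and the script name delete_keychains.sh are assumptions; the stat flags differ between macOS (BSD stat) and GNU stat, hence the uname switch.

```shell
#!/bin/sh
# Added example: install a keychain-deleting logout hook safely.
# Assumed names: /Library/Amsys for the company folder, delete_keychains.sh
# for the hook. Run as: sudo sh install_logout_hook.sh /path/to/your/script.sh

HOOK_DIR=/Library/Amsys
HOOK_NAME=delete_keychains.sh

# Permission bits of a path as octal digits; BSD stat on macOS, GNU stat elsewhere.
perm_of() {
    if [ "$(uname)" = Darwin ]; then
        stat -f %Lp "$1"
    else
        stat -c %a "$1"
    fi
}

# Numeric owner of a path, same portability split.
uid_of() {
    if [ "$(uname)" = Darwin ]; then
        stat -f %u "$1"
    else
        stat -c %u "$1"
    fi
}

# 0 if the path exists and has neither the group- nor the world-write bit (mask 022).
not_writable_by_others() {
    [ -e "$1" ] || return 1
    [ $(( 0$(perm_of "$1") & 022 )) -eq 0 ]
}

# 0 if the path exists and is owned by root.
owned_by_root() {
    [ -e "$1" ] || return 1
    [ "$(uid_of "$1")" -eq 0 ]
}

# 0 if a hook path is safe to hand to loginwindow: absolute, a regular executable
# file, and neither it nor its directory can be modified by a non-root user.
hook_is_safe() {
    case "$1" in /*) ;; *) return 1 ;; esac
    [ -f "$1" ] && [ -x "$1" ] || return 1
    not_writable_by_others "$1" && owned_by_root "$1" || return 1
    dir=$(dirname "$1")
    not_writable_by_others "$dir" && owned_by_root "$dir"
}

# Copy the script into the company folder, lock it down, verify, then register it.
install_hook() {
    src=$1
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; return 1; }
    [ -f "$src" ] || { echo "no such script: $src" >&2; return 1; }
    mkdir -p "$HOOK_DIR"
    cp "$src" "$HOOK_DIR/$HOOK_NAME"
    chown -R root:wheel "$HOOK_DIR"
    chmod -R 755 "$HOOK_DIR"
    hook_is_safe "$HOOK_DIR/$HOOK_NAME" || { echo "refusing to register an unsafe hook" >&2; return 1; }
    defaults write com.apple.loginwindow LogoutHook "$HOOK_DIR/$HOOK_NAME"
    # Read it back so a typo in the path shows up now rather than at the next logout.
    defaults read com.apple.loginwindow LogoutHook
}

# Only install when run directly with an argument; sourcing the file just defines the functions.
if [ $# -eq 1 ]; then
    install_hook "$1"
fi
```

hook_is_safe is worth running on its own after any later change to the folder (a helpful admin doing chmod -R 777 to “fix” a permissions problem is the usual way a hook ends up world-writable), and the final defaults read is the quickest confirmation that the key landed in root’s com.apple.loginwindow domain rather than your own.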

A note about Logout Hooks

When you use the defaults command to add a login or logout hook, you are adding a key to com.apple.loginwindow.plist (root’s copy, under /var/root/Library/Preferences, because the command is run with sudo). Apple has deprecated this functionality, meaning it may be removed in a future release of OS X. That is fine for login hooks, as launchd jobs (a LaunchAgent run at login) can replace them. It does, however, present a problem for logout hooks, as there is no equivalent replacement.

There have been a few creative alternatives popping up on the Internet, but Apple has not indicated any plans to replace the functionality. So while it works for now, this is worth taking into account when choosing to set up logout hooks.

7 Replies to "How to delete Keychains at logout"

  • Matt K

    Could this be done at login with a LaunchAgent instead of logout? Maybe the keychain is checked before the LaunchAgent runs so it wouldn’t work, just a thought.

  • We were doing a related bit of work on keychains recently and it looks like any checks made by the OS are at a very early stage of the login process. I could be wrong but I suspect a launch agent would be too late.

  • Matt K

    I tested using a LaunchAgent to delete keychains at login. The problem is that if you delete at login, a new login.keychain is never created. You don’t get prompted for the old keychain password, but when you open safari you get a message “A keychain cannot be found…” If you delete at logout or restart the login.keychain is created using the login password without prompts.

    It’s worth noting that ADPassmon v2 in features added by MacMule handles some of this but through prompts rather than in an automated way.

    • Alan S

      I also tried deleting at login, and it definitely doesn’t work. Since the logout hook is officially deprecated (though still works) and since login is not a working trigger, I went with a LaunchDaemon instead that deletes all keychains at boot time (with the shared computers rebooting every day).

      There are fringe situations this wouldn’t cover (someone logs into a shared computer at the beginning of the day, changes her AD password somewhere else, and then returns to the shared computer later in the day before a reboot), but it covers 99.9999% of cases for us.

  • Lee S

    I have the logout hook configured for the keychain to delete at logout, which works very well. The only issue I have noted is that users who use the Mail application end up getting their AD account locked out the next time they log in and access Mail. Has anyone else experienced this and found a solution?

  • Offset is a utility that can run packages and scripts at login and logout which when combined with this script makes a good lab environment addition.
