From: Wout M. <wme...@ci...> - 2007-12-19 13:03:36
Use the systemkeychain -C command to create a new system keychain on each system and make the resulting files negative (i.e. not managed by radmind).

Usage:
    systemkeychain -C [passphrase]                              # (re)create system root keychain
    systemkeychain [-k destination-keychain] -s source-keychain ...
    systemkeychain -T token-protected-keychain-name

Contrary to 10.4, 10.5 now has a manpage, great! :-)

Anyway, the system keychain is used to store WiFi passwords for auto-connecting etc. Not something you want to manage across all systems, most likely.

Cheers,
Wout.

On Dec 17, 2007, at 11:29 PM, Greg Neagle wrote:

> Several weeks ago, there was a discussion here on what to put in the
> Leopard base negative transcript. I flagged lots of filesystem items
> for consideration. I've discovered an issue with this item:
>
> /private/var/db/SystemKey
>
> After some experimenting, this appears to be the key used to
> unlock /Library/Keychains/System.keychain. Both files are created
> during the OS install, and are a matched set - if you use a
> /private/var/db/SystemKey file from a separate install of Leopard,
> you'll see messages like this in the system log on startup:
>
> Dec 17 14:02:44 aquaman _mdnsresponder[56]: Recreating System.keychain because it cannot unlock; see /usr/libexec/security-checksystem
>
> and you'll find that both /Library/Keychains/System.keychain and
> /private/var/db/SystemKey have been moved aside with a time/datestamp
> and replaced with freshly generated files. Unfortunately, the new
> /Library/Keychains/System.keychain is empty, which is probably not
> what you want.
>
> I fixed this problem for myself by copying over both files from a
> fresh Leopard install on another machine, then merging them into my
> 10.5.1 transcript (and removing /private/var/db/SystemKey from the
> negative transcript).
>
> So it appears that /private/var/db/SystemKey must be in a positive
> transcript, and both files must be captured from the same install
> run.
>
> I'm guessing that this is a small security measure - if an
> attacker managed to unlock the System.keychain on one machine, he/she
> would not necessarily be able to do so on another. If you use
> radmind to manage both files on all your machines, they will be able
> to be unlocked with the same password, so be aware of this lessening
> of security.
>
> This may also mean that you cannot simply put all of /private/var/db
> in a negative transcript unless you have an alternate way to ensure
> that /private/var/db/SystemKey is the correct key for your specific
> /Library/Keychains/System.keychain.
>
> -Greg
>
> _______________________________________________
> Radmind-users mailing list
> https://lists.sourceforge.net/lists/listinfo/radmind-users
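The syslog line Greg quotes is the one signal an administrator gets that a host's System.keychain was silently regenerated (and therefore emptied) because its SystemKey did not match. The following is an added POSIX shell example, not part of the original thread or of radmind, that pulls the affected hostnames out of collected log lines so a fleet can be checked after a radmind run; the log lines are constructed here to mirror the message format in the post, and the hostname position (fourth whitespace-separated field of a classic syslog line) is an assumption about that format.

```shell
#!/bin/sh
# Constructed sample syslog lines (not real hosts); the first and third
# carry the message Leopard logs when SystemKey cannot unlock the keychain.
SAMPLE_LOG='Dec 17 14:02:44 aquaman _mdnsresponder[56]: Recreating System.keychain because it cannot unlock; see /usr/libexec/security-checksystem
Dec 17 14:02:45 aquaman kernel[0]: unrelated startup message
Dec 17 14:05:10 batman _mdnsresponder[55]: Recreating System.keychain because it cannot unlock; see /usr/libexec/security-checksystem
Dec 17 14:06:00 robin configd[14]: network configuration changed'

# keychain_recreated_hosts LOGTEXT
# Prints, one per line and deduplicated, the hostname of every log line
# reporting that System.keychain was recreated. Assumes the classic
# "Mon DD HH:MM:SS host process[pid]: message" syslog layout.
keychain_recreated_hosts() {
    printf '%s\n' "$1" \
        | awk '/Recreating System\.keychain because it cannot unlock/ { print $4 }' \
        | sort -u
}

# keychain_recreated_count LOGTEXT
# Number of distinct hosts that lost their system keychain contents;
# non-zero means SystemKey and System.keychain were not captured as a
# matched pair in the transcript that was applied.
keychain_recreated_count() {
    keychain_recreated_hosts "$1" | wc -l | tr -d ' '
}

# Usage when run directly: feed a merged log file, or fall back to the sample.
if [ "${1:-}" = "--run" ]; then
    if [ -n "${2:-}" ] && [ -r "$2" ]; then
        keychain_recreated_hosts "$(cat "$2")"
    else
        keychain_recreated_hosts "$SAMPLE_LOG"
    fi
fi
```

Running `sh script.sh --run /path/to/merged/system.log` prints one hostname per affected machine; any output means the freshly generated, empty keychain is now in place on that host and the stored WiFi credentials are gone, which is exactly the condition a per-host `systemkeychain -C` with negative transcript entries (Wout's suggestion) or a matched positive pair (Greg's fix) is meant to avoid.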