
avoiding keychain issues


This topic is 5322 days old. Please don't post here. Open a new topic instead.


I've got a handful of users in an office setting that will use whatever Mac workstation is handy. There is only one account per machine. Users don't have individual accounts.

Some of the users are entering username/password combos and having the keychain save that when opening the FM files.

Since different users have different permissions, I need a way of bypassing the keychain from within Filemaker.

I've come up with the following set up and would like some feedback.

I've set up a new account with very limited privileges (access to only one layout, two fields) and implemented this start up script:

Any thoughts or comments would be appreciated.

Username Pass Dialog

#START SCRIPT
#
#Ignore all keychained passwords and use minimal Open account
Re-Login [ Account Name: "Open"; Password: "open" ] [ No dialog ]
#
#Go to Opening page
Go to Layout [ “Opening” ]
#
#Set loop count
Set Variable [ $loop; Value:1 ]
#Loop, pausing for user to enter username/password
Loop
    Set Error Capture [ On ]
    Show Custom Dialog [ Title: "Login"; Message: "Please enter your username and password" & If($loop > 1; " again") & "."; Buttons: “OK”, “Cancel”; Input #1: Opening::User Name, "Username"; Input #2: Opening::Password, Password, "Password" ]
    #Set close variable and Exit loop if user cancels
    If [ Get(LastError) = 1 ]
        Set Variable [ $close; Value:1 ]
        Exit Loop If [ 1 ]
    End If
    #
    #Re-log in, clear fields
    Re-Login [ Account Name: Opening::User Name; Password: Opening::Password ] [ No dialog ]
    Set Error Capture [ Off ]
    Set Field [ Opening::Password; "" ]
    Set Field [ Opening::User Name; "" ]
    #
    #If user doesn't fail to enter non-open user/pass, exit loop.
    Exit Loop If [ Get(AccountName) ≠ "Open" ]
    #
    #Check attempt number, if 3, exit loop and set $close to 1
    If [ $loop ≥ 3 ]
        Set Variable [ $close; Value:1 ]
        Exit Loop If [ 1 ]
    End If
    #
    #increment loop and loop again
    Set Variable [ $loop; Value:1+ $loop ]
End Loop
#
#If user canceled or failed to enter correct combination in 3 tries, close file.
If [ $close ]
    Close File [ Current File ]
Else If [ 1 ]
    Perform Script [ “Open” ]
End If
#
#
#END SCRIPT

Link to comment

I don't have access to 2 of the machines (remote users). I guess I could try to walk them through it over the phone, but I HATE over the phone tech support with unsophisticated users.

Is there AppleScript that will do this (those users are on Macs)?

________

Also, I like to make my apps as maintenance-free as possible. If they add another machine, instead of simply e-mailing a link to the host, I've got to change settings on the machine.

Link to comment

It would be possible to script deletion of FileMaker entries in a keychain. But if it screws up and deletes other entries, people are going to be pretty pissed off, I would think. (You can find only the FileMaker ones though, as you can see in the AppleScript below.)

It is actually not that difficult for people to do this manually. Because you can launch Keychain Access, look at a keychain (they may have more than one with these entries; I have 2), sort by the Kind column. "FileMaker Pro password" is one of the kinds. I imagine you can Delete several at once (not going to try it tho).

Also, there is nothing to stop them adding them again. It's their computer after all. Remember, they added these in the first place. I suppose you could Lock their keychains (they'd have to agree and authorize it for each); but that might cripple them for all kinds of things. And they could always Unlock them. I don't know that there is an "exclude applications" list in Keychain Access.

Yes, it could be done with AppleScript. It may however require them to authorize once or twice. But it is a scary proposition, messing with Keychains, especially those of others.

Here's an AppleScript I wrote to show me my FileMaker entries. I included, but commented out a line to Delete them (not going to test that). I also commented out a line to Lock each keychain. Use at your own risk.


tell application "Keychain Scripting"
	launch
	set my_keychains to (every keychain)
	set {FM_keys, FM_names} to {{}, {}}
	repeat with k in my_keychains
		if name of k is not "System" and name of k is not "Microsoft_Intermediate_Certificates" then
			unlock k
			set my_keys to every generic key of k
			repeat with i from 1 to count of my_keys
				set key_type to creator type of item i of my_keys
				if key_type is «class FMP7» then
					set end of FM_keys to item i of my_keys
					set end of FM_names to name of item i of my_keys
					--delete item i of my_keys
				end if
			end repeat
			-- lock k
		end if
	end repeat
	FM_keys
	-- FM_names
end tell

Link to comment
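The same read-only inventory as the AppleScript in the post above, as an added example that is not part of the original thread: it parses text in the layout printed by macOS `security dump-keychain` and lists generic-password items whose creator code is FMP7. The sample dump is constructed, and reading the file name from `svce` and the login from `acct` is an assumption about how FileMaker fills those attributes.

```python
import re
# Constructed sample in the attribute layout of `security dump-keychain` (no secrets shown).
SAMPLE_DUMP = '''keychain: "/Users/shared/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="jsmith"
    "crtr"<uint32>="FMP7"
    "desc"<blob>="FileMaker Pro password"
    "svce"<blob>="Invoices"
keychain: "/Users/shared/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="office@example.com"
    "crtr"<uint32>=<NULL>
    "srvr"<blob>="mail.example.com"
keychain: "/Users/shared/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="admin"
    "crtr"<uint32>="FMP7"
    "svce"<blob>="Payroll"
'''

# Matches quoted four-character attribute names with a quoted value; <NULL> values are skipped.
ATTR = re.compile(r'^\s+"(\w{4})"<\w+>="(.*)"\s*$')

def parse_items(dump):
    """Split dump-keychain text into one dict per keychain item."""
    items, cur = [], None
    for line in dump.splitlines():
        if line.startswith("keychain: "):
            cur = {"keychain": line.split('"')[1]}
            items.append(cur)
        elif cur is not None and line.startswith("class: "):
            cur["class"] = line[len("class: "):].strip('"')
        elif cur is not None:
            m = ATTR.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    return items

def filemaker_entries(dump, creator="FMP7"):
    """Return (keychain, file/service, account) for saved FileMaker logins."""
    return [(i["keychain"], i.get("svce", "?"), i.get("acct", "?"))
            for i in parse_items(dump)
            if i.get("class") == "genp" and i.get("crtr") == creator]

if __name__ == "__main__":
    for kc, svc, acct in filemaker_entries(SAMPLE_DUMP):
        print(f"{kc}: saved FileMaker login '{acct}' for '{svc}'")
```

On a shared workstation, a non-empty result means some account's credentials will be offered to whoever opens that file next.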

OK, here is an approach that will work for overriding stored keyChain credentials whether they are internal or external Accounts.

This relies on a start-up script with all the caveats normally attendant to such scripts.

Create a Privilege set called NoPrivs with no privileges other than execute scripts and the fmapp Extended Privilege for network access. Create some Account called, for example, LowPrivs and attach the NoPrivs Privilege Set to it.

Have the file automatically open with the LowPrivs Account and have the following script set to run:

Allow User Abort [ Off ]
Set Error Capture [ On ]
Re-Login [ ]
If [ Exact ( Get ( PrivilegeSetName ) ; "NoPrivs" ) ]
    Beep
    Beep
    Close Window [ Current Window ]
End If

What this will do is override the KeyChain and immediately force a relog modal dialog to appear. Doing anything other than entering new correct credentials should cause the file to close. Correct credentials will cause the file to open.

In the event that database visibility is in effect on the Server, the stored database credentials will be recognized for Server access. But the process for the file will click in when it is opened.

The earlier script will work, I think, but this technique is somewhat more terse.

HTH

Steven


Link to comment

I thought Re-login would allow a user to use their keychain. There's a checkbox option to do so, but using that doesn't actually bypass the re-login. It seems I don't need the globals and the standard dialog box then.

The rest of the script was to give a user three chances to login before quitting.

Thanks!

Link to comment

The rest of the script was to give a user three chances to login before quitting

You're more generous than am I. :>)

Try the script and see how it works. If they put the wrong credentials into the dialog, the file closes. If they cancel the dialog, the file closes. Tested with FileMaker Pro 10 only.

Steven

Link to comment
