How to Delete Keychains at Logout
I’ve been asked quite a few times whether it’s possible to disable the Keychain functionality in OS X. This is a fairly critical part of the OS, so the short answer is no, but there are some workarounds that suit certain environments, particularly deleting the Keychain at logout.
Why would you want to do this?
For anyone new to the topic, the Keychain is a feature Apple introduced years ago to store users’ passwords securely and make them available to other applications. The functionality is built into many OS X features and apps, such as Mail, Safari and the Finder.
Apple also made APIs available to developers so they can integrate the Keychain into their apps. So if a developer needs a user to authenticate to use their app, they can store and retrieve credentials from the user’s Keychain.
So while this all sounds good, there are a few situations where the Keychain can get in the way. The most common issue is when password policies are being used to force users to change their passwords on a regular basis.
If they have stored the old password in their Keychain for things like file servers and email and then change it, they will get Keychain errors or, worse, end up locked out of the account, because OS X keeps retrying the service with the old (incorrect) password.
Another problem is when users reset their password outside of OS X. This happens a lot in schools as students forget their passwords and have to have them reset in AD.
When the student next logs into a Mac that holds a local copy of their Keychain, the stored password no longer matches the new one and they are presented with an error. This is even more likely when the Macs are in shared classroom / lab setups: every machine a user has logged into keeps its own stale copy of their Keychain, so a single password reset breaks all of them.
Deleting the Keychain at logout
A popular way to avoid this issue is to delete the Keychain at logout. When a user logs in and no Keychain file is present in ~/Library/Keychains, the OS creates a new login Keychain protected by the password the user has just logged in with. So all you have to do is make sure the old one is gone before that point.
The script:
#!/bin/sh
# Logout hooks run as root; loginwindow passes the short name of the user logging out as $1.
user="${1:-$USER}"
[ -n "$user" ] || exit 1   # never let an empty name expand to /Users//Library/Keychains
rm -Rf "/Users/$user/Library/Keychains/"*
exit 0
This script deletes everything in the user’s ~/Library/Keychains folder, so the OS creates a fresh Keychain the next time they log in. Be clear about what that costs: every password the user has saved, plus any certificates and private keys kept in their login Keychain, are gone at each logout, and anything they save during a session only lasts until they log out. Logout hooks run as root, so the script must be owned by root and must not be writable by ordinary users (the permissions set below take care of this).
To create it, use a “coding” text editor (Sublime Text, TextWrangler, BBEdit, Fraise, etc.) and add the code above. Save it with a .sh extension in a location accessible by all user accounts, and make sure it is executable.
We normally recommend making a new folder in /Library named after the company to store these types of things. If this were for Amsys, I would use the following steps to create the folder and set the necessary permissions:
- In the Terminal, type “sudo mkdir /Library/Amsys”
- Copy the script you created into the folder
- In the Terminal, type “sudo chown -R root:wheel /Library/Amsys”
- In the Terminal, type “sudo chmod -R 755 /Library/Amsys”
All the above commands need to be run as an admin user (hence the sudo). The ownership and mode matter: the hook runs as root at every logout, so if the folder or the script were writable by a normal user, that user could swap in a script of their own and have it run as root.
Getting the script to run
Once all this is in place you need the script to run each time a user logs out. A Logout Hook does exactly that: loginwindow runs the hook as root, passing the short name of the user logging out as the first argument. To add one:
In the Terminal, type:
sudo defaults write com.apple.loginwindow LogoutHook /Library/Amsys/name_of_script.sh
You just need to adjust the path based on your company folder name and change “name_of_script.sh” to whatever you called the script when you saved it.
A note about Logout Hooks
When you use the defaults command to add a login or logout hook, you are adding entries to root’s com.apple.loginwindow.plist (under /var/root/Library/Preferences, which is why the command needs sudo). Apple has deprecated this functionality, meaning it may be removed in a future release of OS X. That is fine for login hooks, as launchd agents (LaunchAgents, which run in the user’s session at login) replace them. It does, however, present a problem for logout hooks, as there is no equivalent replacement.
There have been a few creative alternatives popping up on the Internet, but Apple has not indicated any plans to replace the functionality. So while it will work for now, this is worth taking into account when choosing to setup logout hooks.