How to install root trusted certificate via SSH ?
I already read that SecTrustSettingsSetTrustSettings requires user interaction. That mean that it requires user login and password be entered.
But is it possible to move that authetification to command line, outside UI session?
I made a sample tool that try to do this. https://github.com/DanilKorotenko/certificateTool
Accordingly to the documentation: https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/02authconcepts/authconcepts.html#//apple_ref/doc/uid/TP30000995-CH205-CJBJBGAA
If the timeout attribute is missing, the credential can be used to grant the right as long as the login session lasts, unless the credential is explicitly destroyed.
When I call function AuthorizationCopyRights, I create a shared credential (login+password).
Authorization rule com.apple.trust-settings.admin does not have timeout attribute.
security authorizationdb read com.apple.trust-settings.admin
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For modifying Trust Settings in the Admin domain. Requires entitlement or admin authentication.</string>
<key>created</key>
<real>745942864.47938299</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>745942864.47938299</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
</plist>
But. If read authd log, when running this tool, in logs we can read this:
default 18:28:43.117724+0300 authd Validating shared credential trustadmin (707) for authenticate-admin (engine 396)
default 18:28:43.117733+0300 authd credential 707 expired '0.136439 > 0' (does NOT satisfy rule) (engine 396)
It says that our credential is expired. But it should not be expired because the rule does not have timeout.
In summary, accordingly to documentation, SecTrustSettingsSetTrustSettings should not require authentification, when calling process is running as root. Because, com.apple.trust-settings.admin right rule does not have timeout, and since that root authetification on process call will create shared credential which SecTrustSettingsSetTrustSettings will use.
But in reality the behavior is different.
I found, that on some other macs, that tool works as expected. It adds trust certificate silently. May be there is some special condition for exactly this roght? May be there is some special preferences, flags or environment variables?
Steps To Reproduce
Change this constants in code before build.
const char *userLogin = "your-adminuser";
const char *userPass = "your-password";
const char *certificateName = "your-certificateFileName";
You may use testCertificate, or create our own.
- Build project.
- Connect to localhost by ssh
ssh <youruser>@localhost
- Go to build folder.
- sudo ./certificateTool
Actual result: The tool returns: SecTrustSettingsSetTrustSettings failure. Error: -60007
That means that user interaction is required.
Expected result: User interaction does not required.
accordingly to documentation, SecTrustSettingsSetTrustSettings should not require authentification, when calling process is running as root.
That doc is out of date. At some point we changed the policy to always require user authentication. I don’t remember when that was, but it’s probably more than five years ago now.
There are two common ways around this:
-
In a non-managed environment, you can trust the CA’s root certificate via the UI. If the machine is remote, use Screen Sharing.
-
In managed environments, you can install the CA’s root certificate via MDM.
I’d appreciate you filing a bug against the SecTrustSettingsSetTrustSettings documentation. Please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"