Snow Leopard keychain and password administration 101

Erik Eckel goes over the basics of troubleshooting problems with Snow Leopard's keychain and resetting account passwords.

Keychain corruption and errors are among a Mac enterprise administrator's more frustrating issues. Unfortunately, many Mac administrators are more familiar with Windows security processes. Like many, I've had to learn Mac Keychain ins and outs the hard way: under fire. Over the last month, I've had to troubleshoot Macs for which the system administrator password was no longer known or in which specific user accounts' keychains simply no longer worked properly. Here are some Snow Leopard Keychain fundamentals that may well help you, should you find yourself in the same situations.

The Mac Keychain

The Mac OS X Keychain, of course, stores passwords, security certificate information and even Web-based form data within encrypted files. Keychain information is stored in four different locations, depending upon the type of data being stored:

  • The Users\%username%\Library\Keychain\login.keychain maintains a user's local system user account login password.
  • The Users\%username%\Library\Keychain\FileVaultMaster.keychain contains the master FileVault password for the system.
  • The Users\%username%\Library\Keychain\System.keychain holds security information for numerous resources, including wireless network passwords.
  • The Users\%username%\System\Library\Keychains directory stores root certificates.

Keychain access

Administrators should employ the Keychain Access utility to troubleshoot and correct keychain errors. The utility is found within the Applications directory's Utilities folder. Using the provided console, administrators can view and edit problematic keychain entries. Note that the administrator must be logged in to the Mac using an account possessing administrative rights to make changes to keychain data.

Troubleshooting and repairing keychains

Administrators can edit a keychain entry by double-clicking it. Alternatively, administrators can create new keychain entries by clicking File | New Keychain. The default location for new keychains is within the user's Keychains folder (located within the user's Home directory).

Keychains can be deleted from directories by highlighting them and clicking File and selecting Delete Keychain. This step sometimes proves helpful when troubleshooting a failed wireless network connection, for example. With a failed entry eliminated, assigning a new password to the wireless network may enable proper authentication.

On occasions in which keychain corruption occurs, verifying and repairing the keychain entries in question sometimes corrects these issues. To repair a keychain entry, open the Keychain Access utility, select the keychain in question, click File, then select Unlock Keychain. You'll be prompted to enter the keychain's password. Once the password is entered, click Keychain Access and select Keychain First Aid. Enter the password again, and then select Verify to confirm the keychain's integrity, or select Repair to fix issues that might be found. Clicking the provided Start button begins the verification or repair.
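
A command-line pre-check that can be run in Terminal before Keychain First Aid, given here as an added example that is not part of the original article. It assumes the `security` command-line tool that ships with Mac OS X and reads the user's keychain search list from `security list-keychains`, then flags any listed keychain file that is missing, empty, or writable by group or others. The function names and the sample path are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-check keychain files before running Keychain First Aid.
# Function names are illustrative, not part of any Apple tool.

# `security list-keychains` prints one quoted path per line, indented, e.g.
# (constructed sample):     "/Users/alice/Library/Keychains/login.keychain"
# Strip the indentation and the surrounding quotes; drop blank lines.
parse_keychain_list() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e '/^$/d'
}

# Print a one-word status for a keychain file:
#   missing  - in the search list but not on disk
#   empty    - zero-byte file, cannot hold a valid keychain
#   writable - group or others can modify the file
#   ok       - none of the above
keychain_status() {
    f=$1
    [ -e "$f" ] || { echo missing; return; }
    [ -s "$f" ] || { echo empty; return; }
    # Mode string from ls, e.g. -rw-r--r--; characters 6 and 9 are the
    # group and other write bits. cut drops any trailing @ or + flag.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) echo writable ;;
        *) echo ok ;;
    esac
}

# Read `security list-keychains` output on stdin, print "status path" lines.
audit_keychains() {
    parse_keychain_list | while IFS= read -r kc; do
        printf '%-8s %s\n' "$(keychain_status "$kc")" "$kc"
    done
}

# On a Mac, audit the current user's search list; elsewhere do nothing.
if command -v security >/dev/null 2>&1; then
    security list-keychains | audit_keychains
fi
```

Any line that does not report `ok` points at a file-level problem worth resolving before Verify or Repair is attempted on that keychain.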

Resetting account passwords

Some confusion exists regarding resetting a Snow Leopard machine's account passwords. I've met computer professionals who believed a Mac needed the operating system reinstalled should the root password be misplaced or forgotten. That's incorrect.

Apple includes a password reset utility on the Mac OS X installation disk. To reset a Mac system's root password, the Mac OS X disk must be inserted in the Mac when it starts, and the C key must be depressed while the system is starting. The Installer will boot the machine. From the Mac OS X Installer window, administrators can choose the Reset Password option from the Utilities entry within the menu bar and reset the password for any local user account on the system.
