#48563 - 04/16/18 12:26 AM Migration Question
artie505 Online


Registered: 08/04/09
I'm wondering if anyone other than me has, while doing a clean install of High Sierra, been asked to create & verify new Admin passwords - NOT authenticate with existing ones - before migration of account data would proceed?

I can't even begin to hazard a wild guess why Apple would have instituted this new behavior.

Anybody?

Thanks.

More: And this just occurred to me: Why would macOS allow ONE user to change the Admin passwords for TWO accounts without authenticating?


Edited by artie505 (04/16/18 02:15 AM)
Edit Reason: More
_________________________
The new Great Equalizer is the SEND button.

#48567 - 04/16/18 06:26 AM Re: Migration Question [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Good question but some details might be helpful:
  1. What specific version of High Sierra were you installing: 10.13, 10.13.1, 10.13.2, 10.13.3, or 10.13.4?
  2. Were you installing from a Recovery Drive?
  3. Were you migrating the accounts from another bootable drive, a Time Machine backup, a disk image file, or something else?
  4. Was the migration performed during the initial installation and setup or did you run Migration Assistant after the installation was complete?
  5. Do I understand correctly that you had to create and verify new Admin passwords for all user accounts before you could migrate either of them?
  6. Did you migrate both accounts at the same time or separately?
Originally Posted By: artie505
I can't even begin to hazard a wild guess why Apple would have instituted this new behavior.
I think it is a safe bet that it is security related.
Originally Posted By: Artie505
More: And this just occurred to me: Why would macOS allow ONE user to change the Admin passwords for TWO accounts without authenticating?
Maybe my morning Starbucks has not yet reached my brain, but this seems to contradict what you are saying happened? Is this a rhetorical question or another subject? confused

In the meantime I am going to brew another Starbucks and see if that clears the fog. smile
_________________________
joemikeb • moderator

#48574 - 04/17/18 12:03 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Good question but some details might be helpful:
  1. What specific version of High Sierra were you installing: 10.13, 10.13.1, 10.13.2, 10.13.3, or 10.13.4?
  2. Were you installing from a Recovery Drive?
  3. Were you migrating the accounts from another bootable drive, a Time Machine backup, a disk image file, or something else?
  4. Was the migration performed during the initial installation and setup or did you run Migration Assistant after the installation was complete?
  5. Do I understand correctly that you had to create and verify new Admin passwords for all user accounts before you could migrate either of them?
  6. Did you migrate both accounts at the same time or separately?
Originally Posted By: artie505
I can't even begin to hazard a wild guess why Apple would have instituted this new behavior.
I think it is a safe bet that it is security related.
Originally Posted By: Artie505
More: And this just occurred to me: Why would macOS allow ONE user to change the Admin passwords for TWO accounts without authenticating?
Maybe my morning Starbucks has not yet reached my brain, but this seems to contradict what you are saying happened? Is this a rhetorical question or another subject? confused

In the meantime I am going to brew another Starbucks and see if that clears the fog. smile

1. This has happened during clean installs of every version of High Sierra that's been released.

2. I was installing to a partition on my external SSD using Install macOS High Sierra.app located on a partition on my internal SSD.

3. I was migrating my data from the boot partition on my internal SSD.

4. I performed migrations during the installation of each version, plus I did one after installation.

5. That's correct, but unlike ALL other "change password" dialogs I've worked through, these did NOT ask for the existing passwords before allowing me to enter the new ones.

6. Both accounts were migrated at the same time.

I can't think of a single security-related reason to require the creation of new passwords, and, in fact, asking me to create them without first asking me for the existing ones is counter-security.

I don't see any contradiction, but maybe I wasn't clear. In my instance, both accounts are mine, my boot account and my test user account, but the second account could just as easily belong to someone else, in which case macOS would be forcing me to change another user's password. (Granted that it can be done from Recovery, but that flies under the radar while this is dumped in your lap.)

Afterthought: For a second I thought this might be related to my keychain password issue, but while I maintain separate login and keychain passwords in my boot account, my test user account is pristine.
_________________________
The new Great Equalizer is the SEND button.

#48577 - 04/18/18 08:02 AM Re: Migration Question [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
For a second I thought this might be related to my keychain password issue, but while I maintain separate login and keychain passwords in my boot account, my test user account is pristine.

Based on what I recall from an article/post I came across last week, I think for a second you were CORRECT. Unfortunately I did not make the connection with your problems until later and I can't recall where I saw it. I do remember it said the linkage between the user password and login keychain password is deeply embedded in the MacOS code, which is why it causes lots of different issues when they do not match. I vaguely remember a "patch" was described that would have to be renewed with each and every update/upgrade of MacOS. (This reminds me of the early OS X when the physical location of the User folder was very tightly linked in the code and users had to go through all sorts of gyrations to move the folder to another volume.)

Google and DuckDuckGo searches find a plethora of articles on how to change the keychain password to match the user password from dozens (hundreds?) of sources including Apple, but not what I am looking for, which leads me to suspect it is embedded in a longer article or maybe even a post in a developer's forum somewhere. But I will keep looking.
_________________________
joemikeb • moderator

#48579 - 04/18/18 08:32 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
...I will keep looking.

Much appreciated! smile

1. My login and keychain passwords have differed since time immemorial, and I've successfully upgraded and migrated numerous times with no issues, so what's changed in High Sierra? Could it possibly be APFS related? (Note: I've done both HFS+ and APFS installations with the same results.)

2. My test user account's login and keychain passwords are the same, so why would it be subject to the new-password restriction?

I can equalize my passwords either via System Prefs > Users & Groups or Keychain Access > Edit, but I don't care to go that route until I know WHY I've got to. If Apple has changed something, so be it, but I'd like to see a kBase doc, or a pop-up at the least.
_________________________
The new Great Equalizer is the SEND button.

#48582 - 04/18/18 03:48 PM Re: Migration Question [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
I have seen mention of the deep password linkages from multiple sources, but from personal experience I believe that it is of relatively recent origin — like High Sierra recent. Given what I know about APFS and how it relates to the rest of MacOS I believe any tie in there to be a very remote possibility. Any password linkage in the storage system would be in FileVault, not HFS+ or APFS. The underlying file system is isolated from and theoretically invisible to the rest of MacOS. (This isolation of functionality is at the heart of the Unix concept not to mention modern programming technique.)

As far as a KB article on the subject goes, since Google, DuckDuckGo, et al. can't find anything, I think you are going to have to dig into Apple's Developer's Documentation, probably under Security. NOTE: the Developer's Documentation assumes a working knowledge of Objective-C and Unix, so be forewarned.
_________________________
joemikeb • moderator

#48583 - 04/18/18 11:16 PM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
I have seen mention of the deep password linkages from multiple sources, but from personal experience I believe that it is of relatively recent origin — like High Sierra recent. <snip>

Based on my past experiences, that sounds reasonable.

Originally Posted By: joemikeb
As far as a KB article on the subject goes, since Google, DuckDuckGo, et al. can't find anything, I think you are going to have to dig into Apple's Developer's Documentation, probably under Security. NOTE: the Developer's Documentation assumes a working knowledge of Objective-C and Unix, so be forewarned.

I, too, have had no luck searching (other than finding others with the same issue), and as for Developer Documentation, I've looked at some in the past, and it's left my head spinning. (I once asked my buddy C3PO to look at some Objective-C, and he responded "It's Fortran to me." tongue )

I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.
_________________________
The new Great Equalizer is the SEND button.

#48584 - 04/19/18 05:43 AM Re: Migration Question [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.

It may well be that Apple does not consider it an issue and the system is performing as intended.
_________________________
joemikeb • moderator

#48585 - 04/19/18 06:02 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Originally Posted By: artie505
I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.

It may well be that Apple does not consider it an issue and the system is performing as intended.

I think that's an awfully long stretch in Apple's direction.

I'd expect an in-your-face change such as this to be documented (and there's still a "change password" option in the Keychain Access menu bar).

I simply can't imagine Apple changing things so keychains that previously migrated without a hitch now turn up EMPTY at the end of the process with no explanation. (I mean, "SURPRISE! Your keychain is unpopulated, and it's up to you to figure out why." is just not Apple's style.)
_________________________
The new Great Equalizer is the SEND button.

#48588 - 04/19/18 09:08 AM Re: Migration Question [Re: joemikeb]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: joemikeb
It may well be that Apple does not consider it an issue and the system is performing as intended.

Well, I certainly consider it an issue when Apple locks me out of a legitimate website and does not give me any idea how to remedy the situation.

This morning I tried to log into a site and got a dialogue box suggesting I needed to choose a certificate. Apple provided a list of two, which were identical, instructing me to pick one and press "Continue".

I did so and the got a dialogue box that advised "com.apple.WebKit.Networking wants to sign using key “Apple ID Authentication 2017-05-09 18:20 GMT-07:00” in your keychain.

To allow this, enter the “login” keychain password."


I managed to locate the Apple ID Authentication and chose "Show Password". The password is a combination of letters and numerals approximately 60 long, so clearly it's not a password I ever entered.

Anyway, I pasted the password into Pages and carefully separated it into bite-sized bits so I could enter it correctly. Apple rejected it.

So now, at Apple's hand, I am barred from a site I need.

And, just to really aggravate me, I can't get rid of the Apple dialogue box without a restart.


Edited by ryck (04/19/18 09:24 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#48590 - 04/19/18 10:34 AM Re: Migration Question [Re: ryck]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
This Knowledge Base article explains what an AppleID authentication token is and where it comes from and how and why it is used. Are you sure the dialog box wasn't asking for the password for your login keychain in order to obtain the authentication token instead of the token itself? The problem may have been on the other end and not on your computer.
_________________________
joemikeb • moderator

#48592 - 04/19/18 10:57 AM Re: Migration Question [Re: joemikeb]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: joemikeb
This Knowledge Base article explains what an AppleID authentication token is and where it comes from and how and why it is used.

I went there and found only two references to tokens, neither of which brought me any closer to an understanding of why Apple has locked me out of a website.

“iCloud secures your information by encrypting it when it's in transit, storing it in iCloud in an encrypted format, and using secure tokens for authentication.”

“When you access iCloud services with Apple’s built-in apps (for example, Mail, Contacts, and Calendar apps on iOS or macOS), authentication is handled using a secure token. Using secure tokens eliminates the need to store your iCloud password on devices and computers.”


Originally Posted By: joemikeb
Are you sure the dialog box wasn't asking for the password for your login keychain in order to obtain the authentication token instead of the token itself?

I have no idea. In fact, I don’t even know what my “login keychain password” is.

Correction: I now know what the "login keychain password" is.....the same one used to log into the computer. And now, after going back to the site and entering the password over and over (Apple kept asking for it) and selecting the certificate 2 or 3 times, I managed to get in.


Edited by ryck (04/19/18 11:11 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#48593 - 04/19/18 12:22 PM Re: Migration Question [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
mac os has had problems with accounts created many versions ago that have been migrated repeatedly for some time now. I can recall back to 10.5 where users were getting demoted from admin to standard or their passwords were not being accepted.

The password issue appears to be avoidable by changing your password occasionally (like at least every other version of OS X). It's a matter of the format the passwords are being stored in.

I have NO idea why it randomly demotes admins to standard. This is a serious problem when that's the only admin on the computer. (a problem we saw somewhat frequently where I used to work, over a wide variety of OS versions)

It may be the case that it's detecting your accounts are old and have been broken by the upgrade and so are now asking you to provide a password to fix them. If you provide the same password as you had before, your keychain should unlock fine. Otherwise you'll have to fix that.

(this could also involve changes to auto login)
_________________________
I work for the Department of Redundancy Department

#48599 - 04/20/18 08:28 AM Re: Migration Question [Re: Virtual1]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Virtual1
It may be the case that it's detecting your accounts are old and have been broken by the upgrade and so are now asking you to provide a password to fix them. If you provide the same password as you had before, your keychain should unlock fine. Otherwise you'll have to fix that.

It appears to be healing itself. I continued to get......

"com.apple.WebKit.Networking wants to sign using key “Apple ID Authentication 2017-05-09 18:20 GMT-07:00” in your keychain.

To allow this, enter the “login” keychain password."


.....but it is occurring less frequently. Fingers are crossed.


Edited by ryck (04/20/18 08:28 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#48610 - 04/21/18 02:12 PM Re: Migration Question [Re: ryck]
artie505 Online


Registered: 08/04/09
Getting this thread back on track...

Originally Posted By: artie505
Originally Posted By: joemikeb
Originally Posted By: artie505
I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.

It may well be that Apple does not consider it an issue and the system is performing as intended.

I think that's an awfully long stretch in Apple's direction.

I'd expect an in-your-face change such as this to be documented (and there's still a "change password" option in the Keychain Access menu bar).

I simply can't imagine Apple changing things so keychains that previously migrated without a hitch now turn up EMPTY at the end of the process with no explanation. (I mean, "SURPRISE! Your keychain is unpopulated, and it's up to you to figure out why." is just not Apple's style.)
_________________________
The new Great Equalizer is the SEND button.

#48617 - 04/22/18 06:20 AM Re: Migration Question [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
I browsed the Terminal "man" files for Security and Keychain and like missing preference files, when a keychain is not found a new empty keychain will be automatically created. These commands come to MacOS from BSD Unix via Apple's Darwin that is at the core of all Apple's current operating systems. While I was unable to trace the entire login sequence and determine what the precursor commands would be I am guessing that being unable to open a keychain because it is damaged or the password is unknown might count as "not found". While that would explain your empty keychains the question of what has changed to trigger this condition and why remains unanswered.

🤷‍♂️

_________________________
joemikeb • moderator

#48624 - 04/23/18 02:44 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
That sounds reasonable; your persistence is really appreciated, not to mention educational.

I apologize for being lazy and not pushing Apple on this; I'll do it soon. tongue
_________________________
The new Great Equalizer is the SEND button.

#48691 - 04/27/18 06:53 AM Re: Migration Question [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Not to beat a dead horse, but a couple of questions just occurred to me...
  1. Do you have iCloud Keychain turned ON?
  2. Do you have two step authentication activated?
I can see how either of these could be a cause of your user/keychain password issues. I can also see why Apple's move toward these might bring them to change the way the login process handles inaccessible keychain issues. This might be the answer to our "why" question.
_________________________
joemikeb • moderator

#48696 - 04/27/18 09:45 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
iCloud Keychain is not turned on, nor is two-step authentication - I assume you mean at login - activated.

I spent 2 1/2 hours on the phone with AppleCare the other day, and I think I've got a handle on what's going on, but I can't complete my post without reinstalling High Sierra, which I won't do until my new enclosure gets to me from OWC.

Again, thanks for your persistence and insights! smile

More in a week or so.
_________________________
The new Great Equalizer is the SEND button.

#48904 - 05/22/18 12:04 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Not to beat a dead horse, but a couple of questions just occurred to me...
  1. Do you have iCloud Keychain turned ON?
  2. Do you have two step authentication activated?
I can see how either of these could be a cause of your user/keychain password issues. I can also see why Apple's move toward these might bring them to change the way the login process handles inaccessible keychain issues. This might be the answer to our "why" question.

First, the "Select Password" dialog box is apparently a new-to-High Sierra default step during migrations; I've been presented with it regardless of the circumstances under which I've migrated.

I'm totally mystified by its occurrence and complete lack of documentation, though; even the AppleCare AMR Senior Specialist to whom I spoke was unaware of it before I told him about it.

The Specialist did, however, get me researching my keychain migration issue (i.e. my differing login and keychain p/w's preventing my keychain from successfully migrating from Sierra to High Sierra)...

Apple seems to have dropped all possibility of differing login and keychain p/w's in HS, and I've gotten my HS keychain populated only by either equalizing my p/w's in advance of upgrade/migration or entering my keychain p/w in the "Select Password" dialog box during migration:
  • An upgrade sans equalization didn't call up the "Select Password" dialog box; it simply left me with synced passwords and an empty keychain.
  • When you change your login p/w from a different Admin account, your keychain p/w may (as per HS Keychain Access Help) remain the same, but changing mine from a different Admin account has invariably synced mine - despite the fact that the pop-up says it won't - and left my keychain empty.
  • After changing my login p/w from my Recovery partition - which should have left my keychain p/w intact - I restarted to a synced p/w and an empty keychain.
  • Changing my login p/w from Sys Prefs > Users & Groups > Change Password... did, however, work as expected, i.e. it changed both my login and keychain p/w's.
HS Keychain Access Help discusses login and keychain p/w's getting out of sync, and Edit > Change Password for Keychain "login"... is mentioned as the fix, but there doesn't seem to be any way to get them out of sync in the first place.

I don't understand why Apple eliminated a security feature; maybe it has something to do with the deep password linkages you mentioned a while back? Even stranger, though, is why they blind-sided those of us partaking of it...no advance warning...not even an after the fact "Gotcha!"

In the end, though, while my being unable to maintain different login and keychain p/w's apparently isn't a bug, it also isn't something on which Apple's got a very good grip.

And the bottom line is that now that I understand what's been happening I've got no more qualms about upgrading to High Sierra...albeit without my beloved differing p/w's, and actually, after looking closely at the contents of my keychain I've realized that there's nothing in it that leaves me at risk if it can be unlocked by my login p/w.

Note: As respects your thought about my issue possibly resulting from my having iCloud Keychain turned on, back in Mavericks, Apple split "login keychain" into two separate components..."login keychain" and "Local Items keychain"; the change seems to have had something to do with iCloud, and since the former can be locked, but the latter can't, it may be related to iCloud syncing (but it hasn't affected migrations in any way of which I'm aware).
_________________________
The new Great Equalizer is the SEND button.
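The post above concludes that the login keychain only survives a High Sierra migration when the login and keychain passwords already match, and joemikeb earlier noted that a keychain the login process cannot open is treated as "not found" and replaced with an empty one. The following Terminal script is an added example (not code from the thread or from Apple) that checks both conditions before you migrate: it confirms a login keychain is actually in the search list, then tests whether one password opens both the account and the keychain. It assumes a macOS host with the stock `security` and `dscl` tools; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-migration check for the
# login/keychain password mismatch discussed above. Assumes macOS with the
# stock `security` and `dscl` tools; all function names here are mine.
# usage: . ./keychain-check.sh && check_keychain_sync

# `security list-keychains` prints one indented, double-quoted path per line;
# strip the indentation and quotes so the paths can be used as arguments.
parse_keychain_list() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Pick the login keychain out of a keychain list read from stdin. Prints
# nothing if none is listed, the "not found" case in which macOS silently
# creates a fresh, empty login keychain.
login_keychain_from_list() {
    parse_keychain_list | grep '/login\.keychain' | head -n 1
}

# Turn the two exit statuses (account-password check, keychain-unlock check)
# into a one-word diagnosis.
classify() {
    login_rc=$1; kc_rc=$2
    if [ "$login_rc" -eq 0 ] && [ "$kc_rc" -eq 0 ]; then
        echo synced            # same password on both sides: migration-safe
    elif [ "$login_rc" -eq 0 ]; then
        echo keychain-differs  # login password is right; keychain uses another
    elif [ "$kc_rc" -eq 0 ]; then
        echo login-differs     # password opens the keychain, not the account
    else
        echo neither           # wrong for both (or not running on macOS)
    fi
}

# Interactive driver: prompts once, tests the password against the account
# and the login keychain, then re-locks the keychain. Both tools take the
# password as an argument, so it is briefly visible to other local users via
# `ps`; run this on a machine you own, not a shared one.
check_keychain_sync() {
    command -v security >/dev/null 2>&1 || { echo "macOS only" >&2; return 2; }
    kc=$(security list-keychains -d user | login_keychain_from_list)
    if [ -z "$kc" ]; then
        echo "no login keychain in the user search list" >&2
        return 2
    fi
    printf 'Login password for %s (not echoed): ' "$USER"
    stty -echo; read -r pw; stty echo; printf '\n'
    dscl . -authonly "$USER" "$pw" >/dev/null 2>&1; login_rc=$?
    security unlock-keychain -p "$pw" "$kc" >/dev/null 2>&1; kc_rc=$?
    security lock-keychain "$kc" >/dev/null 2>&1
    unset pw
    classify "$login_rc" "$kc_rc"
}
```

A result of keychain-differs is the situation the post describes: equalize the passwords from System Preferences > Users & Groups or Keychain Access > Edit before upgrading, or expect an empty keychain afterwards.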

#48905 - 05/22/18 05:50 AM Re: Migration Question [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Once again our experience is different. I have Login, iCloud, System, and System Roots keychains, but no Local Items. Only the iCloud Keychain cannot be locked. Have you considered creating your own keychain and moving all but the passwords required during initial boot up from Login to it?
_________________________
joemikeb • moderator

#48914 - 05/23/18 12:42 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Once again our experience is different. I have Login, iCloud, System, and System Roots keychains, but no Local Items. Only the iCloud Keychain cannot be locked. Have you considered creating your own keychain and moving all but the passwords required during initial boot up from Login to it?

I think we're on the same page, because I've also got Login, System, and System Roots keychains, and I'll guess that your iCloud keychain is the equivalent (in your situation) of my Local Items keychain (in my situation) which also can't be locked. (This is my Local Items keychain...all login identities and passwords plus the few highlighted Apple items.)

I'm sorry, but I don't follow your "new keychain" suggestion. As far as I can tell from very sparse search results, the functionality is for when a damaged keychain needs to be replaced, and even if it's applicable in my situation, won't it be useless - other than for keeping something locked that doesn't need to be locked - if Safari can't access it?
_________________________
The new Great Equalizer is the SEND button.
