#48563 - 04/16/18 12:26 AM Migration Question
artie505 Online


Registered: 08/04/09
I'm wondering if anyone other than me has, while doing a clean install of High Sierra, been asked to create & verify new Admin passwords - NOT authenticate with existing ones - before migration of account data would proceed?

I can't even begin to hazard a wild guess why Apple would have instituted this new behavior.

Anybody?

Thanks.

More: And this just occurred to me: Why would macOS allow ONE user to change the Admin passwords for TWO accounts without authenticating?


Edited by artie505 (04/16/18 02:15 AM)
Edit Reason: More
_________________________
The new Great Equalizer is the SEND button.

#48567 - 04/16/18 06:26 AM Re: Migration Question [Re: artie505]
joemikeb Offline

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Good question but some details might be helpful:
  1. What specific version of High Sierra were you installing: 10.13, 10.13.1, 10.13.2, 10.13.3, or 10.13.4?
  2. Were you installing from a Recovery Drive?
  3. Were you migrating the accounts from another bootable drive, a Time Machine backup, a disk image file, or something else?
  4. Was the migration performed during the initial installation and setup or did you run Migration Assistant after the installation was complete?
  5. Do I understand correctly that you had to create and verify new Admin passwords for all user accounts before you could migrate either of them?
  6. Did you migrate both accounts at the same time or separately?
Originally Posted By: artie505
I can't even begin to hazard a wild guess why Apple would have instituted this new behavior.
I think it is a safe bet that it is security related.
Originally Posted By: Artie505
More: And this just occurred to me: Why would macOS allow ONE user to change the Admin passwords for TWO accounts without authenticating?
Maybe my morning Starbucks has not yet reached my brain, but this seems to contradict what you are saying happened? Is this a rhetorical question or another subject? confused

In the meantime I am going to brew another Starbucks and see if that clears the fog. smile
_________________________
joemikeb • moderator

#48574 - 04/17/18 12:03 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Good question but some details might be helpful:
  1. What specific version of High Sierra were you installing: 10.13, 10.13.1, 10.13.2, 10.13.3, or 10.13.4?
  2. Were you installing from a Recovery Drive?
  3. Were you migrating the accounts from another bootable drive, a Time Machine backup, a disk image file, or something else?
  4. Was the migration performed during the initial installation and setup or did you run Migration Assistant after the installation was complete?
  5. Do I understand correctly that you had to create and verify new Admin passwords for all user accounts before you could migrate either of them?
  6. Did you migrate both accounts at the same time or separately?
Originally Posted By: artie505
I can't even begin to hazard a wild guess why Apple would have instituted this new behavior.
I think it is a safe bet that it is security related.
Originally Posted By: Artie505
More: And this just occurred to me: Why would macOS allow ONE user to change the Admin passwords for TWO accounts without authenticating?
Maybe my morning Starbucks has not yet reached my brain, but this seems to contradict what you are saying happened? Is this a rhetorical question or another subject? confused

In the meantime I am going to brew another Starbucks and see if that clears the fog. smile

1. This has happened during clean installs of every version of High Sierra that's been released.

2. I was installing to a partition on my external SSD using Install macOS High Sierra.app located on a partition on my internal SSD.

3. I was migrating my data from the boot partition on my internal SSD.

4. I performed migrations during the installation of each version, plus I did one after installation.

5. That's correct, but unlike ALL other "change password" dialogs I've worked through, these did NOT ask for the existing passwords before allowing me to enter the new ones.

6. Both accounts were migrated at the same time.

I can't think of a single security-related reason to require the creation of new passwords, and, in fact, asking me to create them without first asking me for the existing ones is counter-security.

I don't see any contradiction, but maybe I wasn't clear. In my instance, both accounts are mine, my boot account and my test user account, but the second account could just as easily belong to someone else, in which case macOS would be allowing/forcing me to change another user's password. (Granted that it can be done from Recovery, but that flies under the radar while this is dumped in your lap.)

Afterthought: For a second I thought this might be related to my keychain password issue, but while I maintain separate login and keychain passwords in my boot account, my test user account is pristine.
_________________________
The new Great Equalizer is the SEND button.

#48577 - 04/18/18 08:02 AM Re: Migration Question [Re: artie505]
joemikeb Offline

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
For a second I thought this might be related to my keychain password issue, but while I maintain separate login and keychain passwords in my boot account, my test user account is pristine.

Based on what I recall from an article/post I came across last week, I think for a second you were CORRECT. Unfortunately I did not make the connection with your problems until later and I can't recall where I saw it. I do remember it said the linkage between the user password and login keychain password is deeply embedded in the MacOS code, which is why it causes lots of different issues when they do not match. I vaguely remember a "patch" was described that would have to be renewed with each and every update/upgrade of MacOS. (This reminds me of the early OS X when the physical location of the User folder was very tightly linked in the code and users had to go through all sorts of gyrations to move the folder to another volume.)

Google and DuckDuckGo searches find a plethora of articles on how to change the keychain password to match the user password from dozens (hundreds?) of sources including Apple, but not what I am looking for, which leads me to suspect it is embedded in a longer article or maybe even a post in a developer's forum somewhere. But I will keep looking.
_________________________
joemikeb • moderator

#48579 - 04/18/18 08:32 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
...I will keep looking.

Much appreciated! smile

1. My login and keychain passwords have differed since time immemorial, and I've successfully upgraded and migrated numerous times with no issues, so what's changed in High Sierra? Could it possibly be APFS related? (Note: I've done both HFS+ and APFS installations with the same results.)

2. My test user account's login and keychain passwords are the same, so why would it be subject to the new-password restriction?

I can equalize my passwords either via System Prefs > Users & Groups or Keychain Access > Edit, but I don't care to go that route until I know WHY I've got to. If Apple has changed something, so be it, but I'd like to see a kBase doc, or a pop-up at the least.
_________________________
The new Great Equalizer is the SEND button.

#48582 - 04/18/18 03:48 PM Re: Migration Question [Re: artie505]
joemikeb Offline

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
I have seen mention of the deep password linkages from multiple sources, but from personal experience I believe that it is of relatively recent origin — like High Sierra recent. Given what I know about APFS and how it relates to the rest of MacOS I believe any tie in there to be a very remote possibility. Any password linkage in the storage system would be in FileVault, not HFS+ or APFS. The underlying file system is isolated from and theoretically invisible to the rest of MacOS. (This isolation of functionality is at the heart of the Unix concept not to mention modern programming technique.)

As far as a KB article on the subject goes, since Google, DuckDuckGo, et al. can't find anything, I think you are going to have to dig into Apple's Developer's Documentation, probably under Security. NOTE: the Developer's Documentation assumes a working knowledge of Objective-C and Unix so be forewarned.
_________________________
joemikeb • moderator

#48583 - 04/18/18 11:16 PM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
I have seen mention of the deep password linkages from multiple sources, but from personal experience I believe that it is of relatively recent origin — like High Sierra recent. <snip>

Based on my past experiences, that sounds reasonable.

Originally Posted By: joemikeb
As far as a KB article on the subject goes, since Google, DuckDuckGo, et al. can't find anything, I think you are going to have to dig into Apple's Developer's Documentation, probably under Security. NOTE: the Developer's Documentation assumes a working knowledge of Objective-C and Unix so be forewarned.

I, too, have had no luck searching (other than finding others with the same issue), and as for Developer Documentation, I've looked at some in the past, and it's left my head spinning. (I once asked my buddy C3PO to look at some Objective-C, and he responded "It's Fortran to me." tongue )

I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.
_________________________
The new Great Equalizer is the SEND button.

#48584 - 04/19/18 05:43 AM Re: Migration Question [Re: artie505]
joemikeb Offline

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.

It may well be that Apple does not consider it an issue and the system is performing as intended.
_________________________
joemikeb • moderator

#48585 - 04/19/18 06:02 AM Re: Migration Question [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Originally Posted By: artie505
I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.

It may well be that Apple does not consider it an issue and the system is performing as intended.

I think that's an awfully long stretch in Apple's direction.

I'd expect an in-your-face change such as this to be documented (and there's still a "change password" option in the Keychain Access menu bar).

I simply can't imagine Apple changing things so keychains that previously migrated without a hitch now turn up EMPTY at the end of the process with no explanation. (I mean, "SURPRISE! Your keychain is unpopulated, and it's up to you to figure out why." is just not Apple's style.)
_________________________
The new Great Equalizer is the SEND button.

#48588 - 04/19/18 09:08 AM Re: Migration Question [Re: joemikeb]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: joemikeb
It may well be that Apple does not consider it an issue and the system is performing as intended.

Well, I certainly consider it an issue when Apple locks me out of a legitimate website and does not give me any idea how to remedy the situation.

This morning I tried to log into a site and got a dialogue box suggesting I needed to choose a certificate. Apple provided a list of two, which were identical, instructing me to pick one and press "Continue".

I did so and then got a dialogue box that advised "com.apple.WebKit.Networking wants to sign using key “Apple ID Authentication 2017-05-09 18:20 GMT-07:00” in your keychain.

To allow this, enter the “login” keychain password."


I managed to locate the Apple ID Authentication and chose "Show Password". The password is a combination of letters and numerals approximately 60 long, so clearly it's not a password I ever entered.

Anyway, I pasted the password into Pages and carefully separated it into bite-sized bits so I could enter it correctly. Apple rejected it.

So now, at Apple's hand, I am barred from a site I need.

And, just to really aggravate me, I can't get rid of the Apple dialogue box without a restart.


Edited by ryck (04/19/18 09:24 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Sierra 10.12.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#48590 - 04/19/18 10:34 AM Re: Migration Question [Re: ryck]
joemikeb Offline

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
This Knowledge Base article explains what an AppleID authentication token is and where it comes from and how and why it is used. Are you sure the dialog box wasn't asking for the password for your login keychain in order to obtain the authentication token instead of the token itself? The problem may have been on the other end and not on your computer.
_________________________
joemikeb • moderator

#48592 - 04/19/18 10:57 AM Re: Migration Question [Re: joemikeb]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: joemikeb
This Knowledge Base article explains what an AppleID authentication token is and where it comes from and how and why it is used.

I went there and found only two references to tokens, neither of which brought me any closer to an understanding of why Apple has locked me out of a website.

“iCloud secures your information by encrypting it when it's in transit, storing it in iCloud in an encrypted format, and using secure tokens for authentication.”

“When you access iCloud services with Apple’s built-in apps (for example, Mail, Contacts, and Calendar apps on iOS or macOS), authentication is handled using a secure token. Using secure tokens eliminates the need to store your iCloud password on devices and computers.”


Originally Posted By: joemikeb
Are you sure the dialog box wasn't asking for the password for your login keychain in order to obtain the authentication token instead of the token itself?

I have no idea. In fact, I don’t even know what my “login keychain password” is.

Correction: I now know what the "login keychain password" is.....the same one used to log into the computer. And now, after going back to the site and entering the password over and over (Apple kept asking for it) and selecting the certificate 2 or 3 times, I managed to get in.


Edited by ryck (04/19/18 11:11 AM)
_________________________
ryck

#48593 - 04/19/18 12:22 PM Re: Migration Question [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Mac OS has had problems with accounts created many versions ago that have been migrated repeatedly for some time now. I can recall back to 10.5 where users were getting demoted from admin to standard or their passwords were not being accepted.

The password issue appears to be avoidable by changing your password occasionally (like at least every other version of OS X). It's a matter of the format the passwords are being stored in.

I have NO idea why it randomly demotes admins to standard. This is a serious problem when that's the only admin on the computer. (a problem we saw somewhat frequently where I used to work, over a wide variety of OS versions)

It may be the case that it's detecting your accounts are old and have been broken by the upgrade and so are now asking you to provide a password to fix them. If you provide the same password as you had before, your keychain should unlock fine. Otherwise you'll have to fix that.

(this could also involve changes to auto login)
_________________________
I work for the Department of Redundancy Department

#48599 - 04/20/18 08:28 AM Re: Migration Question [Re: Virtual1]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Virtual1
It may be the case that it's detecting your accounts are old and have been broken by the upgrade and so are now asking you to provide a password to fix them. If you provide the same password as you had before, your keychain should unlock fine. Otherwise you'll have to fix that.

It appears to be healing itself. I continued to get......

"com.apple.WebKit.Networking wants to sign using key “Apple ID Authentication 2017-05-09 18:20 GMT-07:00” in your keychain.

To allow this, enter the “login” keychain password."


.....but it is occurring less frequently. Fingers are crossed.


Edited by ryck (04/20/18 08:28 AM)
_________________________
ryck

#48610 - 04/21/18 02:12 PM Re: Migration Question [Re: ryck]
artie505 Online


Registered: 08/04/09
Getting this thread back on track...

Originally Posted By: artie505
Originally Posted By: joemikeb
Originally Posted By: artie505
I think it's about time to lean on Apple; this issue is 7 months and 5 versions of macOS old at this point, and it's long past time for them to have at least examined it.

It may well be that Apple does not consider it an issue and the system is performing as intended.

I think that's an awfully long stretch in Apple's direction.

I'd expect an in-your-face change such as this to be documented (and there's still a "change password" option in the Keychain Access menu bar).

I simply can't imagine Apple changing things so keychains that previously migrated without a hitch now turn up EMPTY at the end of the process with no explanation. (I mean, "SURPRISE! Your keychain is unpopulated, and it's up to you to figure out why." is just not Apple's style.)
_________________________
The new Great Equalizer is the SEND button.

#48617 - Yesterday at 06:20 AM Re: Migration Question [Re: artie505]
joemikeb Offline

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
I browsed the Terminal "man" files for Security and Keychain and, like missing preference files, when a keychain is not found a new empty keychain will be automatically created. These commands come to MacOS from BSD Unix via Apple's Darwin that is at the core of all Apple's current operating systems. While I was unable to trace the entire login sequence and determine what the precursor commands would be, I am guessing that being unable to open a keychain because it is damaged or the password is unknown might count as "not found". While that would explain your empty keychains, the question of what has changed to trigger this condition and why remains unanswered.

🤷‍♂️

_________________________
joemikeb • moderator
