Keychain error -25308

I've implemented a VPN app (with Packet tunnel Provider) for MacOS.

Each user has a password, which I'm saving at the keychain with a persistentReference.

For some users (not many), the app fails to save the password and I got error -25308 which is User interaction is not allowed.


Why does it happening and how can I solve it?

Up..😐

Why does it happening and how can I solve it?

You should open a DTS tech support incident so that I, or more likely one of my colleagues, can look into this properly.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Sure, but I don't have anything to attach to the DTS (It's not reproducing too often).

All I can say is that the user got this error (-25308).

So is it ok to open a DTS with only the above general description?

So is it ok to open a DTS with only the above general description?

I can’t answer that definitively because it’s probably not me who’s end up with the incident, but it certainly never hurts to try.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

we've had the same problem for more than a year, only for a few users and we cannot reproduce it.

Once we had a user who showed it to us, it was reproducible on his device. But as soon as we installed a debug version with XCode the problem disappeared. When re-installing the previous version from the app-store, the problem did not occur again. The user is now happy but we are still in the dark :-(

I found a reproducible case of this same error while using aws-vault over a remote SSH session into a MacBook:

ssh mymacbook.local
  aws-vault exec ${AWS_CONFIG_PROFILE_NAME_HERE} -- ${SOME_AWS_COMMAND_HERE}

This opens a local browser page to AWS SSO auth. I'm able to use VNC to remotely connect to the active display and click to approve the session in the browser window.

Then the command returns the following error:

Opening the SSO authorization page in your default browser (use Ctrl-C to abort)

https://device.sso.us-east-1.amazonaws.com/?user_code=XXXX-XXXX

aws-vault: error: exec: Failed to get credentials for ${AWS_CONFIG_PROFILE_NAME_HERE}: User interaction is not allowed. (-25308)

This same command works perfectly fine when run locally & directly using the MacBook's keyboard & screen. The -25308 error code and message are 100% reproducible when trying this command over a remotely connected SSH terminal session.

I have checked that the login keychain is shown as unlocked in the Keychain Access app. I've also tried running: security unlock-keychain  "${HOME}/Library/Keychains/login.keychain-db" in the remote SSH terminal.

Seems like this may have something to do with some other hidden macOS security settings that prevent aws-vault (or other apps, such as the VPN app the OP mentions), from working over a remotely started terminal session?

I checked the system logs while running the aws-vault command to reproduce the error, and sure enough securityd is logging some errors about code signing while aws-vault tries to perform keychain operations:

2022-05-03 16:52:03.461873-0600 0xab0f62   Activity    0xc55614             11605  0    aws-vault: (Security) SecKeychainOpen

2022-05-03 16:52:03.462417-0600 0xab0f62   Activity    0xc55615             11605  0    aws-vault: (Security) SecKeychainOpen

2022-05-03 16:52:03.462836-0600 0xab0f62   Error       0x0                  11605  0    aws-vault: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 45530 of
 [9ff244ce07]

2022-05-03 16:52:03.462872-0600 0xab0f62   Error       0x0                  11605  0    aws-vault: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:45530: (2) open(/var/db
/DetachedSignatures) - No such file or directory

2022-05-03 16:52:03.465167-0600 0xab0f62   Activity    0xc55616             11605  0    aws-vault: (Security) SecTrustEvaluateIfNecessary

2022-05-03 16:52:03.467640-0600 0xab0f62   Activity    0xc55617             11605  0    aws-vault: (Security) SecTrustSettingsXPCRead

2022-05-03 16:52:03.467809-0600 0xab0d8e   Activity    0xc54f18             634    0    trustd: (libsystem_info.dylib) Membership API: translate identifier

2022-05-03 16:52:03.468701-0600 0xab0f62   Activity    0xc55618             11605  0    aws-vault: (Security) SecKeychainAddCallback

2022-05-03 16:52:03.468819-0600 0xab0f62   Activity    0xc55619             11605  0    aws-vault: (Security) SecTrustSettingsXPCRead

2022-05-03 16:52:03.474920-0600 0xab0f62   Activity    0xc5561a             11605  0    aws-vault: (Security) SecTrustEvaluateIfNecessary

2022-05-03 16:52:03.480998-0600 0xab0f62   Activity    0xc5561b             11605  0    aws-vault: (Security) SecItemAdd

2022-05-03 16:52:03.481988-0600 0xab0a65   Default     0x0                  364    0    securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-
signed

2022-05-03 16:52:03.483018-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:KCdb] 0x13626c430(0x13636d7c0) unlocking for makeUnlocked()

2022-05-03 16:52:03.483068-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:SecurityAgentConnection] new SecurityAgentConnection(0x16b4eea30)

2022-05-03 16:52:03.483099-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:SecurityAgentXPCQuery] new SecurityAgentXPCQuery(0x16b4eea30)

2022-05-03 16:52:03.483417-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-
signed

2022-05-03 16:52:03.483455-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:SecurityAgentConnection] activate(0x16b4eea30)

2022-05-03 16:52:03.483517-0600 0xd3b      Default     0x0                  364    0    securityd: (Security) [com.apple.securityd:security_exception] MacOS error: -25337

2022-05-03 16:52:03.483823-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:security_exception] CSSM Exception: 224 unknown error 224=e0

2022-05-03 16:52:03.483940-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:SecurityAgentXPCQuery] SecurityAgentXPCQuery(0x16b4eea30) dying

2022-05-03 16:52:03.484082-0600 0xab0f62   Default     0xc5561b             11605  0    aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP
_NO_USER_INTERACTION

2022-05-03 16:52:03.483972-0600 0xd3b      Default     0x0                  364    0    securityd: [com.apple.securityd:SecurityAgentConnection] SecurityAgentConnection(0x16b4eea30) dying

2022-05-03 16:52:03.484158-0600 0xab0f62   Default     0xc5561b             11605  0    aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP
_NO_USER_INTERACTION

2022-05-03 16:52:03.484829-0600 0xab0b71   Error       0x0                  469    0    analyticsd: [com.apple.analyticsd:xpc] [XPC Server] managed connection recieved connection invalidated
: Connection invalid

2022-05-03 16:52:03.485589-0600 0x1058     Default     0x0                  406    0    mDNSResponder: [com.apple.mDNSResponder:Default] [R185837] DNSServiceCreateConnection STOP PID[11605](
aws-vault)

2022-05-03 16:52:03.500952-0600 0xab1038   Default     0x0                  0      0    kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash

2022-05-03 16:52:03.505416-0600 0x12e1     Error       0x0                  628    0    Google Chrome: (QuartzCore) [com.apple.coreanimation:API] cannot add handler to 4 from 4 - dropping

2022-05-03 16:52:03.530880-0600 0xab1055   Default     0x0                  0      0    kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash

2022-05-03 16:52:03.536886-0600 0xab1059   Default     0x0                  0      0    kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash


Seems like the final error reported by aws-vault is from this line:

aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP
_NO_USER_INTERACTION

Which was caused immediately by the securityd errors just before that:

securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-
signed

securityd: (Security) [com.apple.securityd:security_exception] MacOS error: -25337

securityd: [com.apple.securityd:security_exception] CSSM Exception: 224 unknown error 224=e0

This overall seems like an issue built-in to macOS, probably for security reasons that presume that all Keychain actions should be attached to an app that has an interactive GUI. Seems very similar to this issue reported on a terminal app using the keyring while under screen or SSH session

The fundamentals here are pretty straightforward:

  • The -25308 error is errSecInteractionNotAllowed, which means that the keychain needed to interact with the user and that’s not allowed in this context.

  • SSH login sessions are one situation where interacting with the user is not allowed.

The complexity stems from why the keychain needs to interact with the user. You wrote:

I've also tried running: security unlock-keychain …

Right. This rules out the keychain being locked as a source of this user interaction, but that’s only one source. There are plenty of other sources, and it’s hard to be sure which one is in play in your specific case.

This overall seems like an issue built-in to macOS, probably for security reasons that presume that all Keychain actions should be attached to an app that has an interactive GUI.

That’s not true. A non-GUI process can use the keychain just fine. This includes things in a user login session, like tools run by SSH, and even daemons [1].

What is true is that macOS has strict rules about execution contexts. For details on this, see Technote 2083 Daemons and Agents.

A program with a Unix-y heritage, like screen, expects to be able to switch execution by switching the traditional Unix-y UIDs and GIDs. That doesn’t really work on macOS [2], and such programs often run into problems. As explained in the technote, these problems don’t always have obvious symptoms, and they can come and go as the system evolves.

I’m not sure what this program is trying to do with the keychain but this is a serious concern:

This opens a local browser page to AWS SSO auth.

Given the above-mentioned execution context limits, doing this correctly on macOS requires some convoluted code [3]. I suspect that this program is just ignoring the issue and that’s why you’re running into problems. However, it’s hard to be sure without knowing more about the code.

I presume that this isn’t code that you wrote?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Daemons are limited to the file-base keychain. See On Mac Keychains for more details about the long story that is macOS keychains.

[2] It works if you live entirely within the Unix-y layers of the system but fails when you work with higher-level frameworks, like Security.

[3] You’d have to run an agent in each GUI login session to handle the GUI-specific work.

Keychain error -25308
 
 
Q