I've implemented a VPN app (with Packet tunnel Provider) for MacOS.
Each user has a password, which I'm saving at the keychain with a persistentReference.
For some users (not many), the app fails to save the password and I got error -25308 which is User interaction is not allowed.
Why does it happening and how can I solve it?
Up..😐
Why does it happening and how can I solve it?
You should open a DTS tech support incident so that I, or more likely one of my colleagues, can look into this properly.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"Sure, but I don't have anything to attach to the DTS (It's not reproducing too often).
All I can say is that the user got this error (-25308).
So is it ok to open a DTS with only the above general description?
So is it ok to open a DTS with only the above general description?
I can’t answer that definitively because it’s probably not me who’s end up with the incident, but it certainly never hurts to try.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"we've had the same problem for more than a year, only for a few users and we cannot reproduce it.
Once we had a user who showed it to us, it was reproducible on his device. But as soon as we installed a debug version with XCode the problem disappeared. When re-installing the previous version from the app-store, the problem did not occur again. The user is now happy but we are still in the dark :-(
I found a reproducible case of this same error while using aws-vault over a remote SSH session into a MacBook:
ssh mymacbook.local
aws-vault exec ${AWS_CONFIG_PROFILE_NAME_HERE} -- ${SOME_AWS_COMMAND_HERE}
This opens a local browser page to AWS SSO auth. I'm able to use VNC to remotely connect to the active display and click to approve the session in the browser window.
Then the command returns the following error:
Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
https://device.sso.us-east-1.amazonaws.com/?user_code=XXXX-XXXX
aws-vault: error: exec: Failed to get credentials for ${AWS_CONFIG_PROFILE_NAME_HERE}: User interaction is not allowed. (-25308)
This same command works perfectly fine when run locally & directly using the MacBook's keyboard & screen. The -25308 error code and message are 100% reproducible when trying this command over a remotely connected SSH terminal session.
I have checked that the login keychain is shown as unlocked in the Keychain Access app. I've also tried running: security unlock-keychain "${HOME}/Library/Keychains/login.keychain-db" in the remote SSH terminal.
Seems like this may have something to do with some other hidden macOS security settings that prevent aws-vault (or other apps, such as the VPN app the OP mentions), from working over a remotely started terminal session?
I checked the system logs while running the aws-vault command to reproduce the error, and sure enough securityd is logging some errors about code signing while aws-vault tries to perform keychain operations:
2022-05-03 16:52:03.461873-0600 0xab0f62 Activity 0xc55614 11605 0 aws-vault: (Security) SecKeychainOpen
2022-05-03 16:52:03.462417-0600 0xab0f62 Activity 0xc55615 11605 0 aws-vault: (Security) SecKeychainOpen
2022-05-03 16:52:03.462836-0600 0xab0f62 Error 0x0 11605 0 aws-vault: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 45530 of
[9ff244ce07]
2022-05-03 16:52:03.462872-0600 0xab0f62 Error 0x0 11605 0 aws-vault: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:45530: (2) open(/var/db
/DetachedSignatures) - No such file or directory
2022-05-03 16:52:03.465167-0600 0xab0f62 Activity 0xc55616 11605 0 aws-vault: (Security) SecTrustEvaluateIfNecessary
2022-05-03 16:52:03.467640-0600 0xab0f62 Activity 0xc55617 11605 0 aws-vault: (Security) SecTrustSettingsXPCRead
2022-05-03 16:52:03.467809-0600 0xab0d8e Activity 0xc54f18 634 0 trustd: (libsystem_info.dylib) Membership API: translate identifier
2022-05-03 16:52:03.468701-0600 0xab0f62 Activity 0xc55618 11605 0 aws-vault: (Security) SecKeychainAddCallback
2022-05-03 16:52:03.468819-0600 0xab0f62 Activity 0xc55619 11605 0 aws-vault: (Security) SecTrustSettingsXPCRead
2022-05-03 16:52:03.474920-0600 0xab0f62 Activity 0xc5561a 11605 0 aws-vault: (Security) SecTrustEvaluateIfNecessary
2022-05-03 16:52:03.480998-0600 0xab0f62 Activity 0xc5561b 11605 0 aws-vault: (Security) SecItemAdd
2022-05-03 16:52:03.481988-0600 0xab0a65 Default 0x0 364 0 securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-
signed
2022-05-03 16:52:03.483018-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:KCdb] 0x13626c430(0x13636d7c0) unlocking for makeUnlocked()
2022-05-03 16:52:03.483068-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentConnection] new SecurityAgentConnection(0x16b4eea30)
2022-05-03 16:52:03.483099-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentXPCQuery] new SecurityAgentXPCQuery(0x16b4eea30)
2022-05-03 16:52:03.483417-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-
signed
2022-05-03 16:52:03.483455-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentConnection] activate(0x16b4eea30)
2022-05-03 16:52:03.483517-0600 0xd3b Default 0x0 364 0 securityd: (Security) [com.apple.securityd:security_exception] MacOS error: -25337
2022-05-03 16:52:03.483823-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:security_exception] CSSM Exception: 224 unknown error 224=e0
2022-05-03 16:52:03.483940-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentXPCQuery] SecurityAgentXPCQuery(0x16b4eea30) dying
2022-05-03 16:52:03.484082-0600 0xab0f62 Default 0xc5561b 11605 0 aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP
_NO_USER_INTERACTION
2022-05-03 16:52:03.483972-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentConnection] SecurityAgentConnection(0x16b4eea30) dying
2022-05-03 16:52:03.484158-0600 0xab0f62 Default 0xc5561b 11605 0 aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP
_NO_USER_INTERACTION
2022-05-03 16:52:03.484829-0600 0xab0b71 Error 0x0 469 0 analyticsd: [com.apple.analyticsd:xpc] [XPC Server] managed connection recieved connection invalidated
: Connection invalid
2022-05-03 16:52:03.485589-0600 0x1058 Default 0x0 406 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R185837] DNSServiceCreateConnection STOP PID[11605](
aws-vault)
2022-05-03 16:52:03.500952-0600 0xab1038 Default 0x0 0 0 kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash
2022-05-03 16:52:03.505416-0600 0x12e1 Error 0x0 628 0 Google Chrome: (QuartzCore) [com.apple.coreanimation:API] cannot add handler to 4 from 4 - dropping
2022-05-03 16:52:03.530880-0600 0xab1055 Default 0x0 0 0 kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash
2022-05-03 16:52:03.536886-0600 0xab1059 Default 0x0 0 0 kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash
Seems like the final error reported by aws-vault is from this line:
aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP
_NO_USER_INTERACTION
Which was caused immediately by the securityd errors just before that:
securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-
signed
securityd: (Security) [com.apple.securityd:security_exception] MacOS error: -25337
securityd: [com.apple.securityd:security_exception] CSSM Exception: 224 unknown error 224=e0
This overall seems like an issue built-in to macOS, probably for security reasons that presume that all Keychain actions should be attached to an app that has an interactive GUI. Seems very similar to this issue reported on a terminal app using the keyring while under screen or SSH session
The fundamentals here are pretty straightforward:
The -25308 error is errSecInteractionNotAllowed, which means that the keychain needed to interact with the user and that’s not allowed in this context.
SSH login sessions are one situation where interacting with the user is not allowed.
The complexity stems from why the keychain needs to interact with the user. You wrote:
I've also tried running:
security unlock-keychain …
Right. This rules out the keychain being locked as a source of this user interaction, but that’s only one source. There are plenty of other sources, and it’s hard to be sure which one is in play in your specific case.
This overall seems like an issue built-in to macOS, probably for security reasons that presume that all Keychain actions should be attached to an app that has an interactive GUI.
That’s not true. A non-GUI process can use the keychain just fine. This includes things in a user login session, like tools run by SSH, and even daemons [1].
What is true is that macOS has strict rules about execution contexts. For details on this, see Technote 2083 Daemons and Agents.
A program with a Unix-y heritage, like screen, expects to be able to switch execution by switching the traditional Unix-y UIDs and GIDs. That doesn’t really work on macOS [2], and such programs often run into problems. As explained in the technote, these problems don’t always have obvious symptoms, and they can come and go as the system evolves.
I’m not sure what this program is trying to do with the keychain but this is a serious concern:
This opens a local browser page to AWS SSO auth.
Given the above-mentioned execution context limits, doing this correctly on macOS requires some convoluted code [3]. I suspect that this program is just ignoring the issue and that’s why you’re running into problems. However, it’s hard to be sure without knowing more about the code.
I presume that this isn’t code that you wrote?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Daemons are limited to the file-base keychain. See On Mac Keychains for more details about the long story that is macOS keychains.
[2] It works if you live entirely within the Unix-y layers of the system but fails when you work with higher-level frameworks, like Security.
[3] You’d have to run an agent in each GUI login session to handle the GUI-specific work.