Using keychains with .Mac; troubleshooting keychain issues
You can use keychains with .Mac. This article applies to Mac OS X 10.4 or later and contains troubleshooting information that you can use if you encounter keychain issues.
Fresh on the heels of my last post about keychain troubles, Apple was good enough to release a far more detailed article on the topic. This is definitely one of those “Utility”[1] bookmarks you want to keep in your browser. The article mostly covers troubles when syncing your keychains via .Mac, but it has some good points for troubleshooting nonetheless.
However, based on my past experiences syncing keychains with .Mac, there’s only one thing I can say about it — just don’t do it!
Why, you ask? Well, if you sync keychains between more than one workstation, and any two of those workstations use different login passwords, you’re going to wreak havoc with your login.keychain file because it’s tied directly to your user account password.
Here’s an example: Let’s say you have two Macs — A and B. Mac A uses password “abc” for the user account, Mac B uses “def” for its user account. You set up both machines to sync via .Mac. Mac A syncs first, and Mac B picks up the login.keychain from the .Mac server. It notices that your keychains are not identical and asks if you want to replace it. You say yes. The keychain on Mac B now has a password of “abc” while the account uses “def”.
Oh, that’s bad…
Since the passwords no longer match, you start getting bugged to unlock your keychain every time you try to do something that needs it. You enter what you think is the right password (“def”) only to be told it’s not right. You have no idea why, so you decide to reset your login.keychain, bummed that you lost all your passwords on Mac B.
Mac A picks up the reset login.keychain from .Mac that Mac B created and replaces entries as Mac B did above. You’re back where you were just a little while ago — Mac A has an account password of “abc” and a keychain password of “def”. The whole problem starts over again, and continues.
The ONLY way to avoid this disaster is to be sure you’ve changed both account passwords (and again — possibly user account short names) to the exact same value. So unless this doesn’t apply to you (and even if it does), I stand by my original advice: Don’t sync keychain items via .Mac — ever!
[1] I like to keep a folder in my browser favorites named “Utility” where I store handy tidbits such as this. It’s a time saver when something goes wrong.






