Writing

Software, technology, sysadmin war stories, and more. Feed
Friday, May 17, 2013

Time travel on a Mac breaks keychains and wifi passwords

Have you ever solved a problem using some arcane bit of knowledge and then realized how unlikely it would be for a non-tech user to ever figure it out independently? Has this colored your view of a given web site, program, or operating system? I had another one of those experiences this morning.

First, the arcane bit of knowledge. If you've ever worked with SSL certificates, you might have noticed a few of the traits which are set by the signer. In particular, there's an expiration date which sets the last time it's valid, but there's also a "not before" time. This typically is used to set the period of validity to an exact span of time instead of having no defined beginning.

This might bite you the first time your clock gets messed up and you travel into the past. When this happens, all sorts of secure-side web sites will stop working because you're running in a time before their certs will be valid. Not all of them have the same span of validity, so it might work for some and fail on others depending on how far back your clock has slipped.

So here's where that knowledge runs up into reality. In my role as de facto tech support monkey for the family, I get to hear about machines which aren't playing nice. Last time, it was about a stupid wireless switch on a laptop. This time, the report was simple enough: "the machine says it's set to before 2008, and I'm getting this guest network thing".

This was a Mac, and for whatever reason, it had decided to reset itself back to 2000. When it came back up, this apparently caused it to render some or all of the keychain inaccessible or otherwise invalid, including the wireless network password. I figured this was something stupid like "not-valid-before" behavior, and it would need a valid date to start working again.

With no network access, it was unable to do the usual NTP magic to sync its clock, and thus it was not going to heal itself. The "solution" was to disable NTP sync, manually set the time ahead to the approximate current time, and then switch to the right network. That actually worked, and I was able to jump in remotely to take care of a basic sanity check on the machine after that point, including re-enabling the usual NTP behavior.

As for why it popped up the guest network "walled garden" thing, that one is easy. Someone had previously associated this machine with a guest network at that location, but it was a lower priority than the usual secured network. When it failed to get on the secured network, it tried the next entry, and the walled garden detection on the Mac popped up the login screen.

It was just one big bag of weird.

What's really annoying is that I've actually been bitten by this before, and I didn't have any idea what was going on. I wound up having to reset a bunch of passwords to get things going again.

It's the combination of that past event and fiddling with SSL that suggested the right course of action today. Does this sound like the sort of thing a normal Mac user should know?

It sounds suspiciously like the sort of Unix wonkiness which has kept me employed for many years. These things tend to leak through their every attempt to make the system look nice and shiny on top. I know it's really ugly and greasy underneath. Brokenness like this only reinforces it.