Reading Keychain Passwords from the Command Line
Apple’s Keychain is a nice way to store your passwords in an encrypted database. Apple provides the Keychain Access GUI application to view and manage passwords. You can do all sorts of cool stuff with it, such as keeping multiple keychains for extra security. I just found out you can also view and manage passwords from the command line using the security(1) tool. It’s got a lot of subcommands and options, but here’s the syntax if you want to find the password for an IMAP email account:
% security find-internet-password -g -r imap -a <ACCOUNT> -s <SERVER>
You can replace “imap” with other protocols like “https” to access Web passwords. One issue is that it prompts you for access to the keychain using the standard “Deny”, “Allow Once”, “Always Allow” GUI dialog. This makes it somewhat useless during remote access. However, if you click “Always Allow”, the command line tool can read that account’s password (and only that one) in all future invocations without a dialog. A second issue is that it prints the password to standard error. So if you’re using it from a script, be sure to redirect standard error to standard output:
output = `security find-internet-password ... 2>&1`
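As an added example (not from the original post), here is a small POSIX shell wrapper that captures the combined output, pulls out the `password: "..."` line that `-g` writes to stderr, and fails cleanly when the item is missing or access is denied; the function names are my own and the wrapper assumes macOS with security(1) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: wraps security(1) so the
# password lands in a variable instead of being scattered across stderr and
# stdout, and fails loudly if the item is missing or access is denied.
# Assumes macOS with the security tool on PATH; the parsing function is
# plain POSIX sh and can be exercised on its own with constructed output.

# Extract the secret from the "-g" output, which carries one line of the
# form   password: "..."   (on stderr, hence the 2>&1 in the caller).
# Reads the combined output on stdin; prints only the password.
keychain_password_from_output() {
    # Keep only the first password: line, strip the prefix and the quotes.
    sed -n 's/^password: "\(.*\)"$/\1/p' | head -n 1
}

# Look up an internet password by protocol, account and server.
# Usage: keychain_password imap user@example.org mail.example.org
keychain_password() {
    proto=$1; account=$2; server=$3
    # Merge stderr into stdout so the password line is captured with the rest.
    if ! out=$(security find-internet-password -g -r "$proto" \
                   -a "$account" -s "$server" 2>&1); then
        # Item not found or access denied: report without echoing any secret.
        echo "keychain lookup failed for $account@$server ($proto)" >&2
        return 1
    fi
    pw=$(printf '%s\n' "$out" | keychain_password_from_output)
    [ -n "$pw" ] || { echo "no password line in security output" >&2; return 1; }
    printf '%s\n' "$pw"
}
```

Keep the result in a variable and hand it straight to the program that needs it; piping it through a logger or leaving it in shell history undoes the point of keeping it in the keychain.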