Terminally Geeky: use automatic login more securely

Automatic login preference shown enabled

Imagine if you rebooted your computer, and it automatically logged you in, launched all of your login apps, updated your Dropbox folder, MobileMe, email, RSS, Twitter and everything else without you even having to enter your password.

That auto-login capability is built into your Mac, and in fact, it may be the default setting on your Mac, so this may be how you're used to operating. But if you're like me, you disabled auto-login for security reasons, so when you reboot your Mac, it stops at the login screen, waiting for you to enter (or click on) your login name and enter your password.

What if you could have both? What if you could have the security of the login screen with the convenience of automatic login?

That's what I'm going to show you how to do.

Background

(If you don't care to know 'why' I'd want to do this, feel free to skip this section.)

I hate waiting. I hate waiting for my computer more than anything else. It's gotten much worse since I started using my MacBook Air a few weeks ago. Anytime I have to wait for my computer, I find myself thinking "Why? Why isn't this easier and faster?"

Sure it boots up faster than any computer I've ever seen, and even with a bunch of apps set to launch at login, it's ready pretty quickly, but that first boot still seems to take too long, not just for the apps to launch, but for everything to update.

Then there's my iMac at the office. It's on 24/7 and does some server duties. It's connected to an Uninterruptible Power Supply, but if the power goes off for too long, it shuts down. If I am remotely logged in via SSH and have to reboot for some reason, I know that my launchd scripts aren't going to run, Dropbox isn't going to update (and the iMac does a bunch of automated tasks based on Dropbox running), and my Drobo isn't going to mount (sometimes I SSH in to get a file off the Drobo), which I could work around, but nothing as easy as if I could just log in automatically.

I've known about Mac OS X's automatic login for ages, and (if memory serves) it even sets up automatic login for you if there's only one account on the computer (I always create separate accounts for my wife and myself on each computer, so I'm not 100 percent sure of that).

Then there's my MacBook Pro, which I now use as a desktop machine at home. It's hooked to an external monitor, another Drobo and its backup drive. I turn it off at night so that everything powers down, which makes the room much quieter, and there's no pulsing light like there is when it sleeps. (It also likes to wake itself up from sleep, despite all my attempts to figure out why; it's just easier to turn it off.) However, I need it to run a few automated tasks in the middle of the night, and when I wake up, I want to be able to check the weather page and (during the winter) the school cancellation page. I can use the "Schedule" feature in Energy Saver to have it automatically turn on around an hour before my alarm goes off (I'm a very sound sleeper, so I don't worry about it waking me), and I can have it automatically open the weather and school cancellation page for me as well ... but only if I'm logged in.

Prelude to an objection: "Is this safe?"

If someone broke into either my house or my office and stole one of my Macs, they could take out the hard drive and attach it to another computer. Once someone has physical access to your machine, they can do a whole host of nefarious things. Most of my private information is stored either in 1Password (the master password is not stored in Mac OS X's keychain) or in encrypted disk images, which also do not have their passwords stored in the keychain. If you use FileVault or some other high-level method of encryption, maybe this isn't for you.

Security is always about striking a balance between convenience and security. Personally, I consider the risks to be negligible in my situation (one computer never leaves my house, another is in my locked office at work).

I share this information with others and trust you to make the decision for yourself.

Explanation

Let me explain what we are about to do. It's very simple (even more so than when the article was originally published).

Step One will be to tell OS X to automatically log us in using the built-in feature in the Accounts Preference pane of System Preferences.

Step Two will be to create a launchd process which will run as soon as we are logged in and use Fast User Switching to show us the regular login window.

I've tested this on my MacBook Pro, iMac and MacBook Air (all running 10.6.6), and if you were just watching the machine boot up, you couldn't tell that anything unusual had happened. Because OS X runs that launchd process immediately when you log in, which immediately puts you back to the login screen, it simply looks like the machine has booted up, and after it finished booting, it displayed a login screen as usual.

The only difference is that OS X sees you are logged in, which means that your apps will automatically launch, your background processes will run and any attached external drives will mount as usual.

So, the next time you run Software Update and it forces you to reboot, or the next time you need to reboot to reclaim your swap space, or if you want to use the "Schedule" function in the Energy Saver preference panel to automatically turn your computer on 15 minutes before you get up or get to the office, when you log in you'll find everything ready to go just as you like it. Your RSS feeds, email, Twitter clients, etc. can all be updated and ready for you to use, rather than you sitting there waiting for all of your startup apps to launch and everything to start syncing/updating. Even if your Mac has an SSD and your mail client launches quickly, it still has to fetch your newest messages from the server.

Step One: Enable Automatic Login

Step One: make sure that automatic login is enabled for your computer.

Do this by going to System Preferences, opening the "Accounts" pane and clicking Login Options:

If you do not see your name listed next to "Automatic login," click the lock icon at the bottom left (you will need to enter an administrator's password), and then click your login name and select it for automatic login.

This shows how the Accounts window will look before you set up automatic login:

You will be prompted to enter the password for the account that you want to automatically log in.

(After you change it, "Automatic login OFF" will change to show the name set to automatically log in. See the image at the top of this article to see how mine looks after I did this.)

Step 2 (Updated 3 March 2011):

Some observant comments below suggest that you could skip Step 3 if you call the "/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend line directly from the plist.

That is 100% true. I preferred the original method I suggested because it gives you the ability to edit the loginhook script itself and add other actions to it, but this is a much simpler solution, because it requires no customization.

Instead of creating a plist and a shell script, we will just be creating a plist which calls the command ("/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend) directly.

You can download com.luomat.loginhook.plist (the code shown just above). Move it into ~/Library/LaunchAgents and reboot.

Use Cases

I now find myself less resentful when I have to reboot my computer for a system update or whatever other reason, because as soon as I click 'Restart,' I can go do something else -- I take a trip to the bathroom, refill my water glass, make a phone call or sort through the mail or other papers on my desk. The point is that I can disengage from the computer, knowing that when I need it again, it will be ready (assuming I have my preferred apps set to auto-launch on login, which I do).

Is this a huge productivity boon? No, but I've managed to replace a minor annoyance with a minor benefit. My computer is now making my life a little bit easier (that was the point of having computers, right?), and using it the way that I want to now takes a little less from me. I call that a win.

Alternate Steps - ONLY if you did not use the above method

If you are happy with the steps above, you can stop reading now. All of this is superfluous if you are using the above method.

However, if you would like to create a generic "loginhook" script which can include this feature plus other actions, read on.

Instead of the "Step Two" shown above, create a launchd process that runs every time you log in:

That looks complicated, right? It's not really as bad as it looks. All it says is "Run the program '/Users/luomat/.loginhook' each time I log in."

I called this "com.luomat.loginhook," but you can call it whatever you want.

"/Users/luomat/.loginhook" should be the path to the script from step three (below). It can be saved anywhere (again, see step three), and it can be called anything you want.

Side note: If you aren't familiar with creating .plist files for launchd, you can find a nice GUI front-end for it called Lingon for $5 on the Mac App Store. There is also an older version available on SourceForge, but it's buggier, and I'd recommend either paying the $5 for the Mac App Store version or writing the plists by hand.

You can download my plist and edit it to suit your needs. Make sure you change the paths.

The plist file should be saved at ~/Library/LaunchAgents (where ~/ just means the path to your home directory, such as /Users/luomat/ for me).
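
A minimal launch agent of the kind described in Step 2 and in this alternate step, written out as an added example (it is not the author's downloadable file). The label and paths are the ones quoted in the article; the choice of keys (Label, ProgramArguments, RunAtLoad) is an assumption about what the original plist contained.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Job name; by convention it matches the file name
         (com.luomat.loginhook.plist). -->
    <key>Label</key>
    <string>com.luomat.loginhook</string>

    <!-- Each <string> is exactly one argument, so the space in
         "Menu Extras" needs no quoting or escaping here. -->
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession</string>
        <string>-suspend</string>
    </array>
    <!-- Script variant (alternate steps): replace the two strings above
         with the single entry <string>/Users/luomat/.loginhook</string> -->

    <!-- Run once when the agent is loaded, which for a file in
         ~/Library/LaunchAgents happens as the user logs in. -->
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```

Running plutil -lint on the saved file checks its syntax before you reboot. Keep the plist (and any script it points to) writable only by your own account, since whatever can edit it decides what runs at every login.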

Step Three: Create the loginhook script:

Here's where the magic happens. This is "/Users/luomat/.loginhook" (but again, you can put it anywhere, as long as the path in the plist in step two matches where you store the script).

#!/bin/bash

trap '' 1 2 3 6 14 15

# will other login apps work even if this is not in ( )

(exec "/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend )

exit 0

The first line identifies this as a bash script.

The second (non-blank) line says to ignore "control-C" or any other signals that might try to prevent this script from running (this is probably overkill, but it shouldn't hurt anything).

The third line is a comment reminding me that this didn't work unless the fourth line was in parentheses.

The fourth line triggers fast user switching. It will switch to the login screen, but won't log you out.

(You can download my loginhook.sh and rename it ~/.loginhook if you wish.)

Save the file and then make it executable:

chmod 700 ~/.loginhook

where "~/.loginhook" is wherever you decided to save the file.

Troubleshooting

I've been doing this for a few days, and it seems to work fine. If it doesn't seem to work properly for you, try entering a small delay using the 'sleep' command, as shown here:

(sleep 2; exec "/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend )

If you are seeing the desktop "flash" before it switches back to the login screen, try using a loginhook rather than a login item. You can find out more about loginhooks at http://support.apple.com/kb/HT2420.