Yubikey and session sharing across terminals

Hi,

I have activated the 2FA on my 1Password account. Each time I have to login in a terminal, I have to indicate the 2FA auth code. As I am a bit lazy (or too occupied to loose some time with this ;) ), I was wondering if the CLI support the Yubikey ?

Another question is related to session management, I use terminals heavily. In each terminal I launch I need to re-authenticate. Do you have some good practices to share, to improve the auth user experience without sacrificing security too much ?

I was thinking about storing the SESSION Key in a tmp file created with mktmp or a file in a ram disk and add a source command if the file exists in my .zshrc.

Thanks,


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • cohixcohix

    Team Member

    @mickael an upcoming version will support what we call the dsecret, meaning that after you auth once with a particular account, you will not need to 2FA again using the CLI.

    You cannot reuse a session file, as once the session dies on the server, you cannot use that session file to create a new one, it does not have all of the cryptographic parts that it needs to negotiate a new session.

    Once again, in a future update (probably not the next one, but maybe the one after), we will have a mechanism by which the CLI will be able to authenticate itself without the need to re-enter the master password each time, but that will be opt-in and not the default.

  • Thanks @cohix, nice to hear !

    Really impatient to see the futures updates of the CLI !

  • I ended up with the following "solution":

    In my .zshrc:

    #!/usr/bin/env bash
    
    OP_SESSIONSHARING_FILE=$(find ${TMPDIR:-/tmp} -maxdepth 1 -name "opsessions.*" -print0 | xargs -0 ls -1 -t | head -1)
    
    if [[ ! -z "$OP_SESSIONSHARING_FILE" ]] && [[ -f "$OP_SESSIONSHARING_FILE" ]]; then
      . "$OP_SESSIONSHARING_FILE"
    else
      mktemp -t opsessions > /dev/null
    fi
    
    alias oplogin='eval $(opsign.sh in)'
    alias oplogout='eval $(opsign.sh out)'
    

    And my opsign.sh script:

    #!/usr/bin/env bash
    set -e
    
    TEAM_SESSION_KEY=
    MY_SESSION_KEY=
    ACTION=${1:-in}
    
    function checks() {
      if ! which op > /dev/null; then
        echo "1Password CLI (op) is not installed."
        exit 1
      fi
    
      if [[ -z "$OP_TEAM_SHORTHAND" ]]; then
        echo "OP_TEAM_SHORTHAND environment variable missing"
        exit 1
      fi
    
      if [[ -z "$OP_SESSIONSHARING_FILE" ]]; then
        mktemp -t opsessions > /dev/null
      fi
    }
    
    cleanup() {
      find ${TMPDIR:-/tmp} -maxdepth 1 -name "opsessions.*" -print0 | xargs -0 ls -1 -t | tail -n +2 | xargs /bin/rm
    }
    
    function initSessionSharingTempFile() {
      echo "#!/usr/bin/env bash" > "$OP_SESSIONSHARING_FILE"
    }
    
    function op_signin() {
      TEAM_SESSION_KEY=$(op signin $OP_TEAM_SHORTHAND --output=raw)
      MY_SESSION_KEY=$(op signin my --output=raw)
    }
    
    function op_signout() {
      if [[ -f "$OP_SESSIONSHARING_FILE" ]]; then
        /bin/rm "$OP_SESSIONSHARING_FILE"
      fi
      op signout
      echo "export OP_SESSION_${OP_TEAM_SHORTHAND}="
      echo "export OP_SESSION_my="
    }
    
    function persistSessionKeys() {
      echo "export OP_SESSION_${OP_TEAM_SHORTHAND}=${TEAM_SESSION_KEY}"
      echo "export OP_SESSION_my=${MY_SESSION_KEY}"
    }
    
    function getSessionSharingFile() {
      find ${TMPDIR:-/tmp} -maxdepth 1 -name "opsessions.*" -print0 | xargs -0 ls -1 -t | head -1
    }
    
    checks
    cleanup
    
    if [[ "$ACTION" == "in" ]]; then
      op_signin
      OP_SESSIONSHARING_FILE=$(getSessionSharingFile)
      initSessionSharingTempFile
      persistSessionKeys >> "$OP_SESSIONSHARING_FILE"
      persistSessionKeys
    else
      OP_SESSIONSHARING_FILE=$(getSessionSharingFile)
      op_signout
    fi
    

    To login I run oplogin and to logout oplogout

    Published here also: https://gist.github.com/mickaelperrin/2e155fc054f80fe948441962c367ae75

  • mickaelmickael
    edited May 3

    Strange, I created a long post with the details but it disappears after editing it...

    So, to be concise, I implemented the following solution to share my sessions across terminals:

    https://gist.github.com/mickaelperrin/2e155fc054f80fe948441962c367ae75

    Then I use oplogin and oplogout to signin / signout.

  • mickaelmickael
    edited May 4

    For those, who are not confident in storing the env var in a plain text file, I have updated my gist to store it encrypted with gpg.

  • cohixcohix

    Team Member

    Very nice! I like that solution quite a bit. I like that you made it resilient to all sorts of edge cases, too :)

  • I updated my gist to easily handle the update of OP_ env variables in existing terminals. Just run opup.

    The gist indicates also how to grab OP_ env variables in custom shell scripts.

    https://gist.github.com/mickaelperrin/2e155fc054f80fe948441962c367ae75

  • rickfillionrickfillion Junior Member

    Team Member

    Awesome. Thanks for creating that.

    Rick

  • To come back to my first question and as I plan more and more to move my main GPG keys to a Yubikey, could you expose what's the impact of registering a Yubikey in 1Password?

    The documentation explains:

    Your 1Password account is now protected by two-factor authentication. To continue using your account on other devices or to sign in to it on a new device, you’ll need to enter a six-digit authentication code from Yubico Authenticator.

    Does it change how the CLI or iPhone or whatever application works? Do I need to generate the Yubikey 2FA to unlock on any device, especially on the iPhone app ?

  • brentybrenty

    Team Member

    @mickael: Nope! Yubikey, like any other two-factor authentication, is a second factor of authentication, so it's only used when authenticating, i.e. when you sign into the account, not when you unlock 1Password (with only your Master Password). So the difference would be when signing in initially in the app/browser, not when using it normally after that. :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file