Mac Touch Bar Finger Print access to CLI signin

I would like to be able to use the TouchBar Finger Print in the CLI as I can in the UI. (on Mac)

Ideally eval $(op signin myaccount) would invoke the TouchBar FingerPrint and this would then signin.

I guess it would have the same timeout rules as the UI and ask me for passwords in the same manner as the UI does.

I am using the CLI multiple times an hour and typing in the password is driving me crazy.

if its secure enough on the UI why not on the CLI?


1Password Version: 7.6
Extension Version: Not Provided
OS Version: Mac 10.15.6
Sync Type: Not Provided

Comments

  • felix_1pfelix_1p

    Team Member

    Do you know any other command line tools that use TouchID? I'm asking because I haven't found any information for how this would work.

    We need the master password one way or the other, otherwise we cannot derive the necessary secrets to authenticate you and decrypt your data.

    If you want to streamline password entry, you could store your Master Password in Keychain and access it from the command line with the security command:

    eval $(security find-generic-password ... | op signin myaccount)
    

    I'm not sure how security verifies access though.

  • I'm a recent convert from LastPass (including the cli) and I'm mostly happy with the switch to 1password. However, the 1password-cli timeout is my quickly becoming my biggest pain point (see related reddit discussion here).

    Using Keychain is an interesting idea but would obviously only work for macOS users. I can look into using it, but it does feel a little hacky.

    I would love it if there was a mechanism to either increase the cli's timeout/idle-timeout or have more control over it. Other similar tools have variables that help with this: (LastPass-cli has LPASS_AGENT_TIMEOUT, Saml2Aws has SAML2AWS_SESSION_DURATION, aws-vault has --duration, awscli has AWS_FEDERATION_TOKEN_TTL, AWS_ASSUME_ROLE_TTL, and relatedly AWS_SESSION_EXPIRATION, etc.

    I think it would be great if 1password-cli had that kind of a setting to bring it up to par with those tools with similar use cases.

  • Forgot to mention that aws-okta has --session-ttl

  • eval $(security find-generic-password ... | op signin myaccount)

    I investigated the Mac KeyChain and the security CLI tool. The challenge with it is that once again you have to enter your master password every time OR you trust the security tool in the CLI and it never asks for a password because that program is trusted - which defeats the attack vector of someone coming into my terminal and running the command to get the master password

    I guess I am asking for an option on the CLI (on mac) to accept the finger print or give me the passsord (which I know is hybrid of CLI and UI)

    Today if I click the OnePassword UI and I have not logged in for a while the TouchBar is an option (once set up). I am after that

    op signin myaccount --fingerprintprompt is kinda how it might look

  • felix_1pfelix_1p

    Team Member

    @k3cua8 I think the timeout is provided by the sever, but I will double check on that. On my machine (Linux) I'm storing my Master Password in a GPG encrypted file. The GPG key is stored on a YubiKey. When I execute the wrapper script around the command line tool I'm asked for a pin only, which makes things easier.

    @bbakerman I was informed that Touch ID access is not supported for command line tools. Apparently there is no way to "authorize" command line tools in such a way that they would be allowed to access that API.

  • Hi @felix_1p , thanks for the response. Alternatively, if I look at the Security Settings of my "1password X" chrome extension, there is a setting called "Lock after system is idle for" and it gives the option to set this between 1 and 999 minutes. That definitely sounds like something that would resolve this issue. Is there an equivalent setting of this in 1password-cli? If not, it would be great if it could have one.

  • felix_1pfelix_1p

    Team Member

    @k3cua8

    Is there an equivalent setting of this in 1password-cli? If not, it would be great if it could have one.

    There is not. The biggest difference between the command line tool and all the other clients is that the command line tool is not a long running process. Other clients have the ability to transparently create a new session or to keep the existing alive, by making requests to the server.

    At least for the time being, establishing a new session with the command line tool requires the Master Password. And since we obviously don't store that anywhere, we cannot transparently create a new session.

    Depending on your setup you might be able to periodically issue "dummy requests" to the server (e.g. op get account) to extend the current session beyond its 30 minute timeout (the timeout is always measured from the moment of the last communication with the server).

  • I tried emulating this workaround, somewhat. But I found that new terminal sessions always asked for signin. So what I did different was I tried saving my op session token to a file so that new terminal sessions could read from it. That part works, but none last more than the 30 minute timeout for some reason.

    # create private hidden file to store op session token
    $ (umask 077 touch ~/.token)
    # after logging in successfully to op, save the session token to that file
    $ eval $(op signin my) && echo ${OP_SESSION_my} > ~/.token
    
    # run script every 20 minutes during work day to reset op session timeout, reading the session token from the file
    # otherwise, new terminal sessions always ask for signin
    $ crontab -l
    0,20,40 7-17 * * MON-FRI ~/.pm_token_refresh.sh
    $ cat ~/.pm_token_refresh.sh
    #!/usr/bin/env bash
    /usr/local/bin/op get item my-item --fields username --session $(cat ${HOME}/.token)
    $ chmod -c u+x ~/.pm_token_refresh.sh
    
  • I just saw 1.6.0 is out with a related improvement so will try that out as soon as brew cask sees it.

  • Nice. 1.6.0 did, in fact, make it so you can pass in an existing and active session token so that "op signin my --session ${OP_SESSION_my}" won't prompt you for your password.

    However, it still seems my cronjob that runs an op command every 20 minutes fails to keep that session token active. Any other ideas? Can anyone else reproduce this problem?

  • felix_1pfelix_1p

    Team Member

    However, it still seems my cronjob that runs an op command every 20 minutes fails to keep that session token active.

    Hmmh. Does the session get extended when you run the script manually? I don't see a reason why it shouldn't get extended.

  • Good idea, I'll try that

  • Yes that works. So something with the cronjob isn't working. I'll have to rework it to assume a fuller session.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file